Wiced Version: 3.1.2.
I am using self-signed certificates generated with OpenSSL for a server I want to connect to with a WICED Wi-Fi module. On certain certificates I get an error while loading/parsing the certificate with wiced_tls_init_root_ca_certificates. The resulting error code is 3035.
Further investigation has shown that this problem depends on how the start and expiration dates are set when the certificate is generated.
Not working example:
openssl req -new \
-config etc/root-ca.conf \
-out ca/root-ca.csr \
-keyout ca/root-ca/private/root-ca.key
openssl ca -selfsign \
-config etc/root-ca.conf \
-in ca/root-ca.csr \
-out ca/root-ca.crt \
-extensions root_ca_ext \
-startdate 20150101120000Z -enddate 20160101110000Z
This results in the following non-working certificate:
-----BEGIN CERTIFICATE-----
MIIDXDCCAkSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJDSDEO
MAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBFUzAi
GA8yMDE1MDEwMTEyMDAwMFoYDzIwMTYwMTAxMTEwMDAwWjA9MQswCQYDVQQGEwJD
SDEOMAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBF
UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMktBPphlQqgd7/3oQ6S
bnB68E/O8p8OR07AHeleBlOPr6qzcGmLpTJiREaw2FYK5OuEVvlwqd7IHzm4P3l5
khLMBRCSSq3tgOV/+5RJUd1CeH26Tur6jIJdZWkF9AbrxIJVhTeFp0vp5SbFUI6+
mCC5cybeNsytcDL8T1UvabIJvJpZrl3+s2kfLDsD77k5q8Ic+l4xUIhQKKbK4piA
no6+OUdmqBMWq3xz9PZeuu/ZclHKl9HbP5vzZ9reHZYUQiF01T4fEVp7gt8I6JYK
EWlFa5bTgOTrIIllINOlamj4EABALrLJG94k4E1tLO46Zn8ZF6sfsHDM3VXVoWl0
TpcCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFMJ/8+Bs9yh3k+7D4Sy2E/vjXvgzMB8GA1UdIwQYMBaAFMJ/8+Bs9yh3
k+7D4Sy2E/vjXvgzMA0GCSqGSIb3DQEBBQUAA4IBAQCZ1FnebQY1ARj/sCA7jf/F
KzzX7ZmCYV1Wmkvt+g7BSmubcHgXNiDU2KCDeXt3oxz4P/Pwpnz3WxxaeU/NbCF4
GKCrpgy4myYcAch4AyUw1IkesfQZ55VAPYufCS9DHka3kj+OVXRv8tbyvZfKNXuF
Rx41IBvkCKSGLXL9CQExUxZD7VoKwQfNhwoh6b7MAIq478gSXb9LcunWkXIdj0ks
vbHjZTxv+0Jd7I2NctYuu3szyXRV0puTFewjBDYBgMrIn8ZpVsGZvI7fc6/t/9sE
a9JbZECun8rKSWZ57KPfJ2sAMCfA158casUVdkCel2+ioWKOnlCdTD0Yt0H34+6U
-----END CERTIFICATE-----
But if the expiration is instead set in days with the following command:
openssl ca -selfsign \
-config etc/root-ca.conf \
-in ca/root-ca.csr \
-out ca/root-ca.crt \
-extensions root_ca_ext \
-days 365
This results in the following working certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Is this a known issue? Other tools say both certificates are perfectly valid:
Certificate Decoder - Decode certificates to view their contents
Attached you will also find the root-ca.conf file, so you can replay the examples above.
Thanks and BR
Gert
Also, I see that your certificate files have incorrect indentation.
We have provided a sample application here. Kindly let us know if this helps.
I am facing the same problem. My certificate (in PEM format) from Amazon is being parsed correctly by the certificate decoder.
However, when the x509_convert_pem_to_der() function tries to convert it into DER, it returns NULL when looking for the first line -----BEGIN CERTIFICATE-----.
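Both failure modes reported so far, error 3035 on the certificate generated with `-startdate`/`-enddate` and `x509_convert_pem_to_der()` returning NULL on a PEM file whose first line is not exactly the BEGIN marker, can be narrowed down offline. The Python script below is an added example, not code from this thread or from the WICED SDK. It decodes the non-working certificate quoted in the first post and walks the DER to the Validity field: both dates are encoded as GeneralizedTime (tag 0x18), which is what this OpenSSL `ca` run wrote for the 15-character `-startdate`/`-enddate` values, whereas `-days` computes the dates from the current time and writes them as UTCTime (tag 0x17). RFC 5280 section 4.1.2.5 requires UTCTime for dates through 2049, so a strict X.509 parser, or one that only implements the UTCTime form, rejects the first certificate while general-purpose decoders still show it as valid. That the WICED TLS stack behaves this way is the most plausible reading of error 3035, not something the thread confirms. The same script also normalizes an indented or CRLF PEM file (constructed here from the quoted certificate) so that it starts with the BEGIN line, which is what a parser that matches the header literally expects.

```python
import base64
import re

# Root CA certificate that fails with error 3035, copied from the first post above.
NON_WORKING_PEM = """-----BEGIN CERTIFICATE-----
MIIDXDCCAkSgAwIBAgIBBDANBgkqhkiG9w0BAQUFADA9MQswCQYDVQQGEwJDSDEO
MAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBFUzAi
GA8yMDE1MDEwMTEyMDAwMFoYDzIwMTYwMTAxMTEwMDAwWjA9MQswCQYDVQQGEwJD
SDEOMAwGA1UECgwFRXJnb24xCzAJBgNVBAsMAkVTMREwDwYDVQQDDAhFcmdvbiBF
UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMktBPphlQqgd7/3oQ6S
bnB68E/O8p8OR07AHeleBlOPr6qzcGmLpTJiREaw2FYK5OuEVvlwqd7IHzm4P3l5
khLMBRCSSq3tgOV/+5RJUd1CeH26Tur6jIJdZWkF9AbrxIJVhTeFp0vp5SbFUI6+
mCC5cybeNsytcDL8T1UvabIJvJpZrl3+s2kfLDsD77k5q8Ic+l4xUIhQKKbK4piA
no6+OUdmqBMWq3xz9PZeuu/ZclHKl9HbP5vzZ9reHZYUQiF01T4fEVp7gt8I6JYK
EWlFa5bTgOTrIIllINOlamj4EABALrLJG94k4E1tLO46Zn8ZF6sfsHDM3VXVoWl0
TpcCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYD
VR0OBBYEFMJ/8+Bs9yh3k+7D4Sy2E/vjXvgzMB8GA1UdIwQYMBaAFMJ/8+Bs9yh3
k+7D4Sy2E/vjXvgzMA0GCSqGSIb3DQEBBQUAA4IBAQCZ1FnebQY1ARj/sCA7jf/F
KzzX7ZmCYV1Wmkvt+g7BSmubcHgXNiDU2KCDeXt3oxz4P/Pwpnz3WxxaeU/NbCF4
GKCrpgy4myYcAch4AyUw1IkesfQZ55VAPYufCS9DHka3kj+OVXRv8tbyvZfKNXuF
Rx41IBvkCKSGLXL9CQExUxZD7VoKwQfNhwoh6b7MAIq478gSXb9LcunWkXIdj0ks
vbHjZTxv+0Jd7I2NctYuu3szyXRV0puTFewjBDYBgMrIn8ZpVsGZvI7fc6/t/9sE
a9JbZECun8rKSWZ57KPfJ2sAMCfA158casUVdkCel2+ioWKOnlCdTD0Yt0H34+6U
-----END CERTIFICATE-----"""

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
TIME_TAGS = {0x17: "UTCTime", 0x18: "GeneralizedTime"}


def strict_header_ok(text):
    """Mimic a loader that requires the buffer to start with the BEGIN line
    exactly; a BOM, indentation or a leading blank line makes it fail."""
    return text.startswith(BEGIN)


def normalize_pem(text):
    """Remove a UTF-8 BOM, CR characters and per-line indentation so the file
    starts with the BEGIN marker that a literal header match expects."""
    text = text.lstrip("\ufeff").replace("\r", "")
    return "\n".join(line.strip() for line in text.split("\n")).strip() + "\n"


def pem_to_der(text):
    """Return the DER bytes between the BEGIN and END markers."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), normalize_pem(text), re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def validity_times(der):
    """Walk Certificate -> tbsCertificate -> validity and return
    [(field, time_type, value), ...] for notBefore and notAfter."""
    _, cert, _ = read_tlv(der, 0)   # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)   # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = read_tlv(tbs, pos)
    if tag == 0xA0:                 # optional version [0] EXPLICIT
        pos = nxt
    for _ in range(3):              # serialNumber, signature, issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    out, p = [], 0
    for field in ("notBefore", "notAfter"):
        tag, value, p = read_tlv(validity, p)
        out.append((field, TIME_TAGS.get(tag, f"tag 0x{tag:02x}"), value.decode("ascii")))
    return out


def rfc5280_time_problems(der):
    """RFC 5280 4.1.2.5: dates through 2049 MUST be UTCTime. UTCTime can only
    express 1950-2049, so only GeneralizedTime values need checking."""
    problems = []
    for field, kind, value in validity_times(der):
        if kind == "GeneralizedTime" and int(value[:4]) < 2050:
            problems.append(f"{field} {value} is GeneralizedTime but must be UTCTime")
        elif kind not in TIME_TAGS.values():
            problems.append(f"{field} has unexpected {kind}")
    return problems


if __name__ == "__main__":
    der = pem_to_der(NON_WORKING_PEM)
    for row in validity_times(der):
        print(*row)
    for problem in rfc5280_time_problems(der):
        print("RFC 5280 violation:", problem)
    # Constructed stand-in for an indented, CRLF-terminated PEM file.
    indented = "  " + NON_WORKING_PEM.replace("\n", "\r\n  ")
    print("strict header match, as saved:", strict_header_ok(indented))
    print("strict header match, normalized:", strict_header_ok(normalize_pem(indented)))
```

`openssl asn1parse -in ca/root-ca.crt` shows the same distinction directly, printing GENERALIZEDTIME or UTCTIME for the two Validity entries, and is the quickest check to run before loading a root certificate onto the module.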
vik86: what do you mean by incorrect indentation? The sample application did not help me.
As mentioned by mkochhal, you can use the tool to format the certificates.
The link to the tool is:
Also, you can refer to this discussion for more information.
Re: 3.4.0-AWS mqtt connect failed
Hope that helps.
Best Regards,
AB