Parse Problem on Certain OpenSSL Certificates


Anonymous
Not applicable

Wiced Version: 3.1.2.

I am using self-signed certificates generated with OpenSSL for a server I want to connect to with a WICED Wi-Fi module. On certain certificates I get an error while loading/parsing the certificate with wiced_tls_init_root_ca_certificates. The resulting error code is 3035.

Further investigation has shown that this problem depends on how the start and expiration dates are set during generation of the certificate.

Not working example:

openssl req -new \
    -config etc/root-ca.conf \
    -out ca/root-ca.csr \
    -keyout ca/root-ca/private/root-ca.key

openssl ca -selfsign \
    -config etc/root-ca.conf \
    -in ca/root-ca.csr \
    -out ca/root-ca.crt \
    -extensions root_ca_ext \
    -startdate 20150101120000Z -enddate 20160101110000Z

Results in this non-working certificate:


But if the expiration is set in days with the following command:

openssl ca -selfsign \
    -config etc/root-ca.conf \
    -in ca/root-ca.csr \
    -out ca/root-ca.crt \
    -extensions root_ca_ext \
    -days 365

Results in this working certificate:


Is this a known issue? Other tools say both certificates are perfectly valid:

Certificate Decoder - Decode certificates to view their contents

Attached you will also find the root-ca.conf file, to replay the examples from above.

Thanks and BR

Gert

0 Likes
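Added example (not code from the original post or from WICED): with -startdate/-enddate OpenSSL encodes the validity dates as GeneralizedTime (DER tag 0x18), while -days encodes them as UTCTime (0x17), which is the type RFC 5280 requires for dates before 2050 and the one a strict embedded parser expects. The Python below reports which type a PEM certificate uses, tolerating the indentation problems raised in the replies; its sample input is a constructed, unsigned certificate skeleton, not a real certificate.

```python
import base64, re

UTC_TIME, GENERALIZED_TIME, SEQUENCE = 0x17, 0x18, 0x30   # ASN.1 tags

def der(tag, payload):
    # Encode one DER TLV (short or long-form length); used only to build the sample input.
    n = len(payload)
    size = 0 if n < 0x80 else (n.bit_length() + 7) // 8
    head = bytes([tag, n]) if size == 0 else bytes([tag, 0x80 | size]) + n.to_bytes(size, "big")
    return head + payload

def _tlv(buf, pos):
    # Decode the TLV header at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, pos, pos + length

def _children(buf, start, end):
    # Yield the TLVs contained in a constructed value spanning [start, end).
    while start < end:
        tag, vstart, vend = _tlv(buf, start)
        yield tag, vstart, vend
        start = vend

def pem_body(text):
    # Base64 between the markers with indentation, CRLF and stray spaces dropped.
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if m is None:
        raise ValueError("no PEM certificate found")
    return "".join(m.group(1).split())

def validity_time_types(pem):
    # RFC 5280 4.1.2.5: dates before 2050 must be UTCTime (0x17), not GeneralizedTime (0x18).
    buf = base64.b64decode(pem_body(pem))
    _, cert_start, _ = _tlv(buf, 0)                      # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(buf, cert_start)        # tbsCertificate SEQUENCE
    fields = list(_children(buf, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    _, val_start, val_end = fields[3]                    # serial, signature, issuer, validity
    return tuple(tag for tag, _, _ in _children(buf, val_start, val_end))

def sample_pem(time_tag, not_before, not_after, indent=""):
    # Constructed, unsigned skeleton (empty names); a non-empty indent mimics a mis-indented file.
    validity = der(SEQUENCE, der(time_tag, not_before) + der(time_tag, not_after))
    tbs = der(SEQUENCE, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x04")
              + der(SEQUENCE, b"") + der(SEQUENCE, b"") + validity)
    body = base64.b64encode(der(SEQUENCE, tbs)).decode()
    lines = ["-----BEGIN CERTIFICATE-----", *(body[i:i + 64] for i in range(0, len(body), 64)),
             "-----END CERTIFICATE-----"]
    return "".join(indent + line + "\n" for line in lines)
```

Running validity_time_types over a real certificate file tells you whether it carries the 0x18 encoding before you hand it to the module.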
4 Replies
VikramR_26
Employee

Also, I see that your certificate files have incorrect indentation.

We have provided a sample application here. Kindly let us know if this helps.

Broadcom/WICED_parse · GitHub

0 Likes
Anonymous
Not applicable

vik86

I am facing the same problem. My certificate (in PEM format) from Amazon is being parsed correctly by the certificate decoder.

However, when the x509_convert_pem_to_der() function tries to convert it into DER, it returns NULL, when looking for the first line -----BEGIN CERTIFICATE-----

0 Likes
Anonymous
Not applicable

vik86: what do you mean by incorrect indentation? The sample application did not help me.

Anonymous
Not applicable

As mentioned by mkochhal, you can use the tool to format the certificates.

The link to the tool is:

https://community.broadcom.com/external-link.jspa?url=https%3A%2F%2Fwww.samltool.com%2Fformat_x509ce...

Also, you can refer to this discussion for more information.

Re: 3.4.0-AWS mqtt connect failed

Hope that helps.

Best Regards,

AB

0 Likes