IoT Hub x509 Server Certificate won't verify

mdf 6 Reputation points
2022-06-07T13:51:01.293+00:00

I am trying to connect to Azure IoT Hub using x509 certificate authorization.

I have created the certificates for my device using these instructions: https://learn.microsoft.com/en-us/azure/iot-hub/tutorial-x509-scripts

However, the Server certificate won't verify. Here is the console output from the TLS handshake:

```
 Loading the CA root certificate
mbedtls_ssl_setup : 0
cert size[1874]
mbedtls_x509_crt_parse() ca_certificate returned 0
 Loading the device certificates(s) ...
device cert size[1964]
mbedtls_x509_crt_parse() device_certificate returned 0
  . Verifying X.509 certificate...
Verify requested for (Depth 1):
cert. version     : 3
serial number     : CD:96:3B:05:EB:BC:9F:49
issuer name       : CN=Azure IoT Hub CA Cert Test Only
subject name      : CN=Azure IoT Hub CA Cert Test Only
issued  on        : 2022-05-16 18:43:33
expires on        : 2022-06-15 18:43:33
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true
key usage         : Digital Signature, Key Cert Sign, CRL Sign

  This certificate has no flags

Verify requested for (Depth 0):
cert. version     : 3
serial number     : 03
issuer name       : CN=Azure IoT Hub CA Cert Test Only
subject name      : CN=mydevice
issued  on        : 2022-05-16 19:03:25
expires on        : 2022-06-15 19:03:25
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Client, Email
key usage         : Digital Signature, Non Repudiation, Key Encipherment
ext key usage     : TLS Web Client Authentication, E-mail Protection

  This certificate has no flags
 ok
wz_tls_init [1]
socket open port : 0
socket[0]
server ip : <Azure IoT Hub> port : 8883
init connect[1]
  . Performing the SSL/TLS handshake...Port:[0]/Send(522) :

Verify requested for (Depth 1):
cert. version     : 3
serial number     : 0F:14:96:5F:20:20:69:99:4F:D5:C7:AC:78:89:41:E2
issuer name       : C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
subject name      : C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01
issued  on        : 2020-07-21 23:00:00
expires on        : 2024-10-08 07:00:00
signed using      : RSA with SHA-256
RSA key size      : 4096 bits
basic constraints : CA=true, max_pathlen=0
key usage         : Digital Signature, Key Cert Sign, CRL Sign
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
certificate policies : ???, ???, ???
  ! The certificate is not correctly signed by the trusted CA


Verify requested for (Depth 0):
cert. version     : 3
serial number     : 12:00:2C:E1:40:0A:44:9A:D8:39:95:5F:BB:00:00:00:2C:E1:40
issuer name       : C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01
subject name      : CN=*.azure-devices.net
issued  on        : 2022-06-04 09:00:01
expires on        : 2022-11-04 09:00:01
signed using      : RSA with SHA-256
RSA key size      : 2048 bits
subject alt name  :
    dNSName : *.azure-devices.net
    dNSName : *.amqpws.azure-devices.net
    dNSName : *.su.management-azure-devices.net
key usage         : Digital Signature, Key Encipherment, Data Encipherment
ext key usage     : TLS Web Server Authentication, TLS Web Client Authentication
certificate policies : ???, ???

  This certificate has no flags

 failed
  ! mbedtls_ssl_handshake returned -9984:
wz_tls_connect [-1]
```

Thanks in advance.

1 answer

  1. mdf 6 Reputation points
    2022-06-15T14:00:38.567+00:00

    I fixed this on my own, through trial and error.

    The instructions referenced above create three files:

    1. azure-iot-test-only.root.ca.cert.pem
    2. new-device.cert.pem
    3. new-device.key.pem

    File 1 is uploaded to Azure and verified there.
    Files 2 and 3 are used by the device.

    During the TLS handshake when connecting to Azure IoT Hub, the server (Azure) sends a certificate which must be verified by the device. That's where it was failing to verify. I had included File 1 for this purpose (as the TLS ca-cert), but that doesn't work. Azure IoT Hub is sending a Baltimore-based certificate, so the device needs a Baltimore cert to verify it. That is not clear in the instructions.

    The Baltimore (and Digicert) pem files can be obtained with this script (with Bash on Linux):

    ```bash
    #!/bin/bash
    # Copyright (c) Microsoft Corporation. All rights reserved.
    # SPDX-License-Identifier: MIT
    # Copied from github.com/Azure/azure-sdk-for-c/blob/main/sdk/samples/iot/aziot_esp32/create_trusted_cert_header.sh
    #
    # to execute:  sh create_trusted_cert_header.sh

    set -x # Set trace on
    set -o errexit # Exit if command failed
    set -o nounset # Exit if variable not set
    #set -o pipefail # Exit if pipe failed

    command -v xxd >/dev/null 2>&1 || { echo >&2 "Please install xxd."; exit 1; }

    # Fetch the two public roots that sign Azure IoT Hub's TLS server certificates
    wget https://cacerts.digicert.com/BaltimoreCyberTrustRoot.crt.pem -O ca1.pem
    wget https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem -O ca2.pem

    # Concatenate both roots into one PEM bundle; the TLS stack walks the bundle to find a trust anchor
    cat ca1.pem > ca.pem
    cat ca2.pem >> ca.pem

    # Append a NUL byte: mbedtls_x509_crt_parse() expects a PEM buffer to be NUL-terminated,
    # with the terminator counted in the buffer length
    echo -n -e '\0' >> ca.pem
    # Emit the bundle as a C array (unsigned char ca_pem[] plus ca_pem_len) for embedding in firmware
    xxd -i ca.pem ca.h
    ```

    My device can now complete the handshake and publish/subscribe with Azure IoT Hub.

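The trust-anchor mismatch the answer describes, reproduced offline as an added example (not code from the original post or the Azure SDK): two unrelated throwaway CAs stand in for the tutorial's test CA and for Baltimore CyberTrust Root, and `openssl verify` plays the role of the device's TLS stack. It assumes the `openssl` CLI is installed; every CA and host name in it is constructed.

```bash
#!/bin/bash
# Added example, not part of the original post: reproduce the trust-anchor mismatch
# from the log with throwaway CAs, then show the fix. All names below are constructed.
set -o errexit
set -o nounset
set -o pipefail
command -v openssl >/dev/null 2>&1 || { echo >&2 "Please install openssl."; exit 1; }

# make_ca PREFIX CN : self-signed root CA written to PREFIX.pem / PREFIX.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# make_leaf PREFIX CN CA_PREFIX : end-entity cert signed by the CA at CA_PREFIX
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -out "$1.pem" 2>/dev/null
}

# setup_demo_pki : build the two unrelated trust domains from the question into DEMO_DIR
setup_demo_pki() {
  DEMO_DIR=$(mktemp -d)
  # Device side: the tutorial's test CA and the device cert it signs (files 1 and 2 in the answer)
  make_ca   "$DEMO_DIR/devca"  "Azure IoT Hub CA Cert Test Only"
  make_leaf "$DEMO_DIR/device" "mydevice" "$DEMO_DIR/devca"
  # Server side: a constructed stand-in for Baltimore CyberTrust Root and the hub's TLS server cert
  make_ca   "$DEMO_DIR/srvroot" "Constructed Server Root"
  make_leaf "$DEMO_DIR/server"  "hub.example.invalid" "$DEMO_DIR/srvroot"
  # Bundle both roots, the way the answer's script concatenates ca1.pem and ca2.pem
  cat "$DEMO_DIR/devca.pem" "$DEMO_DIR/srvroot.pem" > "$DEMO_DIR/ca.pem"
}

# verify_chain BUNDLE CERT : what the device's TLS stack does with its CA file; prints ok or fail.
# Default system trust stores are disabled so only BUNDLE decides the result.
verify_chain() {
  if openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

setup_demo_pki
echo "device cert vs device test CA      : $(verify_chain "$DEMO_DIR/devca.pem"   "$DEMO_DIR/device.pem")"  # ok
echo "server cert vs device test CA only : $(verify_chain "$DEMO_DIR/devca.pem"   "$DEMO_DIR/server.pem")"  # fail (the log's -9984)
echo "server cert vs server root         : $(verify_chain "$DEMO_DIR/srvroot.pem" "$DEMO_DIR/server.pem")"  # ok
echo "server cert vs combined ca.pem     : $(verify_chain "$DEMO_DIR/ca.pem"      "$DEMO_DIR/server.pem")"  # ok
```

The last line is the configuration that fixed the question: the device keeps its own test CA in the bundle (that CA is what IoT Hub checks the device certificate against) and adds the public roots that actually sign the hub's server certificate.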