Other Parts Discussed in Thread: CC3100, CC3200
My customer is having issues converting certificates for AWS/CC3100.
The certificates are generated by following the instructions in this link:
https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/
Since the CC3100 requires certificates to be in DER format, the customer converted the certificates from their original PEM format using the following commands:
$ openssl pkcs7 -print_certs -in deviceCertAndCACert.p7b -text -noout
or
$ openssl pkcs7 -print_certs -in deviceCertAndCACert.p7b -outform der -out deviceCertAndCACert.der
or
$ openssl x509 -outform der -in deviceCertAndCACert.crt -out deviceCertAndCACert.der
The first command:
$ openssl pkcs7 -print_certs -in deviceCertAndCACert.p7b -outform der -out deviceCertAndCACert.der
produces the deviceCertAndCACert.der file, and it looks somewhat OK when viewed as hex, but when running the following:
$ openssl x509 -inform der -in deviceCertAndCACert.der -text -noout
It yields:
unable to load certificate
9100:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1197:
9100:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509
With the second command:
$ openssl x509 -outform der -in deviceCertAndCACert.crt -out deviceCertAndCACert.der
produces the deviceCertAndCACert.der file, but the file size is too small, and when run:
$ openssl x509 -inform der -in deviceCertAndCACert.der -text -noout
Only the first certificate is visible.
It is important to note that those certificates work fine on a Linux machine, i.e., without the participation of the CC3100.
- They used the first command from the Ubuntu/mosquitto MQTT client and it successfully triggered the IoT registration rule. So Linux/mosquitto/OpenSSL must know how to transmit the chain in DER format, while the CC3100 seems to have an issue.
Summarizing, when loading the deviceCertAndCACert.der file (generated from the commands above) into the serial flash, the CC3100 fails to connect to the host / create the SSL session. AWS support confirms the suspicion of a problem with the CC3100.
Can you please share your ideas?
Thank you!
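Added example, not code from the post, from TI or from AWS: a small Python script that checks what a file that is supposed to be DER actually contains, and splits a PEM bundle into one DER blob per certificate. It encodes two facts about the OpenSSL tools used above (taken from OpenSSL's apps/x509.c and apps/pkcs7.c, not from CC3100 documentation): `openssl x509 -outform der` converts only the first certificate in a PEM file, because a DER file holds exactly one X.509 Certificate; and `openssl pkcs7 -print_certs` writes the contained certificates as PEM text with PEM_write_bio_X509 regardless of `-outform`, so the "der" file from the first command starts with ASCII text rather than a 0x30 SEQUENCE tag, which is exactly the "wrong tag ... Type=X509" error reported. A raw PKCS#7 bundle in DER would fail the same way for a different reason: its outer SEQUENCE starts with the signedData OID, whereas a Certificate's outer SEQUENCE starts with the tbsCertificate SEQUENCE. The sample inputs below are constructed stand-ins with only that outer shape, not real certificates, and the `<stem>-N.der` output naming is my own choice; which file layout the CC3100 side needs is a separate question the script does not answer.

```python
"""Check what a supposed DER file really is and split a PEM bundle into
one DER certificate per file (added example, not from the thread)."""
import base64
import re
import sys

SEQUENCE, OID = 0x30, 0x06
# 1.2.840.113549.1.7.2 = pkcs7-signedData, the contentType OID of a .p7b ContentInfo
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")


def _der_length(n: int) -> bytes:
    """DER length encoding, short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def read_tlv(buf: bytes, pos: int):
    """Decode the element at buf[pos]; return (tag, body, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def classify_der(blob: bytes) -> list:
    """One entry per top-level element: 'x509' for a Certificate (first child is the
    tbsCertificate SEQUENCE), 'pkcs7-signedData' for a .p7b ContentInfo (first child
    is the signedData OID), 'sequence' otherwise.  ['not-der'] when the first byte is
    not a SEQUENCE tag, e.g. PEM text ('-' is 0x2d, 's' of 'subject=' is 0x73)."""
    if not blob or blob[0] != SEQUENCE:
        return ["not-der"]
    kinds, pos = [], 0
    while pos < len(blob):
        tag, body, pos = read_tlv(blob, pos)
        if tag != SEQUENCE:
            kinds.append("unexpected-tag-0x%02x" % tag)
            continue
        inner_tag, inner_body, _ = read_tlv(body, 0)
        if inner_tag == SEQUENCE:
            kinds.append("x509")
        elif inner_tag == OID and tlv(OID, inner_body) == OID_SIGNED_DATA:
            kinds.append("pkcs7-signedData")
        else:
            kinds.append("sequence")
    return kinds


_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text: str) -> list:
    """DER bytes of every CERTIFICATE block in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_CERT.finditer(text)]


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def convert_bundle(pem_text: str, stem: str) -> list:
    """Split a PEM bundle into [(filename, der), ...], one DER file per certificate."""
    return [("%s-%d.der" % (stem, i), der) for i, der in enumerate(split_pem_bundle(pem_text))]


# Constructed stand-ins (NOT real certificates): only the outer ASN.1 shape matters here.
FAKE_DEVICE_CERT = tlv(SEQUENCE, tlv(SEQUENCE, tlv(0x02, b"\x01")) + tlv(0x04, b"device"))
FAKE_CA_CERT = tlv(SEQUENCE, tlv(SEQUENCE, tlv(0x02, b"\x02")) + tlv(0x04, b"ca" * 70))
FAKE_P7B = tlv(SEQUENCE, OID_SIGNED_DATA + tlv(0xA0, tlv(SEQUENCE, FAKE_DEVICE_CERT + FAKE_CA_CERT)))
SAMPLE_BUNDLE_PEM = to_pem(FAKE_DEVICE_CERT) + to_pem(FAKE_CA_CERT)

if __name__ == "__main__":
    # usage: python der_check.py deviceCertAndCACert.crt  -> writes deviceCertAndCACert-0.der, -1.der, ...
    path = sys.argv[1]
    with open(path, "rb") as f:
        raw = f.read()
    print(path, "contains:", classify_der(raw))
    for name, der in convert_bundle(raw.decode("ascii", "replace"), path.rsplit(".", 1)[0]):
        with open(name, "wb") as f:
            f.write(der)
        print("wrote", name, classify_der(der))
```

Run it on the PEM chain file and then on each `.der` it writes: the chain reports `['not-der']`, each output file reports `['x509']`, and a genuine `.p7b` converted with `openssl pkcs7 -outform der` (without `-print_certs`) reports `['pkcs7-signedData']`. A concatenation of two DER certificates reports `['x509', 'x509']`, which is the shape `openssl x509 -inform der` reads only the first element of.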