Other Parts Discussed in Thread: CC3235SF, UNIFLASH
Hi,
I am using the CC3235SF Dev Kit to connect to our Cloud. I am using the AT command library provided by TI to send MQTT AT commands to the server.
Our Cloud MQTT server has been using DST Root CA X3 as the certificate so far. I have been able to connect to the MQTT server securely using the AT commands and providing DST Root CA X3.pem as the CA file name in the AT command.
Since DST Root CA X3 expired on 30 Sept, the Cloud server is now using the certificate ISRG Root X1. So, I saved ISRG Root X1 (isrg_root_x1.pem) in the CC3235SF file system using Uniflash.
Now, when I use isrg_root_x1.pem as the CA file name in the AT command and issue an MQTT connect command, I get the error "Wrong Root CA". It gives an error code of -688, which is "ASN no signer to confirm failure".
I am not validating the certificate against the certificate store in the flash. The certstore.lst, I think, does not contain the ISRG Root X1 certificate. In any case, since I am not validating against the cert store, I have set skip_cert_verify in the AT command.
The AT commands I am using are:
------------------------------------------------------------------------------------------------------------
AT+MqttCreate=123,url|sec|skip_date_verify|skip_domain_verify|skip_cert_verify,server_name,8883,SSLV3_TLSV1_2,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256|TLS_DHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,,,isrg_root_x1.pem,,v3_1_1,1,1
AT commands to set username and password
AT+MQTTConnect=0 /* This fails with the above mentioned error and says Wrong Root CA */
------------------------------------------------------------------------------------------------------------
When I connect to the MQTT broker using mosquitto, I am able to connect with the same isrg_root_x1.pem certificate. If I use the command below, it works fine.
mosquitto_sub -h "server_name" -t "topic" -p 8883 --cafile isrg_root_x1.pem -u "user" -P "pw"
What could be the reason the CC3235SF is not able to MQTT connect to the server using the new certificate?
Thanks for your help.
Regards,
Subramanyan