CC3220SF-LAUNCHXL: Obtain and Program MQTT SSL certificate

Part Number: CC3220SF-LAUNCHXL
Other Parts Discussed in Thread: UNIFLASH

Hello,

I am following the mqtt_client example and can establish a working MQTT connection to iot.eclipse.org. For enabling a secured connection, the readme says:

Secured socket
In order to activate the secured example, SECURE_CLIENT must be defined ( certificates should be programmed ).

I already know that I need to place it in {"ca-cert.pem"} using Uniflash, but where do I get / download the correct certificate?

Thanks, 
Thomas

  • Hi Tom,

    In this post here, I explain how to use your CC3220 to determine the correct root CA to use, and how to get it from your own PC:
    e2e.ti.com/.../2478357

    Do note that the certificate that is correct in that particular example for IBM Watson is most likely not correct for iot.eclipse.org, and so you will need to run through the steps to determine and procure the right certificate for iot.eclipse.org.

    Regards,
    Michael
  • Hi Michael,

    Thanks!
    It seems iot.eclipse.org uses Let's Encrypt on their site, so I followed the path to the root CA and generated the file from DST Root CA X3.
    Now I get an SL_ERROR_BSD_ESECUNKNOWNROOTCA error on my side. Any ideas?

    Best regards,
    Thomas
  • Hi Thomas,

    The SL_ERROR_BSD_ESECUNKNOWNROOTCA error is actually just a warning, indicating that the network processor could not verify the root CA you provided as a trusted root CA in its catalog. However, the socket is actually still successfully connected if you get that error, so you can just add a lRetVal!=SL_ERROR_BSD_ESECUNKNOWNROOTCA check when you connect to ignore the error.

    You cannot get rid of that error as long as you are developing with the dummy certificate playground files. This is because the certificate playground's catalog of root CAs purposely only includes the dummy-root-ca-cert as a trusted root CA as a safeguard against using the playground for production purposes.

    Add that check to ignore the error, and you should be able to move forward with your AWS connection.

    Regards,
    Michael

  • Hi Michael,
    Oh great, thanks!
    Thomas
  • Hi Michael,

    I ignored the error message now, but still get this output:

    --C: Net -468, no RX MSG in reasonable time

    which could come from client_core.c, singleCtxKaSequence(). Should I also change this function or is there a different problem?

    Edit: MQTTCLIENT_NETCONN_SKIP_CERTIFICATE_CATALOG_VERIFICATION helps. Is it required during development?


    Thanks,
    Thomas

  • Hi Thomas,

    Yes, that is required for the same reasons as I outlined in my post above.

    Regards,
    Michael
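The connect-result check discussed in this thread, as an added example that is not part of the original posts or of TI's SDK code: it tolerates SL_ERROR_BSD_ESECUNKNOWNROOTCA only when the build is flagged as using the playground catalog, and closes the socket on every other failure. The names `classify_connect`, `connect_checked`, the function-pointer wrappers and the `playground_catalog` flag are hypothetical; the fallback value -468 is the code from the "Net -468" line above and is only a stand-in for the SDK header.

```c
#include <stdio.h>
/* Stand-in for the SimpleLink SDK header so this builds off-target.
 * -468 is the code from the "Net -468" line quoted in the thread. */
#ifndef SL_ERROR_BSD_ESECUNKNOWNROOTCA
#define SL_ERROR_BSD_ESECUNKNOWNROOTCA (-468L)
#endif

typedef enum { CONN_OK, CONN_OK_UNVERIFIED_ROOT, CONN_FAILED } conn_verdict_t;
typedef long (*connect_fn)(int sd); /* hypothetical wrapper around the SDK connect call */
typedef void (*close_fn)(int sd);   /* hypothetical wrapper around the SDK close call */

/* Accept the unknown-root-CA code only when the build uses the playground catalog. */
conn_verdict_t classify_connect(long ret, int playground_catalog)
{
    if (ret >= 0)
        return CONN_OK;
    if (ret == SL_ERROR_BSD_ESECUNKNOWNROOTCA && playground_catalog)
        return CONN_OK_UNVERIFIED_ROOT;
    return CONN_FAILED;
}

/* Connect, log the tolerated warning, and close the socket on any real failure. */
int connect_checked(int sd, connect_fn do_connect, close_fn do_close, int playground_catalog)
{
    long ret = do_connect(sd);
    switch (classify_connect(ret, playground_catalog)) {
    case CONN_OK:
        return 0;
    case CONN_OK_UNVERIFIED_ROOT:
        fprintf(stderr, "WARN: root CA not in catalog (%ld), development build only\n", ret);
        return 0;
    default:
        do_close(sd);
        return -1;
    }
}

/* Constructed stand-ins for the network processor, used for the off-target run. */
static int g_closed;
static long fake_ok(int sd) { (void)sd; return 0; }
static long fake_unknown_root(int sd) { (void)sd; return SL_ERROR_BSD_ESECUNKNOWNROOTCA; }
static void fake_close(int sd) { (void)sd; g_closed++; }

int main(void)
{
    printf("playground: %d\n", connect_checked(1, fake_unknown_root, fake_close, 1));
    printf("production: %d\n", connect_checked(1, fake_unknown_root, fake_close, 0));
    return 0;
}
```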