Post by fburghub on Jul 19, 2022 13:56:06 GMT
Hello Guys,
I want to establish an MQTT connection to an Azure IoT Hub with a client certificate and a client key. The certificates are present on the module for sure because I can read them out:
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
. . .
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
However when I want to configure the certificates to be used by MQTT, I get the following error:
---> AT+CSSLCFG="convert",2,"rootCa.crt"
<--- OK
---> AT+CSSLCFG="convert",1,"clientcert.crt","clientkey.crt"
<--- +CME ERROR: operation not allowed    //this response
---> AT+SMSSL=1,"rootCa.crt","clientcert.crt"
<--- OK
I don't know what to do, since the same certificates do work over Wi-Fi.
I hope someone could help me out.
Thanks in advance Florian
tron
Newbie
Posts: 7
Post by tron on Feb 3, 2024 15:11:25 GMT
Too bad, I'm having the same issue, or so it seems. In the code you pasted you entered the cert twice, but I guess that's just a typo?
Post by aryanbeta2003 on Feb 5, 2024 15:13:13 GMT
I have the same problem loading the AWS cert and private key onto the SIM7000! I don't know how to solve this!
tron
Newbie
Posts: 7
Post by tron on Feb 6, 2024 20:47:59 GMT
Good for you, I found one issue then. In my case, after much digging (and using EFS to make my life easier), I found that the private key file has to be in "traditional" format. Look for that in Google and you'll see that the format changed in OpenSSL 3. You need to convert to traditional (evidenced by the "PRIVATE RSA KEY" header) for it to work. You may also need certificate extensions for it to work. I was lucky to find an AWS IoT client cert that worked, and went from there.
Post by aryanbeta2003 on Feb 7, 2024 10:34:38 GMT
Hi Tron,
Thanks for the reply. This stuff took me a lot of time, so I have to convert private.key and clientcert.crt both to traditional format (RSA header)? clientcert already starts with -----BEGIN CERTIFICATE-----. I changed the private.key (with this command: openssl rsa -in private.key -out private.pem) and now the header has become like this: -----BEGIN PRIVATE KEY-----. The question is: should I load private/clientcert into the SIM7000 as .key or as .pem? Regards.
tron
Newbie
Posts: 7
Post by tron on Feb 7, 2024 10:41:37 GMT
The header for keys in traditional format is -----BEGIN RSA PRIVATE KEY-----. It's not the file extension that is important; you need the -traditional option for the openssl command, like:
openssl rsa -in private.key -out private-rsa.key -traditional
That, and I don't know for sure, but you may also need cert extensions.
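The "traditional" format that tron's two posts above describe (the "BEGIN RSA PRIVATE KEY" header, and the openssl -traditional command that produces it) is simply the PKCS#1 RSAPrivateKey structure on its own, instead of the PKCS#8 PrivateKeyInfo wrapper ("BEGIN PRIVATE KEY") that OpenSSL 3 writes by default. The following is an added example, not code from the original thread or from SIMCom: it performs the same unwrapping in plain Python, with no OpenSSL or third-party library, so you can check which header a key file really has and convert it before trying AT+CSSLCFG="convert". The sample key embedded at the bottom is constructed purely to exercise the code (textbook RSA with p=61, q=53, e=17) and is not a real key; the function names are this example's own. Encrypted PKCS#8 and non-RSA keys are rejected explicitly, since they need different handling.

```python
"""PKCS#8 ("BEGIN PRIVATE KEY") -> PKCS#1 / "traditional" ("BEGIN RSA PRIVATE KEY")
for unencrypted RSA keys, using only the Python standard library."""
import base64
import re

# DER-encoded OID for rsaEncryption (1.2.840.113549.1.1.1): tag + length + value.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _pem_parts(pem: str):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def pem_label(pem: str) -> str:
    """'PRIVATE KEY' (PKCS#8), 'RSA PRIVATE KEY' (traditional), ..."""
    return _pem_parts(pem)[0]


def pem_to_der(pem: str) -> bytes:
    return _pem_parts(pem)[1]


def der_to_pem(der: bytes, label: str) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def _der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf: bytes, off: int):
    """Decode the TLV at `off`: return (tag, value_start, value_end)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    if off + hdr + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off + hdr, off + hdr + length


def pkcs8_to_pkcs1_der(p8: bytes) -> bytes:
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, AlgorithmIdentifier, privateKey OCTET STRING }
    For RSA the OCTET STRING *is* the PKCS#1 RSAPrivateKey DER, so conversion is a pure unwrap."""
    tag, s, _ = _read_tlv(p8, 0)
    if tag != 0x30:
        raise ValueError("PrivateKeyInfo must be a SEQUENCE")
    tag, vs, ve = _read_tlv(p8, s)
    if tag != 0x02 or p8[vs:ve] != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, as_, ae = _read_tlv(p8, ve)
    if tag != 0x30 or p8[as_:_read_tlv(p8, as_)[2]] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key (EC keys use a different traditional container)")
    tag, ks, ke = _read_tlv(p8, ae)
    inner = p8[ks:ke]
    if tag != 0x04 or not inner or inner[0] != 0x30:
        raise ValueError("privateKey OCTET STRING does not hold an RSAPrivateKey SEQUENCE")
    return inner


def pkcs1_to_pkcs8_der(p1: bytes) -> bytes:
    """Inverse wrap; used to build the sample below and for round-trip checks."""
    alg = _der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL parameters
    return _der_tlv(0x30, _der_tlv(0x02, b"\x00") + alg + _der_tlv(0x04, p1))


def to_traditional_pem(pem: str) -> str:
    """Return the key in 'RSA PRIVATE KEY' PEM form (what `openssl rsa -traditional` emits)."""
    label = pem_label(pem)
    if label == "RSA PRIVATE KEY":
        return pem  # already traditional, nothing to do
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("key is password-protected; decrypt it first")
    if label != "PRIVATE KEY":
        raise ValueError(f"not a private-key PEM: {label}")
    return der_to_pem(pkcs8_to_pkcs1_der(pem_to_der(pem)), "RSA PRIVATE KEY")


# Constructed sample input, NOT a real key: textbook RSA with p=61, q=53, e=17.
def _der_int(v: int) -> bytes:
    return _der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

# RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
TOY_RSA_PRIVATE_KEY_DER = _der_tlv(
    0x30, b"".join(_der_int(v) for v in (0, 3233, 17, 413, 61, 53, 53, 49, 38)))
SAMPLE_PKCS8_PEM = der_to_pem(pkcs1_to_pkcs8_der(TOY_RSA_PRIVATE_KEY_DER), "PRIVATE KEY")

if __name__ == "__main__":
    print(to_traditional_pem(SAMPLE_PKCS8_PEM))
```

Where openssl is available, the command from tron's post (openssl rsa -in private.key -out private-rsa.key -traditional) does exactly this unwrap, and openssl rsa -in private-rsa.key -check -noout confirms the result is a consistent RSA key. The two headers differ by a single word, so comparing files by eye in an editor is unreliable; check the first line, or the pem_label result, before uploading to the module.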
Post by aryanbeta2003 on Feb 7, 2024 11:48:09 GMT
I ran "openssl rsa -in private.key -out private-rsa.key -traditional", however the outcome was the same (AT command convert 1). The private.key and the private-rsa.key are exactly like each other (when I open them in a text editor). The header of the current private.key is already like: -----BEGIN RSA PRIVATE KEY-----. I'm a little bit confused.
tron
Newbie
Posts: 7
Post by tron on Feb 7, 2024 12:02:47 GMT
Well, I don't want to be rude, but before you said the header was "BEGIN PRIVATE KEY", so if now it is "BEGIN RSA PRIVATE KEY" they are not the same. As I said, I was lucky to find an AWS IoT cert that worked, and slowly was finding the little details that made the module reject my certificates. I can only advise you to follow the same path...
Post by aryanbeta2003 on Feb 7, 2024 12:21:51 GMT
I think it was a misunderstanding. BTW, I didn't know we could modify the certs and private key; I learned it today from you. I'm going to try to embed them and convert them to initialize the AWS IoT MQTTS connection, and let you know what the issue is.
tron
Newbie
Posts: 7
Post by tron on Feb 7, 2024 12:40:34 GMT
Well, you need to learn the basics then. Find out what a certificate is. If you follow procedures without knowing what you are doing... sometimes it will work.