AWS IoT MQTT Certificate failed verification | Thales IoT Developer Community

hhaneh@gmail.com

January 3, 2020 - 11:48am, 573 views

Hi,

Just to add further to the question.

My JAVA version is Cinterion,EHS6,Rev 03.001, A-Rev 00.000.51. 

AT^SJMSEC? = 1,1,1,1

I'm using AWS IOT One click to generate all the certificates.

I download the rootCA from AWS (https://docs.aws.amazon.com/iot/latest/developerguide/server-authenticat...

Below are the CA certs that I tested.

1. VeriSign Endpoints (legacy) RSA 2048 bit key

2. RSA 2048 bit key: Amazon Root CA 1

3. Starfield Root CA Certificate

4. Cross-signed Amazon Root CA 1

I have double-checked with the Python SDK program and an OpenSSL connection.

openssl s_client -connect a2px87lo8v4uea.iot.us-west-2.amazonaws.com:8443 -CAfile SFSRootCAG2.pem -cert 1certificate.pem.crt -key private.pem.key

openssl s_client -connect a2px87lo8v4uea-ats.iot.us-west-2.amazonaws.com:8443 -CAfile SFSRootCAG2.pem -cert 1certificate.pem.crt -key private.pem.key

Below were the findings: 

Test for endpoint with ats (Python SDK, OpenSSL)

The successful CA certs are as below

1. RSA 2048 bit key: Amazon Root CA 1

2. Starfield Root CA Certificate

Test for endpoint without ats (Python SDK, OpenSSL)

The successful CA cert is as below

1. VeriSign Endpoints (legacy) RSA 2048 bit key

With that, I proceeded to test with the MIDlet program, and I was able to make a connection only on the endpoint without ATS and with the VeriSign Endpoints cert.

I was able to connect to the server and publish the message; the strange part is that I never see it at the server. If I'm using Python to the endpoint without ATS, I am able to see the message.

If I use the Amazon Root CA 1 or Starfield Root CA Certificate, I wasn't able to make a successful connection at all.

Each time I try to replace the cert, I get the command code

java -jar jseccmd.jar -cmd DelAllHttpsCertificatesUntrusted > DelAllHttpsCertificatesUntrusted.txt

So I run this command, AT^SJMSEC="cmd","060091000000", then I restart the terminal and reinstall the cert again.

I would appreciate it if someone could give some advice on this.
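
Added example, not part of the original post: a small Python helper that reads captured `openssl s_client` output (as produced by the commands above) and reports the issuer at the top of the chain the server presented, which is the root the device trust store must hold, together with the verify result for each `-CAfile` tried. The sample output and all names in it are constructed placeholders, and `summarize` and `working_anchors` are hypothetical helper names.

```python
import re

# Constructed sample: trimmed `openssl s_client` output. Subject and issuer
# names are placeholders, not the real AWS IoT certificate chain.
SAMPLE_OK = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = endpoint.example.test
   i:O = Example, CN = Example Intermediate CA
 1 s:O = Example, CN = Example Intermediate CA
   i:O = Example, CN = Example Root CA A
---
    Verify return code: 0 (ok)
"""
# Same handshake captured with a -CAfile that does not contain the needed root.
SAMPLE_FAIL = SAMPLE_OK.replace(
    "Verify return code: 0 (ok)",
    "Verify return code: 20 (unable to get local issuer certificate)")

# One chain entry: "<depth> s:<subject>" followed by an indented "i:<issuer>".
CHAIN_RE = re.compile(r"^[ \t]*(\d+) s:(.+)\n[ \t]+i:(.+)$", re.M)
VERIFY_RE = re.compile(r"Verify return code: (\d+) \((.+)\)")


def summarize(output):
    """Return the presented chain, the trust anchor it needs, and the verify result."""
    chain = [(int(d), s.strip(), i.strip()) for d, s, i in CHAIN_RE.findall(output)]
    if not chain:
        raise ValueError("no 'Certificate chain' entries found")
    verify = VERIFY_RE.search(output)
    if verify is None:
        raise ValueError("no 'Verify return code' line found")
    _, subject, issuer = max(chain)  # highest depth = last certificate sent
    code = int(verify.group(1))
    return {
        "chain": chain,
        "needed_anchor": issuer,              # must be in the client trust store
        "self_signed_top": subject == issuer,  # server sent the root itself
        "code": code,
        "reason": verify.group(2),
        "trusted": code == 0,
    }


def working_anchors(runs):
    """runs maps a -CAfile name to the s_client output captured with that file."""
    return sorted(ca for ca, out in runs.items() if summarize(out)["trusted"])
```

Comparing `needed_anchor` with the subject of each root certificate installed on the module shows whether the device holds the anchor that the chosen endpoint actually chains to.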