I can imagine this question has risen before but I think those post got buried to deep.
I’m having some trouble with configuring the certificate for an embedded device connected with azure iot hub. I’m assuming I just make some mistake in my logic so this shouldn’t be platform related.
De server i am connecting to has a chain of 3 certificates. (A, B, C). A is the CA and C is the certificate of the Azure server.
As I understand it, I have to provide certificate B in order to check the validity of certificate C. This is the way I implemented it and it looked like it worked great. However, certificate C’s issuer has changed a few times last week. Is this normal? I know the certificates were valid for at least another few years. but the chain changed for some reason. the CN of the B certificates were similar but slightly different…
Or am I doing this all wrong and should I just provide certificate A?
I tried to do this, but I get an error MBEDTLS_ERR_OID_NOT_FOUND. (haven’t looked into it yet)
i’m just using the functions mbedtls_x509_crt_parse and mbedtls_ssl_conf_ca_chain
any knowledge on the subject is appreciated!
thanks in advance
@zakmetmoes
Thank you for your question
From your description, I understand the following:
A - ca root certificate
B - intermediate certificate ( whether with or without CA basic constraints)
C - server certificate
Does the server send the full chain in the certificate message? If so, you can set either A or B in mbedtls_ssl_conf_ca_chain ( as long as B has the CA=true basic constraints). However, from your description, it seems that the server changed the chain, starting from the intermediate certificate, so you should probably set A as the trusted root certificate.
As for the MBEDTLS_ERR_OID_NOT_FOUND error, it is probably a missing configuration. A is probably signed with an algorithm that is not defined in your configuration, whether it is the signature algorithm or the hash algorithm.
Ron, can you clarify what you mean by “server send the full chain”? What I have seen from the Wireshark is that the server in my case only sends C and B. I only need to have the A in my code and mbedTLS works. Are you saying alternatively I could have the B in my code without the A as long as B’s subject type is CA?
I don’t know if the server sends te full certificate, but i’ll find out.
the probability of a missing configuration is also probable, i stripped mbedtls from a lot of algorithms.
Thanks for pointing me in the right direction!!
Regards,
Jeroen
edit:
you were right about the MBEDTLS_ERR_OID_NOT_FOUND. I added support for RSA1 (which is used for the CA root certificate) and everything works fine now:) thanks for the help;)
Are you saying alternatively I could have the B in my code without the A as long as B’s subject type is CA?
As long as it has Basic Constraints CA=true, and you trust this CA, you can set it as a trusted root certificate.
Sometimes, servers send the full chain ( A + B + C ).
Note that if you don’t trust entity of the intermediate certificate ( B), you shouldn’t set it as a trusted root certificate.
However, it is better to set A as the trusted root certificate, as it is the CA root certificate.
Regards,
Ron
