Help needed with standard simple certificates

I can imagine this question has risen before but I think those post got buried to deep.

I’m having some trouble with configuring the certificate for an embedded device connected with azure iot hub. I’m assuming I just make some mistake in my logic so this shouldn’t be platform related.

De server i am connecting to has a chain of 3 certificates. (A, B, C). A is the CA and C is the certificate of the Azure server.

As I understand it, I have to provide certificate B in order to check the validity of certificate C. This is the way I implemented it and it looked like it worked great. However, certificate C’s issuer has changed a few times last week. Is this normal? I know the certificates were valid for at least another few years. but the chain changed for some reason. the CN of the B certificates were similar but slightly different…

Or am I doing this all wrong and should I just provide certificate A?
I tried to do this, but I get an error MBEDTLS_ERR_OID_NOT_FOUND. (haven’t looked into it yet)

i’m just using the functions mbedtls_x509_crt_parse and mbedtls_ssl_conf_ca_chain

any knowledge on the subject is appreciated!
thanks in advance

Thank you for your question
From your description, I understand the following:
A - ca root certificate
B - intermediate certificate ( whether with or without CA basic constraints)
C - server certificate

Does the server send the full chain in the certificate message? If so, you can set either A or B in mbedtls_ssl_conf_ca_chain ( as long as B has the CA=true basic constraints). However, from your description, it seems that the server changed the chain, starting from the intermediate certificate, so you should probably set A as the trusted root certificate.

As for the MBEDTLS_ERR_OID_NOT_FOUND error, it is probably a missing configuration. A is probably signed with an algorithm that is not defined in your configuration, whether it is the signature algorithm or the hash algorithm.

Mbed TLS Team member

1 Like

Ron, can you clarify what you mean by “server send the full chain”? What I have seen from the Wireshark is that the server in my case only sends C and B. I only need to have the A in my code and mbedTLS works. Are you saying alternatively I could have the B in my code without the A as long as B’s subject type is CA?

Thank you for your response!

I don’t know if the server sends te full certificate, but i’ll find out.
the probability of a missing configuration is also probable, i stripped mbedtls from a lot of algorithms.

Thanks for pointing me in the right direction!!



you were right about the MBEDTLS_ERR_OID_NOT_FOUND. I added support for RSA1 (which is used for the CA root certificate) and everything works fine now:) thanks for the help;)


Are you saying alternatively I could have the B in my code without the A as long as B’s subject type is CA?

As long as it has Basic Constraints CA=true, and you trust this CA, you can set it as a trusted root certificate.
Sometimes, servers send the full chain ( A + B + C ).
Note that if you don’t trust entity of the intermediate certificate ( B), you shouldn’t set it as a trusted root certificate.
However, it is better to set A as the trusted root certificate, as it is the CA root certificate.