Arm Mbed and Pelion Device Management support forum

mbedTLS SSL handshake ca certificate configuration

Hello,
I’m trying to make a secure connection between the server and the client.
The host name is: qa.iot1.homecloud.honeywell.com.cn
and the client has 2 CA certificates:
HoneywellQAProductPKI.pem the ca certificate
SharedQACA.pem the middle ca certificate

and device certificate is ClientCert.pem.

I don’t know how to set the certificate chain, and now I only set the root CA certificate by: ca_file=/system/etc/security/cacerts/HoneywellQAProductPKI.pem
When I set opt.auth_mode = MBEDTLS_SSL_VERIFY_OPTIONAL, the error is:
Last error was: -0x4E00 - ECP - The signature is not valid, in TLS handshake “MBEDTLS_SSL_SERVER_KEY_EXCHANGE”.

When I set opt.auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED, the error is:
Unable to verify the server’s certificate. Either it is invalid, or you didn’t set ca_file or ca_path to an appropriate value, in TLS handshake “MBEDTLS_SSL_SERVER_CERTIFICATE”.

How do I call the API to configure 2 CA files?
I don’t know if the reason is an error in the CA file configuration.

Thanks,

HoneywellQAProductPKI.pem content:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
15:f2:ff:b7:95:f8:e9:14
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Honeywell International Inc., CN=Honeywell QA Product PKI
Validity
Not Before: Sep 9 00:19:31 2016 GMT
Not After : Dec 30 23:58:59 9999 GMT
Subject: C=US, O=Honeywell International Inc., CN=Honeywell QA Product PKI
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:eb:68:5f:56:99:ed:a1:cf:cf:77:32:aa:1c:9b:
9d:e3:1b:a3:d3:96:cb:4e:63:36:d8:da:1d:d0:79:
cf:34:39:28:ca:e7:48:c2:db:40:dd:78:5e:f4:86:
ff:86:8d:73:ce:32:ef:bc:40:c0:ea:98:67:2d:bc:
99:df:b7:32:bd
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
BF:E6:A5:DC:D3:F4:5E:D8:7B:21:1E:B2:AE:41:A9:85:D0:AA:CF:DC
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:BF:E6:A5:DC:D3:F4:5E:D8:7B:21:1E:B2:AE:41:A9:85:D0:AA:CF:DC

        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.20998.2.1.1.1
              CPS: https://qhppki.honeywell.com/cps

        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
     30:46:02:21:00:92:09:14:ea:29:dd:61:1a:45:94:b1:88:f8:
     18:63:47:e6:87:f3:e3:db:aa:38:0d:b4:51:91:fb:18:6e:d5:
     96:02:21:00:b5:16:68:a2:91:f3:61:11:1f:c8:84:1f:ff:6b:
     a0:51:b2:27:3c:2d:18:90:90:98:d0:2a:57:cc:0b:31:c1:4f

SharedQACA.pem content:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4f:e7:64:6f:84:c6:3e:42
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Honeywell International Inc., CN=Honeywell QA Product PKI
Validity
Not Before: Sep 9 00:37:14 2016 GMT
Not After : Feb 1 00:00:00 9999 GMT
Subject: C=US, O=Honeywell International Inc., OU=ACS, CN=Shared QA CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:e0:47:a6:aa:d2:b6:a7:f1:4b:1e:90:a6:4d:23:
12:63:8b:66:62:80:f6:3e:36:20:67:5e:c2:30:6b:
c9:64:75:ab:b0:96:48:a3:c6:85:70:e0:ff:e1:4b:
70:83:6e:da:c2:8d:04:c2:97:91:eb:e8:08:34:fc:
bc:9d:4b:e3:4a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
8A:0A:3B:1D:70:6A:49:09:37:6F:8D:00:C5:DF:21:A8:45:6F:AE:0D
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
keyid:BF:E6:A5:DC:D3:F4:5E:D8:7B:21:1E:B2:AE:41:A9:85:D0:AA:CF:DC

        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.20998.2.1.1.1
              CPS: https://qhppki.honeywell.com/cps

        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://qhppki.honeywell.com/crl/HoneywellQARoot.crl

        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA256
     30:45:02:21:00:9a:7b:65:b0:c9:b6:b5:8f:30:de:30:2d:18:
     e3:f3:e4:47:83:75:70:1c:4e:1f:21:3b:4f:3c:a7:ae:18:ce:
     8e:02:20:64:6f:a6:69:6e:aa:58:30:c5:72:32:9e:5b:a9:7e:
     2d:34:cc:0c:73:e1:15:16:09:39:7f:12:16:72:ba:25:7f

ClientCert.pem content:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
3e:51:6a:9e:77:08:40:b3
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Honeywell International Inc., OU=ACS, CN=Shared QA CA
Validity
Not Before: Dec 7 03:45:55 2018 GMT
Not After : Feb 1 00:00:00 9999 GMT
Subject: C=US, O=Honeywell International Inc., OU=HBT, CN=cube-c 001f55000829
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:f4:d1:02:23:de:7b:14:6a:a4:71:26:ff:50:4d:
41:72:d9:07:07:5c:51:e4:f7:9a:13:60:34:c1:f4:
16:33:51:72:37:6c:94:93:0c:4a:c6:0e:41:5b:1e:
cf:50:47:73:78:fa:01:c7:1b:7f:ec:25:c1:e4:42:
da:1d:af:e4:3d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:8A:0A:3B:1D:70:6A:49:09:37:6F:8D:00:C5:DF:21:A8:45:6F:AE:0D

        Authority Information Access:
            OCSP - URI:http://qhppki.honeywell.com/ocsp

        X509v3 Certificate Policies:
            Policy: 1.3.6.1.4.1.20998.2.1.1.1
              CPS: https://qhppki.honeywell.com/cps

        X509v3 Extended Key Usage: critical
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://qhppki.honeywell.com/crl/SharedQACA2.crl

        X509v3 Subject Key Identifier:
            D1:00:D3:CF:6C:4E:6C:55:CA:B8:48:4F:DC:49:75:89:AC:62:FC:CB
        X509v3 Key Usage: critical
            Digital Signature
Signature Algorithm: ecdsa-with-SHA256
     30:45:02:20:5e:8d:cb:76:88:98:1b:5f:90:55:6e:49:26:f0:
     55:c4:ac:48:59:ec:17:74:14:4a:26:c4:fc:ee:3e:71:8d:60:
     02:21:00:e5:97:ca:ba:8c:57:68:0d:66:58:c9:fa:35:19:e7:
     87:6c:24:cb:08:68:16:ca:b8:03:ef:8a:0b:ba:be:44:1a

Hi @sg0993
I have tried connecting to qa.iot1.homecloud.honeywell.com.cn and the server is sending a certificate signed by DigiCert.
This means you should set DigiCert as the trusted CA for the server.
As for setting the client certificate, you should call mbedtls_ssl_conf_own_cert() with your client certificate and your client private key.
It is safe to assume that your client is signed by a CA trusted by your server (Honeywell), and that your server will accept your certificate.
Please try setting the DigiCert certificate as the trusted root CA, and update with results.

As for setting several CA certificates, you can just concatenate all the PEM certificates into a single file.
Regards,
Mbed Support
Ron
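
The chain matching behind the answer above, as an added example that is not code from the thread or from Mbed TLS: a simplified C model that links certificates by issuer name and key identifier, using the values from the three dumps in the question. The `trusted` list stands for the CA list a client passes to mbedtls_ssl_conf_ca_chain(); the server and public CA entries are constructed placeholders, since their real values are not on the page.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of X.509 path building: a link matches when issuer DN ==
 * subject DN and AKI == SKI. Signatures and validity dates are not checked. */
struct cert { const char *subject, *issuer, *ski, *aki; int is_ca; };
#define ROOT_DN  "C=US, O=Honeywell International Inc., CN=Honeywell QA Product PKI"
#define MID_DN   "C=US, O=Honeywell International Inc., OU=ACS, CN=Shared QA CA"
#define ROOT_KID "BF:E6:A5:DC:D3:F4:5E:D8:7B:21:1E:B2:AE:41:A9:85:D0:AA:CF:DC"
#define MID_KID  "8A:0A:3B:1D:70:6A:49:09:37:6F:8D:00:C5:DF:21:A8:45:6F:AE:0D"
/* Names and key identifiers copied from the three dumps in the question. */
static const struct cert root = { ROOT_DN, ROOT_DN, ROOT_KID, ROOT_KID, 1 };
static const struct cert mid  = { MID_DN,  ROOT_DN, MID_KID,  ROOT_KID, 1 };
static const struct cert client = {
    "C=US, O=Honeywell International Inc., OU=HBT, CN=cube-c 001f55000829", MID_DN,
    "D1:00:D3:CF:6C:4E:6C:55:CA:B8:48:4F:DC:49:75:89:AC:62:FC:CB", MID_KID, 0 };
/* Constructed placeholders: the public CA's real name and key id are not on the page. */
static const struct cert public_root = { "CN=PUBLIC-CA", "CN=PUBLIC-CA", "KID-PUB", "KID-PUB", 1 };
static const struct cert server = { "CN=SERVER", "CN=PUBLIC-CA", "KID-SRV", "KID-PUB", 0 };

static const struct cert *find_issuer(const struct cert *c, const struct cert *const *set, int n)
{
    for (int i = 0; i < n; i++)
        if (set[i]->is_ca && strcmp(set[i]->subject, c->issuer) == 0 &&
            strcmp(set[i]->ski, c->aki) == 0)
            return set[i];
    return NULL;
}

/* Links from leaf to a trusted CA, or -1 when no path exists.
 * trusted: CA list given to the TLS stack; extra: untrusted certs sent by the peer. */
int path_len(const struct cert *leaf, const struct cert *const *trusted, int nt,
             const struct cert *const *extra, int ne)
{
    const struct cert *cur = leaf;
    for (int depth = 1; depth <= 8 && cur != NULL; depth++) {
        if (find_issuer(cur, trusted, nt) != NULL) return depth;
        cur = find_issuer(cur, extra, ne);   /* step up through an intermediate */
    }
    return -1;
}

int main(void)
{
    const struct cert *honeywell[] = { &root, &mid }, *pub[] = { &public_root };
    printf("client/honeywell=%d server/honeywell=%d server/public=%d\n",
           path_len(&client, honeywell, 2, NULL, 0),
           path_len(&server, honeywell, 2, NULL, 0), path_len(&server, pub, 1, NULL, 0));
    return 0;
}
```

The two Honeywell CAs complete a path for ClientCert.pem but not for a server certificate issued by a different CA, which is why the client's trusted list has to contain the CA that issued the server's certificate.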