
Which X.509 certificate to use for NodeMCU SSL connections?

Posted: Tue Oct 01, 2019 10:16 am
by GeoReb
Wow, SSL authentication is overwhelming!

I am using NodeMCU to connect to a Microsoft Azure IoT Hub securely using the MQTT protocol.

Microsoft offer the ability to authorise clients using self-signed X.509 certificates.

This is explained in detail here: https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started

I have followed the example that Microsoft Azure give, using OpenSSL to generate my self-signed X.509 certificates.

I tried the example Python script to test the connection as a client, using my new certs, and this works very well. So I know that the process has been a success, as it is tested and working and I am able to publish and subscribe to my IoT Hub.

In order to get the NodeMCU device connecting as a client to the IoT Hub, I need to load a certificate for authentication. NodeMCU provides the facility to load a single CA Certificate (in PEM format) into the operating system.

This is documented here: https://nodemcu.readthedocs.io/en/master/modules/tls/#tlscertverify

The question is, which certificate should I use?

The encouraging news is that NodeMCU recognises the certificates as X.509 certs but fails on the verification. So this leads me to believe that I have the incorrect cert loaded...

Certificate verification failed, e.g. CRL, CA or signature check failed.

I have tried a handful of combinations from the OpenSSL output, but none appear to result in a successful handshake. I am poking and hoping at this stage and could do with some input from someone who knows their stuff.

Re: Which X.509 certificate to use for NodeMCU SSL connectio

Posted: Tue Oct 01, 2019 10:31 am
by marcelstoer
Are you maybe mixing things up? tls.cert.verify() expects a server certificate to which the chain presented by the server during handshake is compared (see docs for the 'pemdata' parameter). To my knowledge NodeMCU doesn't support mutual TLS with client certificates.

Re: Which X.509 certificate to use for NodeMCU SSL connectio

Posted: Wed Oct 02, 2019 8:41 am
by GeoReb

Yes, I can see that from the docs, it allows a CA cert...
However, the Microsoft docs (https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-security-x509-get-started#authenticate-your-x509-device-with-the-x509-certificates) say that is exactly what I should be using...

To authenticate your X.509 device, you need to first sign the device with the CA certificate.

Re: Which X.509 certificate to use for NodeMCU SSL connectio

Posted: Sat Oct 05, 2019 4:45 pm
by torntrousers
Maybe the DigiCert Baltimore Root Certificate from here: https://docs.microsoft.com/en-us/azure/ ... figuration?
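
The server-verification use of tls.cert.verify() described in the thread, as an added example that is not part of any post: the PEM passed in is the root CA of the chain the server presents (not a device certificate), and a bare TLS connection then checks whether the handshake verifies. The PEM body and the hostname are placeholders, and port 8883 (MQTT over TLS) is an assumption.

```lua
-- Added example, not code from the thread.
-- Placeholders/assumptions: ROOT_CA_PEM contents, HUB_HOST, port 8883.

-- Trust anchor for the SERVER's certificate chain. This is the CA that
-- signed the certificate the server presents during the handshake, not
-- the device certificate or a self-signed CA generated with OpenSSL.
local ROOT_CA_PEM = [[
-----BEGIN CERTIFICATE-----
<paste the server's root CA certificate here (placeholder)>
-----END CERTIFICATE-----
]]

local HUB_HOST = "example-hub.azure-devices.net" -- placeholder hostname

-- tls.cert.verify(pemdata) stores the certificate and enables verification.
-- It can raise an error on invalid data, so call it through pcall.
local ok, err = pcall(tls.cert.verify, ROOT_CA_PEM)
if not ok then
  print("tls.cert.verify rejected the PEM data: " .. tostring(err))
  return
end

-- Open a plain TLS connection to see whether the server chain verifies
-- against the stored CA before layering MQTT on top.
local conn = tls.createConnection()

conn:on("connection", function(sck)
  print("handshake OK: server chain verified against the stored CA")
  sck:close()
end)

conn:on("disconnection", function(sck, code)
  -- A verification failure surfaces here instead of "connection".
  print("disconnected, code " .. tostring(code))
end)

conn:connect(8883, HUB_HOST)
```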