
URGENT: X-CUBE-GCP The certificate is not correctly signed by the trusted CA issue

PDutt.2
Associate II

Hi. Before posting this question, I did enough testing and understand the concept of the certificate verification process. I have been stuck with this issue for the last week and couldn't understand the associated root cause.

Please help me resolve this issue. Requesting some ST core engineer to look into it.


Accepted Solutions
PDutt.2
Associate II

As per the official documentation, the sample application requires concatenation of 2 CA certificates. However, only one file location is mentioned, which is “Set the TLS root CA certificates: Copy-paste the content of Middlewares\Third_Party\GCP\samples\STM32Cube\globalsign_usertrust.pem. The device uses it to authenticate the remote hosts through TLS.”

  1. For the HTTPS server, which is used to retrieve the current time and date at boot time (the “Usertrust” certificate). This is located at the path mentioned above in the documentation.
  2. For GCP, in order to authenticate the Cloud server. Depending on the server, the globalsign_usertrust.pem may need to be updated based on the Google Cloud™ list of supported CAs from pki.google.com/roots.pem. For the sample program, it is located at Middlewares/Third_Party/GCP/res/trusted_RootCA_certs/roots.pem

I found that checking the information and expiration date of these certificates is helpful. It is important to know the details of the certificates in case globalsign_usertrust needs to be changed:

$ openssl crl2pkcs7 -nocrl -certfile roots.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Google Trust Services LLC, CN = GTS LTSR
issuer=C = US, O = Google Trust Services LLC, CN = GTS LTSR
subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
issuer=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign

I copy-pasted the certificates one after the other and it worked.
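The concatenation step described in the accepted solution, as an added example that is not part of the original post or of ST's sample code: a Python sketch that merges two PEM bundles, splits blocks that were pasted without a separating newline, and rejects truncated blocks before the combined text is given to the device. The function names are hypothetical and the certificate bodies are constructed placeholders, not real CA certificates.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# Non-greedy match, so blocks pasted back to back without a newline still split.
PEM_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30) of the declared length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    return 0 < n <= len(der) - 2 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def split_bundle(text: str) -> list:
    """Return the DER bytes of each certificate block in a PEM bundle."""
    if text.count(BEGIN) != text.count(END):
        raise ValueError("unbalanced BEGIN/END markers (truncated paste?)")
    ders = []
    for i, m in enumerate(PEM_RE.finditer(text), 1):
        try:
            der = base64.b64decode("".join(m.group(1).split()), validate=True)
        except ValueError as exc:           # binascii.Error is a ValueError
            raise ValueError(f"block {i}: invalid base64") from exc
        if not der_length_ok(der):
            raise ValueError(f"block {i}: DER length mismatch (truncated?)")
        ders.append(der)
    return ders

def merge_bundles(*bundles: str) -> str:
    """Concatenate bundles into one normalized PEM string without duplicates."""
    seen, out = set(), []
    for bundle in bundles:
        for der in split_bundle(bundle):
            if der in seen:
                continue
            seen.add(der)
            b64 = base64.b64encode(der).decode()
            body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            out.append(f"{BEGIN}\n{body}\n{END}\n")
    return "".join(out)

# Constructed placeholders: tiny DER SEQUENCEs, not real CA certificates.
TIME_CA = f"{BEGIN}\nMAMCAQE=\n{END}"       # no trailing newline, as after a paste
CLOUD_CAS = f"{BEGIN}\nMAMCAQI=\n{END}\n{BEGIN}\nMAMCAQE=\n{END}\n"

if __name__ == "__main__":
    print(merge_bundles(TIME_CA, CLOUD_CAS), end="")
```

This checks only the PEM and outer DER framing; subject, issuer and expiry still need the openssl inspection shown in the post.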
