I'm trying to connect to Mosquitto Broker from an STM32 Azure RTOS environment using certificates that work from Paho MQTT clients

My program, linked with Paho SDK C library, works fine connecting to a UNIX-hosted Mosquitto MQTT Broker. The required SSL/TLS connection involved self-signed certificate generation. Those same client certificate sets work with "MQTT Explorer" and MQTT-spy. The 3 required certificates in each client-set are:

1. Server Certificate (CA),
2. Client Certificate, and
3. Client Key

they are generated using OpenSSL from the terminal and are all in PEM (text) x509 format and constitute the minimum certificate info. that must be built-in and handled by each client. The program I'm developing talks to my Mosquitto Broker configured with:

• listener 8883
• cafile ...path to.../ca.crt
• certfile ...path to.../broker.crt
• keyfile ...path.../broker.key
• require_certificate true
• use_identity_as_username true

Quite straight forward with Paho SDK. Clients connected - All working great!

I need to get this client program working on an STM32 board. I have ST.com MQTT example code running against mosquitto.org's test broker. I implemented a Mosquitto Broker on my LAN, to which all my Paho SDK programs connect, but the converted MQTT example code does not. (The Azure SDK is horribly complicated). I had my STM32 board client-program working with anonymous access over SSL/TLS with one certificate installed.

nx_secure_x509_certificate_initialize(trusted_certificate_ptr (UCHAR *)ca_crt_der, sizeof(ca_crt_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
 
(returns TX_SUCCESS here)
 
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
 
(returns TX_SUCCESS here too)

That only introduces one of the 3 required certificates, with the PEM/x509 format converted to a C header hex-code array using:

openssl base64 -d -in ../ca/ca.crt -out ca.crt.der
xxd -i ca.crt.der > ca.crt.der.h

I cannot figure out how to properly extend this certificate introduction code to include all three (required) certificates needed for SSL/TLS connections.

I have tried adding one more "initialize"/"add" block:

nx_secure_x509_certificate_initialize(trusted_certificate_ptr (UCHAR *)client_crt_der, sizeof(client_crt_der), NX_NULL, 0, (UCHAR *)client_key_der, sizeof(client_key_der), NX_SECURE_X509_KEY_TYPE_EC_DER);
 
(Returns fail (0x18a) here)
 
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);

here, the client_key_der was produced using:

openssl ec -inform pem -in client.key -outform der -out client.key.der
xxd -i client.key.der > client.key.der.h

I've also tried 3 separate "initialize"/"add" blocks without treating the client.key info as a different info-type i.e., the initial ca_crt_der (above) followed by these two "initialize"/"add" blocks:

nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)client_crt_der, (USHORT)sizeof(client_crt_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
 
(returns TX_SUCCESS here)
 
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);
 
(Returns fail (0x4d) here)
 
nx_secure_x509_certificate_initialize(trusted_certificate_ptr, (UCHAR*)client_key_der, (USHORT)sizeof(client_key_der), NX_NULL, 0, NULL, 0, NX_SECURE_X509_KEY_TYPE_NONE);
nx_secure_tls_trusted_certificate_add(TLS_session_ptr, trusted_certificate_ptr);

I have no idea where to go from here. The Microsoft documentation does not seem to indicate how I should integrate the additional certificates. Do I need to create more space? Am I OK reusing the TLS_session_ptr and trusted_certificate_ptr structures, i.e. does the nx_secure_tls_trusted_certificate_add() copy the passed structure data or should I allocate new structure space? What else do I need to try?

I'm fumbling around like I'm flying a helicopter in the fog

Any help would be appreciated.