2023-07-27 02:59 PM
Hi, I'm having issues getting self-signed certificates to work with NetXDuo Secure.
I started with the MQTT Secure Example, which uses a mosquitto.org certificate, and that works fine. However, if I try to replace the mosquitto certificate with my own generated using OpenSSL, it's not accepted and nx_secure_x509_certificate_initialize returns invalid. Digging further into the source code, the actual error is in _nx_secure_x509_extract_oid_data, which returns NX_SECURE_X509_FOUND_NON_ZERO_PADDING when extracting the RSA Bitstream.
Comparing my own certificates with the mosquitto.org one doesn't give any obvious clues and I don't know enough about the structure of binary DER encoded certificates to delve any deeper at the moment.
Does anyone have a 'known good' set of OpenSSL commands which generates a certificate which will parse successfully in NetXDuo please?
2023-08-14 06:28 AM
Hi @Chris_GHSquared ,
Could you try the command:
$> openssl rsautl -encrypt -raw ...
According to the openssl documentation the '-raw' option allows generation of the certificates without padding.
regards
2023-08-15 04:13 AM
Hi,
Thank you for your reply. I have been looking through all the openssl documentation and had found some references to padding, but none of them seem to be applicable to the commands I'm using to generate a certificate. The process I'm using is:
# Generate key (-traditional forces PKCS#1, no encryption, I have also tried with -des3 and without the -traditional with same results)
openssl genrsa -traditional -out mqtt.key 2048
# Create CSR
openssl req -key mqtt.key -new -out mqtt.csr
# Create self-signed certificate
openssl x509 -signkey mqtt.key -in mqtt.csr -req -days 365 -out mqtt.crt
# Output in DER format
openssl x509 -in mqtt.crt -outform der -out mqtt.der
It is of course possible that I'm creating entirely the wrong type of certificate for the application.
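To see which field a strict parser could be objecting to, the following added example (not part of the thread, and not NetX Duo or OpenSSL code) walks a DER file and reports the leading unused-bits octet of every BIT STRING. It assumes the NX_SECURE_X509_FOUND_NON_ZERO_PADDING error refers to that octet, which the thread does not confirm; the sample bytes are constructed and are not a real certificate.

```python
# Added diagnostic sketch: not NetX Duo or OpenSSL code.
import sys

def read_tlv(buf, pos):
    """Parse one DER TLV header at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags are not handled in this sketch")
    pos += 2
    if first < 0x80:                       # short form: length fits in one octet
        length = first
    else:                                  # long form: next n octets hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length field")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, pos, pos + length

def bit_strings(buf, pos=0, end=None):
    """Return [(offset, unused_bits, payload_len)] for every BIT STRING found."""
    end = len(buf) if end is None else end
    found = []
    while pos < end:
        tag, start, stop = read_tlv(buf, pos)
        if tag == 0x03:                    # BIT STRING: first content octet counts unused bits
            if start == stop:
                raise ValueError("BIT STRING without unused-bits octet")
            found.append((pos, buf[start], stop - start - 1))
        elif tag & 0x20:                   # constructed type (SEQUENCE, SET, [n]): descend
            found += bit_strings(buf, start, stop)
        pos = stop
    return found

def tlv(tag, content):
    """Build a short-form TLV for the constructed samples below."""
    return bytes([tag, len(content)]) + content

# Constructed samples (not real keys): AlgorithmIdentifier for rsaEncryption + BIT STRING
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
GOOD = tlv(0x30, ALG + tlv(0x03, b"\x00" + b"\xaa" * 8))
ODD = tlv(0x30, ALG + tlv(0x03, b"\x03" + b"\xaa" * 7 + b"\xa8"))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else ODD
    for offset, unused, size in bit_strings(data):
        print(f"BIT STRING at {offset}: unused bits = {unused}, payload = {size} bytes")
```

Run it with the path to mqtt.der as the only argument and compare the output with the same run over the certificate that parses successfully.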