
URGENT: X-CUBE-GCP The certificate is not correctly signed by the trusted CA issue

PDutt.2
Associate II

Hi. Before posting this question, I did enough testing and understand the concept of the certificate verification process. I have been stuck with this issue for the last week and couldn't understand the associated root cause.

Please help me resolve this issue. Requesting some ST core engineer to look into it.

Accepted Solutions
PDutt.2
Associate II

As per the official documentation, the sample application requires concatenation of 2 CA certificates. However, only one file location is mentioned, which is “Set the TLS root CA certificates: Copy-paste the content of Middlewares\Third_Party\GCP\samples\STM32Cube\globalsign_usertrust.pem. The device uses it to authenticate the remote hosts through TLS.”

  1. For the HTTPS server, which is used to retrieve the current time and date at boot time (the “Usertrust” certificate). This is located at the path mentioned above in the documentation.
  2. For GCP, in order to authenticate the Cloud server. Depending on the server, the globalsign_usertrust.pem may need to be updated based on the Google Cloud™ list of supported CAs from pki.google.com/roots.pem. For the sample program, it is located at: Middlewares/Third_Party/GCP/res/trusted_RootCA_certs/roots.pem

I found that checking the information and expiration date of these certificates is helpful. It is important to know the details of the certificates in case globalsign_usertrust needs to be changed:

$ openssl crl2pkcs7 -nocrl -certfile roots.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Google Trust Services LLC, CN = GTS LTSR
issuer=C = US, O = Google Trust Services LLC, CN = GTS LTSR
subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
issuer=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign

I copy-pasted the certificates one after the other and it worked.
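The concatenation step described in the answer above can be checked before the bundle is pasted into the device. This is an added example, not code from the post or from X-CUBE-GCP: it merges PEM bundles, drops a CA that appears in both files, and reports blocks whose base64 or DER length shows a truncated paste. The function names and the filler "certificates" are constructed for illustration.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)

def declared_der_length(der):
    """Total length announced by the outer DER SEQUENCE header, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])

def merge_bundles(bundles):
    """bundles: list of (name, pem_text). Returns (merged_pem, problems)."""
    seen, out, problems = set(), [], []
    for name, text in bundles:
        if text.count(BEGIN) != text.count(END):
            problems.append(f"{name}: unbalanced BEGIN/END markers")
        for idx, m in enumerate(BLOCK.finditer(text), 1):
            try:
                der = base64.b64decode("".join(m.group(1).split()), validate=True)
            except ValueError:
                problems.append(f"{name} #{idx}: invalid base64")
                continue
            if declared_der_length(der) != len(der):
                problems.append(f"{name} #{idx}: DER length mismatch")
                continue
            if der not in seen:            # drop a CA present in both files
                seen.add(der)
                out.append(to_pem(der))
    return "\n".join(out) + "\n", problems

# Constructed stand-ins for certificates (SEQUENCE header + filler), not real CAs.
def fake_der(tag):
    payload = tag.encode() * 20
    return b"\x30\x81" + bytes([len(payload)]) + payload

TIME_CA, CLOUD_CA = fake_der("time-ca"), fake_der("cloud-ca")
USERTRUST = to_pem(TIME_CA) + "\n"
ROOTS = to_pem(CLOUD_CA) + "\n" + to_pem(TIME_CA) + "\n"
```

With real files, read globalsign_usertrust.pem and roots.pem as text and pass them to `merge_bundles`; an empty `problems` list means every block decoded to a complete DER structure, which is a framing check and not a signature or expiry check.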
