
Feb 5, 2025 - 09:44
Use x509 certificates for MQTT communication in ESP IDF [closed]

I have an application where I need to connect to a third party cloud via MQTT. For this, the third party has given a process for certificate generation as follows (The process is to be done on Linux):

  1. Generate a CSR (Certificate Signing Request) with a SubjectAltName (SAN) extension. Prepare a 'req.cnf' file for this. The format of this file is as follows:
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
URI.1=
  2. Run the following command. This will generate a placeholder.csr and a private.key:

openssl req -out placeholder.csr -newkey rsa:2048 -nodes -keyout private.key -config req.cnf

  3. The third party gives a 'ca.crt' file, which is the public key certificate. Run the command below with this and the above CSR file. This process is to get the certificate signed by the third party:

curl -o placeholder.crt -F csrFile=@placeholder.csr --cacert $CERT_HOME/ca.crt https://CADomainName/getCert

I took these files and hardcoded them as strings in the ESP-IDF code as follows:

#include <stdint.h>
#include "mqtt_client.h"

/* PEM strings defined elsewhere in the project (assumed here to be byte arrays) */
extern const uint8_t ca_cert[];
extern const uint8_t signed_crt[];
extern const uint8_t client_key_pem[];

void mqtt_app_start(void) {
    const esp_mqtt_client_config_t mqtt_cfg = {
        .broker = {
            .address.uri = "mqtts://sample.domain.name",
            .verification.certificate = (const char *)ca_cert       /* CA used to verify the broker */
        },
        .credentials = {
            .authentication.certificate = (const char *)signed_crt, /* client cert returned by the CA */
            .authentication.key = (const char *)client_key_pem      /* matching private key */
        },
    };

    esp_mqtt_client_handle_t client = esp_mqtt_client_init(&mqtt_cfg);
    esp_mqtt_client_start(client);
}

The 'ca_cert' is the public key. 'signed_crt' is the placeholder.crt generated after signing. 'client_key_pem' is the private key. The placeholder.crt and private key had metadata which I removed and only kept the

-----BEGIN CERTIFICATE----
.
.
.
.
-----END CERTIFICATE------

I am getting this error when I run the code:

E (3632) mqtt_client: esp_mqtt_handle_transport_read_error: transport_read(): EOF
E (3632) mqtt_client: esp_mqtt_handle_transport_read_error: transport_read() error: errno=119
I (3642) mqtt: MQTT_EVENT_ERROR
I (3642) mqtt: Last error code reported from esp-tls: 0x8008
I (3652) mqtt: Last tls stack error number: 0x0
I (3652) mqtt: Last captured errno : 0 (Success)
E (3662) mqtt_client: esp_mqtt_connect: mqtt_message_receive() returned -2
E (3672) mqtt_client: MQTT connect failed
I (3672) mqtt: MQTT_EVENT_DISCONNECTED

What can be the error in this?
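Before blaming the broker, it is worth checking that the three PEM strings are structurally what esp-tls expects; the checker below is an added example, not code from the question or from ESP-IDF. The slot names `ca_cert`, `client_cert` and `client_key` are labels chosen here for the three config fields, and the sample base64 used in testing is a constructed DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

# Added example, not code from the question. Validates a PEM blob the way esp-tls /
# mbedTLS will see it once embedded as a C string: five-dash BEGIN/END markers on their
# own lines, the right block type for the config slot, and base64 that decodes to one
# DER SEQUENCE. A blob failing here makes the client handshake die with no TLS stack error.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<begin>[A-Z ]+)-----\r?\n(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"-----END (?P<end>[A-Z ]+)-----"
)
EXPECTED = {  # esp_mqtt_client_config_t slot (label chosen here) -> PEM types that belong in it
    "ca_cert": {"CERTIFICATE"},
    "client_cert": {"CERTIFICATE"},
    "client_key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

def der_is_one_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose encoded length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length byte
        header, length = 2, der[1]
    else:                                  # long form: low 7 bits = number of length bytes
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_pem(slot: str, text: str) -> list:
    """Return the problems found in the PEM meant for `slot`; an empty list means it looks usable."""
    m = PEM_BLOCK.search(text)
    if not m:
        return ["no well-formed BEGIN/END block: need exactly five dashes and a newline after each marker"]
    problems = []
    if m["begin"] != m["end"]:
        problems.append(f"BEGIN says {m['begin']!r} but END says {m['end']!r}")
    if m["begin"] not in EXPECTED[slot]:
        problems.append(f"{slot} holds a {m['begin']} block, expected one of {sorted(EXPECTED[slot])}")
    try:
        der = base64.b64decode(re.sub(r"\s", "", m["body"]), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["base64 body is corrupt (a line was dropped or edited)"]
    if not der_is_one_sequence(der):
        problems.append("decoded bytes are not one complete DER SEQUENCE (truncated or garbled)")
    return problems
```

ESP-IDF's config documentation requires a PEM string to be NUL-terminated when its `*_len` field is left at 0; a C string literal provides that, a buffer copied from flash without the terminator does not.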