Error: X509 - Signature Algorithm (OID) is Unsupported in mbed TLS 2.16.2 During Azure MQTT Connection

I’m currently using mbed TLS 2.16.2 on an STM32F407G microcontroller with a SIM7600G GSM module to connect to an Azure MQTT broker over a GSM network. During the certificate parsing, I’m encountering the following error:

"X509 - Signature algorithm (oid) is unsupported : OID - OID is not found"

• The STM32F407G is successfully initialized and connected to the GSM network via the SIM7600G.
• The device obtains an IP address and the connection to the Azure MQTT broker is established.
• However, when mbed TLS tries to parse the root certificate, it fails due to an unsupported or unrecognized signature algorithm in the certificate.

• I’ve ensured that mbed TLS has the correct configuration options enabled for RSA and SHA256 support in config.h (such as #define MBEDTLS_RSA_C, #define MBEDTLS_X509_RSASSA_PKCS1_V1_5, and #define MBEDTLS_SHA256_C).
• The broker’s certificate is from a trusted authority (DigiCert Global Root G2).
• I’ve checked if mbed TLS supports the signature algorithm used by the certificate but haven’t had any luck resolving the issue.
  
  

const char mbedtls_root_certificate[] = "-----BEGIN CERTIFICATE-----\r\n"
 "MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh\r\n"
 "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\r\n"
 "d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH\r\n"
 "MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT\r\n"
 "MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\r\n"
 "b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG\r\n"
 "9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI\r\n"
 "2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx\r\n"
 "1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ\r\n"
 "q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz\r\n"
 "tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ\r\n"
 "vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP\r\n"
 "BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV\r\n"
 "5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY\r\n"
 "1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4\r\n"
 "NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG\r\n"
 "Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91\r\n"
 "8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe\r\n"
 "pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl\r\n"
 "MrY=\r\n"
 "-----END CERTIFICATE-----\r\n";

// Define the length of the certificate
const size_t mbedtls_root_certificate_len = sizeof(mbedtls_root_certificate);



mbedtls_x509_crt cert;
 mbedtls_x509_crt_init(&cert);

 char error_buf[100];
 ret = mbedtls_x509_crt_parse(&cert, (const unsigned char *)mbedtls_root_certificate, mbedtls_root_certificate_len+1);
 if (ret != 0) {
 mbedtls_strerror(ret, error_buf, sizeof(error_buf));
 printf("Failed to parse root certificate: %s\n", error_buf);
 char oid_buf[32];
 mbedtls_oid_get_numeric_string(oid_buf, sizeof(oid_buf), &cert.sig_oid);
 printf("Signature Algorithm: %s\n", oid_buf);
 } else {
 printf("Root certificate parsed successfully.\n");
 }​

1. Is there a specific mbed TLS configuration option I might be missing to support this certificate’s signature algorithm?
2. Does the error point to a version issue with mbed TLS? If so, would updating to a newer version solve the problem?
3. Is there a way to debug or inspect the OID of the certificate’s signature algorithm to understand why it’s not recognized?

Any guidance or suggestions would be greatly appreciated!