Visitor II
January 18, 2021
Solved

URGENT: X-CUBE-GCP The certificate is not correctly signed by the trusted CA issue


Hi. Before posting this question, I did enough testing and understand the concept of the certificate verification process. I have been stuck on this issue for the last week and couldn't understand the associated root cause.

Please help me resolve this issue. Requesting some ST core engineer to look into it.

    Best answer by PDutt.2

    PDutt.2 (Author, Answer)
    Visitor II
    January 21, 2021

    As per the official documentation, the sample application requires concatenation of 2 CA certificates. However, only one file location is mentioned, which is “Set the TLS root CA certificates: Copy-paste the content of Middlewares\Third_Party\GCP\samples\STM32Cube\globalsign_usertrust.pem. The device uses it to authenticate the remote hosts through TLS.”

    1. For the HTTPS server, which is used to retrieve the current time and date at boot time (the “Usertrust” certificate). This is located at the location mentioned above in the documentation.
    2. For GCP, in order to authenticate the Cloud server. Depending on the server, the globalsign_usertrust.pem may need to be updated based on the Google Cloud™ list of supported CAs from pki.google.com/roots.pem. For the sample program, it is located at Middlewares/Third_Party/GCP/res/trusted_RootCA_certs/roots.pem

    I found that checking the information and expiration date of these certificates is helpful. It is important to know the details of the certificates in case globalsign_usertrust needs to be changed:

    $ openssl crl2pkcs7 -nocrl -certfile roots.pem | openssl pkcs7 -print_certs -noout
    subject=C = US, O = Google Trust Services LLC, CN = GTS LTSR
    issuer=C = US, O = Google Trust Services LLC, CN = GTS LTSR
    subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign
    issuer=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign

    I copy-pasted the certificates one after the other and it worked.
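
A pre-flight check for the concatenation step described in the answer above, as an added example (not code from the original post or from the X-CUBE-GCP package): it merges two PEM bundles, rejects truncated or malformed blocks before they are pasted to the device, drops duplicate roots, and returns SHA-256 fingerprints that can be compared against the values the CA publishes. The function names are hypothetical, and the sample blocks are constructed placeholders standing in for globalsign_usertrust.pem and roots.pem, not real certificates.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


def parse_bundle(text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    blocks = PEM_BLOCK.findall(text)
    if not (text.count(BEGIN) == text.count(END) == len(blocks)):
        raise ValueError("unbalanced BEGIN/END markers (truncated paste?)")
    ders = []
    for body in blocks:
        # validate=True rejects stray characters instead of silently skipping them
        der = base64.b64decode("".join(body.split()), validate=True)
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("block does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def to_pem(der):
    """Re-encode DER as a PEM block with 64-character lines and LF endings."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def merge_bundles(*bundles):
    """Concatenate bundles in order, dropping duplicates by SHA-256 of the DER."""
    fingerprints, blocks = [], []
    for text in bundles:
        for der in parse_bundle(text):
            fp = hashlib.sha256(der).hexdigest()
            if fp not in fingerprints:
                fingerprints.append(fp)
                blocks.append(to_pem(der))
    return "".join(blocks), fingerprints


# Constructed placeholders, NOT real certificates: a SEQUENCE tag plus filler.
FAKE_A = to_pem(b"\x30\x82" + b"A" * 100)
FAKE_B = to_pem(b"\x30\x82" + b"B" * 100)

if __name__ == "__main__":
    time_roots = FAKE_A                                # stands in for globalsign_usertrust.pem
    gcp_roots = FAKE_B + FAKE_A.replace("\n", "\r\n")  # stands in for roots.pem (CRLF, duplicate)
    bundle, fps = merge_bundles(time_roots, gcp_roots)
    print(bundle, end="")
    print("\n".join(fps))
```

With real files, pass the text of both PEM files to `merge_bundles` and paste the returned bundle; the DER structure check here is only a sanity test and does not replace inspecting subject and validity with `openssl`.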