
I am trying to get the X-CUBE-GCP sample application SDK working. I am not able to connect to the GCP cloud because of a repeated error: "The certificate is not correctly signed by the trusted CA".


I tried to check the certificate validity using the openssl command and I am getting a proper response as well:

$ openssl crl2pkcs7 -nocrl -certfile globalsign.pem | openssl pkcs7 -print_certs -noout

subject=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
issuer=OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

$ openssl x509 -enddate -noout -in globalsign.pem
notAfter=Dec 15 08:00:00 2021 GMT

Further, I am very closely following the full SDK documentation and am sure that all steps mentioned in the release document are being followed. Please help me resolve the issue.


1 Answer

As per the official documentation, the sample application requires concatenation of 2 CA certificates. However, only one file location is mentioned, which is “Set the TLS root CA certificates: Copy-paste the content of Middlewares\Third_Party\GCP\samples\STM32Cube\globalsign_usertrust.pem. The device uses it to authenticate the remote hosts through TLS.”

For the HTTPS server, which is used to retrieve the current time and date at boot time (the “Usertrust” certificate): this is located at the path mentioned above in the documentation.

For GCP, in order to authenticate the Cloud server: depending on the server, the globalsign_usertrust.pem may need to be updated based on the Google Cloud™ list of supported CAs from pki.google.com/roots.pem. For the sample program, it is located at Middlewares/Third_Party/GCP/res/trusted_RootCA_certs/roots.pem

I found that checking the information and expiration date of these certificates is helpful. It is important to know the details of the certificates in case globalsign_usertrust needs to be changed:

$ openssl crl2pkcs7 -nocrl -certfile roots.pem | openssl pkcs7 -print_certs -noout

subject=C = US, O = Google Trust Services LLC, CN = GTS LTSR

issuer=C = US, O = Google Trust Services LLC, CN = GTS LTSR

subject=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign

issuer=OU = GlobalSign ECC Root CA - R4, O = GlobalSign, CN = GlobalSign

I copy-pasted the certificates one after the other and it worked.

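The concatenate-and-inspect step described in the answer above, as an added example that is not part of the original post or of the X-CUBE-GCP SDK: it builds one bundle from several PEM files and reports each certificate's subject and expiry using the openssl CLI. The function names, the 30-day warning window and the file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not SDK code). Requires the openssl CLI.

# build_bundle OUT IN...: concatenate PEM files into OUT. CRs are stripped and
# only certificate blocks are kept; awk ends every line with a newline, so an
# input without a trailing newline cannot fuse END with the next BEGIN line.
build_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        tr -d '\r' < "$f" | awk '
            /-----BEGIN CERTIFICATE-----/ { p = 1 }
            p { print }
            /-----END CERTIFICATE-----/ { p = 0 }' >> "$out"
    done
}

# bundle_report BUNDLE [WINDOW_SECONDS]: print one tab-separated line per
# certificate: index, OK or EXPIRING, notAfter, subject. EXPIRING means the
# certificate is expired or expires within WINDOW_SECONDS (assumed default:
# 30 days).
bundle_report() {
    bundle=$1; window=${2:-2592000}
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { if (f) close(f); n++; f = d "/cert" n ".pem" }
        f { print > f }' "$bundle"
    i=1
    while [ -f "$tmp/cert$i.pem" ]; do
        c="$tmp/cert$i.pem"
        end=$(openssl x509 -noout -enddate -in "$c" | cut -d= -f2)
        subj=$(openssl x509 -noout -subject -in "$c" | sed 's/^subject= *//')
        if openssl x509 -noout -checkend "$window" -in "$c" >/dev/null; then
            st=OK
        else
            st=EXPIRING
        fi
        printf '%s\t%s\t%s\t%s\n' "$i" "$st" "$end" "$subj"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Usage (hypothetical file names): sh bundle.sh out.pem usertrust.pem gcp_root.pem
if [ "$#" -ge 2 ]; then
    build_bundle "$@" && bundle_report "$1"
fi
```

A line marked EXPIRING points at the certificate to replace before pasting the bundle into the device.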