at^sjmsec command on ELS61-E throwing error "wrong command format" | Telit Cinterion IoT Developer Community
June 14, 2021 - 3:36pm, 4395 views
Hi,
I'm testing communication to AWS IoT by adding server certificate and client certificate and private key.
As this is a new PCBA HW with a new chip (ELS61-E), I don't have access to the modem chip via any demo board; everything has to be done via an MCU in between, which in turn communicates with the modem via UART.
I have been following the instructions here: https://iot-developer.thalesgroup.com/showcase/concept-board-connection-...
I managed to transfer the "AddHttpsCertificateUntrusted.bin" file over to the modem using AT^SJDL, and I know the content is correct because 1) the CRC returned from SJDL is correct and 2) I have read back the file content using AT^SFSA.
Now, when I try to install server certificate using the following command:
AT^SJMSEC="file","AddHttpsCertificateUntrusted.bin"
I always got the following response:
appl> URC: at^SJMSEC="file",AddHttpsCertificateUntrusted.bin
URC: ^SJMSEC: 1,"wrong command format"
URC: +CME ERROR: invalid index
It looks like the server certificate is invalid, however, I don't have further information to see why. The server certificate is downloaded from https://www.amazontrust.com/repository/AmazonRootCA1.pem, and I uploaded the bin file here: https://www.mediafire.com/file/rno1mskdgs6nvcs/AddHttpsCertificateUntrus...
Any pointer to where the error might be is appreciated. Thanks!
Information
sending to modem : ATI1
received response: Cinterion
received response: ELS61-E R2
received response: REVISION 02.000
received response: A-REVISION 01.000.02
Hello,
It looks like the bin file format is incorrect. Could you share how you created this file?
Regards,
Bartłomiej
Hello Bartłomiej,
That's interesting. Here are my steps:
1) Convert server certificate to binary format
I assume this file is correct because I can open it in Windows cert program. This is the output file: https://www.mediafire.com/file/vt4mktmzrh0v36w/rootCA-RSA2048.der/file
2) Generate bin file
I actually use 2 ways to generate bin file (to verify that I got the right content)
2.1) jseccmd.jar
After that, server.bin and AddHttpsCertificateUntrusted.bin are compared and the content is exactly the same.
If possible, can you upload your bin cert and actual AddHttpsCertificateUntrusted.bin file you generated on your computer? Thanks!
Hello,
I tried the openssl conversion and got the same der file as you got. Next I converted to bin with the same command:
java -jar jseccmd.jar -cmd AddHttpsCertificateUntrusted -filename ./rootCA-RSA2048.der > rootCA-RSA2048.bin
and got a different file:
https://files.c-wm.net/index.php/s/KGNKmdLFHrkyntg
PW: rootCA-RSA2048.bin
It installs without errors. Please check if it works for your connection - I didn't test.
The contents of your bin file look quite odd. Are you sure that you have converted the proper file? What environment did you use? Did you install the Thales installation CD package?
Regards,
Bartłomiej
Hello again,
Thanks a lot for looking into this. I got file jseccmd.jar from https://iot-developer.thalesgroup.com/showcase/server-certificates-manager (included in zip file). sjmsec_add_server_untrusted.exe is from the link above.
I'm sure it's the right input der file as you can see the content inside even said "rootCA-RSA2048.der", just like the one you converted.
Looking into the contents, the file I converted creates 2 bytes for every character, while yours is only 1 byte. For example, Amazon is 41 6d 61 7a 6f 6e, while mine was generated as 00 41 00 6d 00 61 00 7a 00 6f. Maybe this is because I'm running Windows 10 64 bit?
PS. I did not have access to Thales installation CD package.
Best regards,
James
And I can confirm that the file you generated ( rootCA-RSA2048.bin ) does work on the modem. AT^SJMSEC returns OK.
Update: So the problem is that I was running PowerShell in Win 10, which is a 64-bit program, and that causes an invalid file to be generated. Using cmd.exe (a 32-bit program) returns the same output as yours.
Another question: I have not seen instructions anywhere for converting the AWS device's private key and certificate; it is just mentioned that they should be in binary. The ones I got are .pem and not binary format. Can you confirm whether I should convert them or not? I tried both with and without conversion and the modem just hangs when doing AT^SJMSEC="file","AddHttpsClientCertificateUntrusted.bin"; no more commands can be sent to the modem.
That's interesting with PowerShell, I've never used it for that purpose. Yes, the cert and key should be in binary format. So you need to convert these files with openssl.
As for the Java SDK you can find it here: https://iot-developer.thalesgroup.com/documentation/download-documentati...
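A pre-upload check for the failure found in this thread, as an added example that is not part of the original posts or of the Thales tooling: it flags a file showing the two-bytes-per-character pattern James describes and tells PEM text apart from DER input. The function names, the 0.8 threshold and the sample bytes are assumptions constructed for illustration.

```python
# Added example: classify certificate files before uploading them to a module.
PEM_MARKER = b"-----BEGIN"
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")
ZERO_LANE_THRESHOLD = 0.8  # assumed cut-off, not a vendor value


def zero_ratio(data: bytes, parity: int) -> float:
    """Fraction of 0x00 bytes at even (parity 0) or odd (parity 1) offsets."""
    lane = data[parity::2]
    return lane.count(0) / len(lane) if lane else 0.0


def classify(data: bytes) -> str:
    """Return 'utf16-inflated', 'pem', 'der' or 'unknown'."""
    body = data[2:] if data[:2] in UTF16_BOMS else data
    # Bytes re-encoded as UTF-16 text carry 0x00 in every other position.
    lanes = max(zero_ratio(body, 0), zero_ratio(body, 1))
    if len(body) >= 8 and lanes > ZERO_LANE_THRESHOLD:
        return "utf16-inflated"
    if data.lstrip().startswith(PEM_MARKER):
        return "pem"
    # DER certificates and RSA keys open with an ASN.1 SEQUENCE tag (0x30).
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def inflate(data: bytes) -> bytes:
    """Simulate the damage: each byte becomes one UTF-16LE code unit after a BOM."""
    return b"\xff\xfe" + data.decode("latin-1").encode("utf-16-le")


# Constructed samples (not real certificate material).
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"Amazon Root CA 1 (constructed)"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nTUlJ\n-----END CERTIFICATE-----\n"
# Byte runs quoted in the thread for the string "Amazon".
THREAD_GOOD = bytes.fromhex("41 6d 61 7a 6f 6e")
THREAD_BAD = bytes.fromhex("00 41 00 6d 00 61 00 7a 00 6f")

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("der via text redirect", inflate(SAMPLE_DER)),
                       ("pem", SAMPLE_PEM), ("thread bad bytes", THREAD_BAD)]:
        print(f"{name:22} -> {classify(blob)}")
```

A jseccmd output file is expected to come back as 'unknown' here, since its container format is not parsed; the result to act on is 'utf16-inflated' for any file, or 'pem' for a file that should have been converted to DER.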
Hi again,
I followed the instructions here https://iot-developer.thalesgroup.com/tutorial/internet-services-ssltls and can see that the client private key and certificate that were used to generate AddHttpsClientCertificateUntrusted.bin are actually not in binary format. If you open the zip file (https_demo_devzone.zip in the link above), go to https_demo\Certs\certs.h, the command is:
Here are all the certs generated if you run the script itself (self-signed, no secret there) https://www.mediafire.com/file/u3r2rnxko3ej3nn/self-signed.zip/file
Can you verify the AddHttpsClientCertificateUntrusted.bin in the above zip file is usable, i.e. can be loaded to the module? Alternatively, can you upload a version of AddHttpsClientCertificateUntrusted.bin that will be accepted by ELS61-E? I have a hard time going beyond this step as the modem just hangs whenever I call
PS. I have no problem when calling AT^SJMSEC="file","AddHttpsCertificateUntrusted.bin", so the server certificate must be working.
Thank you.
Hello,
As stated in the Java User's Guide the files need to be in binary format. So you should convert them with openssl and then create the bin file. Please see the example:
openssl x509 -inform pem -in clientEP.crt -outform der -out clientEP.der
openssl rsa -inform pem -in clientEP.key -outform der -out clientEPkey.der
java -jar jseccmd.jar -cmd AddHttpsClientCertificateUntrusted -filename ./clientEP.der -keyfilename ./clientEPkey.der > clientEP.bin
After that it will install without any problems.
Best regards,
Bartłomiej
Hello,
Unfortunately it's still not working on my modem. The modem no longer responds to any AT command after issuing the AT^SJMSEC command.
Here is the link to the clientEP.bin file generated on my PC using your instructions above. Can you compare it with yours to see if they are different? I have carefully used cmd.exe this time to avoid the problem with PowerShell.
https://www.mediafire.com/file/anfndpexg0lhhd5/clientEP-all-bin.bin/file
Otherwise, please attach the clientEP.bin file that you generated. Maybe it's the modem that has an issue and not the client certificates.
Best regards,
James
Hello,
The files are identical.
Does it happen on the installation of this file or earlier? What happens when you reboot? Are there any URCs? Isn't it possible to even send 'AT'?
Regards,
Bartłomiej