BG96 connection to AWS IoT MQTT with self-generated certificates

Hello,
I am using the BG96 module to connect to AWS IoT MQTT using the MQTT AT commands. I have been able to successfully generate certificates with AWS, download them to the module and connect.

However, I want to generate our certificates off-line (instead of using AWS for that purpose) and register them in parallel on 3 different accounts (dev, preprod, prod) to enable freely switching the device between different environments. Following "AWS IoT Core now supports Multi-Account Registration certificates on IoT Credential Provider endpoint", I managed to connect to AWS MQTT via a custom Python script. The problem occurs when I try to do the same with the BG96 (using the same certificates).

The AT commands we are invoking are:

AT+QICSGP=1,1,"internet","",""
OK

AT+QSSLCFG="cacert",0,"cacert.pem"
OK

AT+QSSLCFG="clientcert",0,"client.pem"
OK

AT+QSSLCFG="clientkey",0,"user_key.pem"
OK

AT+QSSLCFG="sslversion",0,4
OK

AT+QSSLCFG="seclevel",0,2
OK

AT+QMTCFG="ssl",0,1,0
OK

AT+QMTCFG="version",0,4
OK

AT+QMTCFG="keepalive",0,30
OK

AT+QMTOPEN=0,"xxxxxx-ats.iot.eu-central-1.amazonaws.com",8883
OK
+QMTOPEN: 0,0

AT+QMTCONN=0,"tenesys"
OK
+QMTSTAT: 0,1

The same set of certificates enables us to connect from a PC using a Python script, but the connection on the BG96 fails…
The above AT commands allow us to connect to the same AWS endpoint using AWS-generated certificates, but not using self-generated certificates.

I am attaching our complete solution, including the certificate generation process, creation of the AWS resources with the AWS CLI and the testing Python script, available here. Some variables must be replaced according to the AWS account used.

Any ideas why the same set of credentials allows me to connect to AWS from a PC, but not from the BG96?
Kind regards,
Bartosz
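The post's AT sequence is a mix of synchronous commands (the answer is the OK) and asynchronous ones (QMTOPEN and QMTCONN answer OK immediately and report the real outcome later as a URC). The transcript above shows exactly the trap this creates: AT+QMTCONN returns OK, and the failure only shows up as the following +QMTSTAT line. The script below is an added example, not code from the post or from Quectel: it drives the same command list against a constructed fake transport that replays the responses quoted in the thread, and treats a different URC than the one expected (here +QMTSTAT instead of +QMTCONN) as a failed connect. The command strings are the ones in the post; the success URC shapes assumed are "+QMTOPEN: <idx>,0" and "+QMTCONN: <idx>,0,0". In real use, hand `connect_aws()` a pyserial port instead of the fake; it only needs `write()` and `readline()`.

```python
"""Replay the AT exchange from the post and decide whether the MQTT
connection actually came up.  Added example; the transport is a fake."""
import collections

# Redacted endpoint and client id exactly as they appear in the post.
ENDPOINT = "xxxxxx-ats.iot.eu-central-1.amazonaws.com"
CLIENT_ID = "tenesys"
FINAL_RESULTS = ("OK", "ERROR")

# (command, name of the URC that carries the real result, or None)
STEPS = [
    ('AT+QICSGP=1,1,"internet","",""', None),
    ('AT+QSSLCFG="cacert",0,"cacert.pem"', None),
    ('AT+QSSLCFG="clientcert",0,"client.pem"', None),
    ('AT+QSSLCFG="clientkey",0,"user_key.pem"', None),
    ('AT+QSSLCFG="sslversion",0,4', None),
    ('AT+QSSLCFG="seclevel",0,2', None),
    ('AT+QMTCFG="ssl",0,1,0', None),
    ('AT+QMTCFG="version",0,4', None),
    ('AT+QMTCFG="keepalive",0,30', None),
    (f'AT+QMTOPEN=0,"{ENDPOINT}",8883', "+QMTOPEN"),
    (f'AT+QMTCONN=0,"{CLIENT_ID}"', "+QMTCONN"),
]


class ReplayTransport:
    """Constructed fake modem: write() queues the scripted reply lines for
    the command, readline() returns them one at a time, CRLF-terminated."""

    def __init__(self, script):
        self.script = dict(script)
        self.outbox = collections.deque()

    def write(self, data):
        cmd = data.decode().strip()
        self.outbox.extend(self.script.get(cmd, ["ERROR"]))

    def readline(self):
        if not self.outbox:
            return b""  # what a real port returns on read timeout
        return (self.outbox.popleft() + "\r\n").encode()


def send(transport, cmd):
    """Send one command; collect lines up to the final result code.
    Returns (lines, final), final being "OK", "ERROR", "+CME ERROR ..."
    or None on timeout."""
    transport.write((cmd + "\r").encode())
    lines = []
    while True:
        raw = transport.readline()
        if not raw:
            return lines, None
        line = raw.decode(errors="replace").strip()
        if not line or line == cmd:  # blank line or command echo
            continue
        lines.append(line)
        if line in FINAL_RESULTS or line.startswith("+CME ERROR"):
            return lines, line


def wait_urc(transport):
    """Return the first URC line ('+NAME: a,b') seen, whatever its name."""
    while True:
        raw = transport.readline()
        if not raw:
            return None
        line = raw.decode(errors="replace").strip()
        if line.startswith("+"):
            return line


def parse_urc(line):
    """'+QMTSTAT: 0,1' -> ('+QMTSTAT', [0, 1])"""
    name, _, rest = line.partition(":")
    return name.strip(), [int(x) for x in rest.split(",") if x.strip()]


def connect_aws(transport, steps=STEPS):
    """Run the sequence; stop at the first step whose OK is not followed by
    the expected URC with result 0.  OK alone never counts as connected."""
    for cmd, expected_urc in steps:
        lines, final = send(transport, cmd)
        if final != "OK":
            return {"ok": False, "failed_at": cmd, "reason": f"final result {final!r}"}
        if expected_urc is None:
            continue
        urc = wait_urc(transport)
        if urc is None:
            return {"ok": False, "failed_at": cmd, "reason": "no URC before timeout"}
        name, args = parse_urc(urc)
        if name != expected_urc:
            # a link-state URC (+QMTSTAT) instead of the connect result
            return {"ok": False, "failed_at": cmd, "reason": f"unexpected URC {urc!r}"}
        if len(args) < 2 or args[1] != 0:
            return {"ok": False, "failed_at": cmd, "reason": f"{name} result {args[1:]}"}
    return {"ok": True, "failed_at": None, "reason": None}


# Constructed transcript: the responses quoted in the post, per command.
THREAD_TRANSCRIPT = {cmd: ["OK"] for cmd, _ in STEPS}
THREAD_TRANSCRIPT[STEPS[-2][0]].append("+QMTOPEN: 0,0")
THREAD_TRANSCRIPT[STEPS[-1][0]].append("+QMTSTAT: 0,1")

# Same transcript with the CONNACK result the poster was hoping for.
HAPPY_TRANSCRIPT = {k: list(v) for k, v in THREAD_TRANSCRIPT.items()}
HAPPY_TRANSCRIPT[STEPS[-1][0]] = ["OK", "+QMTCONN: 0,0,0"]

if __name__ == "__main__":
    print(connect_aws(ReplayTransport(THREAD_TRANSCRIPT)))
    print(connect_aws(ReplayTransport(HAPPY_TRANSCRIPT)))
```

Run against the thread's transcript the result is a failure at AT+QMTCONN with the +QMTSTAT line as the reason, which is the behaviour the post describes; the same code against a transcript ending in "+QMTCONN: 0,0,0" reports success. Keeping the "wait for the URC, then check its name and result field" logic separate from the command list is what stops a script from logging "connected" on the bare OK.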

cacert.pem is wrong

You are right, I uploaded a wrong file to the OneDrive. I have now updated the CA cert to the correct AmazonRootCA1.pem. With the correct Amazon CA cert, I am still not able to connect. The test in my original post was performed using the correct Amazon Root CA1.
Sorry for the confusion.

Any ideas why it wouldn’t connect now?

This AmazonRootCA1.pem is "wrong" (in quotes) :)
Email me or ask Quectel support.

Well, it turned out that changing the CA cert does not fix the problem. The same set of certificates that works in a Python script does not work with the BG96…

I have followed this tutorial, I have verified that I am registered on a network, and I have verified that I do have an internet connection (I connected to httpbin.org), but the connection attempt to AWS still returns +QMTSTAT: 0,1

Are there any limitations on certificates? Are there any requirements that a device certificate must meet to be compatible with the BG96?
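Before asking what a modem's TLS stack requires of a device certificate, it pays to establish what the certificate actually is. The script below is an added example, not code from the post or from Quectel, and it does not claim to know what the BG96 objected to in this thread. It runs the checks a practitioner makes on an offline-generated cert, key and CA before blaming the module: the private key matches the certificate, the certificate chains to the CA that was registered with AWS, and the key type, key size and signature algorithm are read back from the certificate so they can be compared against whatever the module documents as supported. It assumes the `openssl` command-line tool is on PATH; `make_test_pki()` builds a throwaway CA and device certificate as constructed sample data.

```python
"""Pre-flight checks for an offline-generated device certificate.
Added example; assumes the `openssl` CLI is installed."""
import os
import re
import subprocess
import tempfile


def _openssl(*args):
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def _write(directory, name, data):
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(data)
    return path


def _read(path):
    with open(path) as f:
        return f.read()


def inspect_device_cert(cert_pem, key_pem, ca_pem):
    """Return facts about a cert/key/CA triple: chain validity, key/cert
    match, and the cert's key algorithm, key size and signature algorithm."""
    with tempfile.TemporaryDirectory() as d:
        cert = _write(d, "dev.pem", cert_pem)
        key = _write(d, "dev.key", key_pem)
        ca = _write(d, "ca.pem", ca_pem)
        verify = _openssl("verify", "-CAfile", ca, cert)
        # Both commands emit the SubjectPublicKeyInfo in PEM; equal text
        # means the key really belongs to this certificate.
        cert_pub = _openssl("x509", "-in", cert, "-noout", "-pubkey").stdout.strip()
        key_pub = _openssl("pkey", "-in", key, "-pubout").stdout.strip()
        text = _openssl("x509", "-in", cert, "-noout", "-text").stdout

    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None

    return {
        "chain_ok": verify.returncode == 0,
        "chain_message": (verify.stdout + verify.stderr).strip(),
        "key_matches_cert": bool(cert_pub) and cert_pub == key_pub,
        "version": grab(r"Version: (\d+)", int),
        "public_key_algorithm": grab(r"Public Key Algorithm: (\S+)"),
        "key_bits": grab(r"Public-Key: \((\d+) bit\)", int),
        # first occurrence is the one inside the signed TBS structure
        "signature_algorithm": grab(r"Signature Algorithm: (\S+)"),
    }


def make_test_pki(key_bits=2048):
    """Constructed sample: a self-signed CA and one device cert it signed,
    mirroring the offline generation the post describes."""
    with tempfile.TemporaryDirectory() as d:
        ca_key, ca_pem = os.path.join(d, "ca.key"), os.path.join(d, "ca.pem")
        dev_key, csr, dev_pem = (os.path.join(d, n)
                                 for n in ("dev.key", "dev.csr", "dev.pem"))
        for args in (
            ["req", "-x509", "-newkey", f"rsa:{key_bits}", "-nodes",
             "-keyout", ca_key, "-out", ca_pem, "-days", "2",
             "-subj", "/CN=Example Device CA"],
            ["req", "-newkey", f"rsa:{key_bits}", "-nodes",
             "-keyout", dev_key, "-out", csr, "-subj", "/CN=device-0001"],
            ["x509", "-req", "-in", csr, "-CA", ca_pem, "-CAkey", ca_key,
             "-CAcreateserial", "-days", "2", "-out", dev_pem],
        ):
            r = _openssl(*args)
            if r.returncode != 0:
                raise RuntimeError(r.stderr)
        return {"cert": _read(dev_pem), "key": _read(dev_key),
                "ca": _read(ca_pem), "ca_key": _read(ca_key)}


if __name__ == "__main__":
    pki = make_test_pki()
    for k, v in inspect_device_cert(pki["cert"], pki["key"], pki["ca"]).items():
        print(f"{k}: {v}")
```

`chain_ok` answers the question AWS answers at registration time (does the device cert chain to the CA you gave it); `key_matches_cert` catches the classic mix-up of uploading a key file that belongs to a different certificate, which fails the handshake in exactly the same opaque way as any other TLS error; the remaining fields are what you compare against the module's documented limits for key type, key length and digest.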