MC60 AWS Certificate using AT+QSECWRITE

Hi,
I am using the MC60 for tracking purposes. Here I use an external MCU for the application.

For MQTT connection establishment with AWS, I am facing an issue.
I am getting the response for AT+QMTOPEN=0,<host>,<port> as
+QMTOPEN: 0,-1

This might be a mismatch in certificates. My question is how to transmit certificates to the module with AT+QSECWRITE.

-----BEGIN CERTIFICATE-----
<keys goes here 1000+ characters>
-----END CERTIFICATE-----

Should it be transmitted with headers and footers ("-----BEGIN CERTIFICATE-----" and “-----END CERTIFICATE-----”)

OR

only keys to be transmitted?

This is the biggest problem I am facing. The Signal value (CSQ) is 15 to 16.
Need your kind help.

regards
PK JENA


Hello pkjena
Thanks for your query on our forum.
Please find attached the AT logs for MQTT and also the application note.

For writing the certificates to the module you have to use the AT+QSECWRITE command.
Below is the description of the command.

Example: AT+QSECWRITE="NVRAM:ClientKey-private.pem",1675,100
where ClientKey-private.pem is the filename and will be stored in NVRAM, 1675 is the file size in bytes and 100 is the timeout for the input data on the UART.
After AT+QSECWRITE you will get a CONNECT reply from the module; after that you have to send the data of the file on the UART.

MC60_MQTT_SSL_AT_LOGS.pdf (60.0 KB)
Quectel_GSM_SSL_TCP_Application_Note_V3.2.pdf (473.3 KB)
Quectel_GSM_MQTT_Application_Note_V1.2.pdf (518.0 KB)

Hi Rahul,

Thanks for your quick reply.
I am using the MC60, following the same way as you referred, and am still getting +QMTOPEN: 0,-1.
I am pasting one of the certificates below, received from AWS. It cannot be sent directly from the file.

I have below questions,

  1. While sending certificates to STM32 MCU , shall I include “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” with the key in transmit buffer while sending to module OR not?

  2. Shall I activate AT+QIACT before AT+QMTOPEN?

  3. How to verify all 3 keys from the module? I tried with AT+FLDWL but am getting “Access denied”. If you can send some log for file verification, it may be helpful for me.

Key received from AWS as below


regards
PK Jena

Hi pkjena
Please find my comments below.
1) While sending certificates to STM32 MCU , shall I include “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” with the key in transmit buffer while sending to module OR not?
Rahul- “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” are part of the certificate.
You can define it in the MCU as below.
/* Size passed to AT+QSECWRITE: the number of bytes sent after CONNECT */
#define http_cacert_len 1196
/* PEM text including the BEGIN/END lines, one string literal per line */
#define http_cacert \
"-----BEGIN CERTIFICATE-----\n" \
"MIIDODCCAiACAQEwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCSU4xCzAJBgNV\n" \
"BAgMAlRHMQwwCgYDVQQHDANIWUQxDTALBgNVBAoMBEVDSUwxDTALBgNVBAsMBEVD\n" \
"SUwxGDAWBgNVBAMMD3JobXMuZWNpbC5jby5pbjAeFw0yMDA1MTUwNzI3MDdaFw0y\n" \
"NTA0MTkwNzI3MDdaMGQxCzAJBgNVBAYTAklOMQswCQYDVQQIDAJURzEMMAoGA1UE\n" \
"BwwDSHlkMQ0wCwYDVQQKDARFQ0lMMREwDwYDVQQLDAhUUzAwMDAwMTEYMBYGA1UE\n" \
"AwwPcmhtcy5lY2lsLmNvLmluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\n" \
"AQEAk1g8gT2PKmrRw3kYEmeqZB+vKlhin3oIalRUQ3Jw1oc7za0LsOKyMERC/qXp\n" \
"Q+hqPX7C/36CO9uBOCK/6cjrVNda7DUTSjGhYvce1aAlbAd6cCXHzHDu1ejmiX8W\n" \
"xuFRvLyNAwGELRuNRBTzsxwOquk0KGjB4vySmohCEl9EubsdlGQeLWyr2a2/pnTM\n" \
"hHWjc8TaxBSFpCxVHD+3EoGJNEUUBZsSqE3rARHU2mC8XK+xCTok5zYUNdbHuBeo\n" \
"YaQ/iom4JFygzgg6DEMOF+m0MPsX45fU+i7gu6SBL2nHP6vZevTnCig6MMvnP3Se\n" \
"1s3v3AwiN8YSYxhn1nci2saF0QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBPVdx9\n" \
"nqWPfACZLKWxkzkABX5iNvv56H1wvNVipWb8Q3w8h7tHK36Dzf4XLQ6kOnv10qcH\n" \
"Ei38YkRujwfrsLux8DlcphfkfTNhQZd9MLncTUKOwuHnTjrwcvIlWBCVTSCxj71S\n" \
"v2f+LJXI6NczWqKNQ6ONPy9q9yPbHscOz3tl4hOSIk9nSkTiIf6KNl7LELUMb1B4\n" \
"pGfH8FIx7r2hA+4BHN/H6lzwYB26kl/85uPQ7mDJZ9StfXwJbB/F3tP1pGcL6ZQo\n" \
"vlg2cscv9C6jF668Yr01ZekHPa3HUkpt5o+1x9o5QFR6V7E+Fok02cVzNzFpObUs\n" \
"rYgRmgSkcssIyTTm\n" \
"-----END CERTIFICATE-----\n"

2) Shall activate AT+QIACT before AT+QMTOPEN?
    Yes, you have to activate the GPRS/CSD context using AT+QIACT before AT+QMTOPEN.

3) How to verify all 3 keys from module? I tried with AT+FLDWL but getting “Access denied”. If you can send some log for file verification, may helpful for me
    You can use the AT+QSECREAD= command.

I recommend sending the commands to the module directly from a UART terminal (QCOM) with the help of a USB-to-TTL or USB-to-RS232 converter. That way you will get a clear idea of how the module is responding, and then you can implement the same commands in your MCU.
Also, the module can store the certificates in NVRAM, so you do not need to send the certificates on every power-on.

You can download QCOM from below link.
https://cnquectel-my.sharepoint.com/:f:/g/personal/india-fae_quectel_com/Ep41bP0lEx5BoNPeBRbziwwBsQ-v86O3Jj_R-xFfRejnYA?e=S3FraM
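
The upload step discussed in the replies above, as an added example (not code from the posts or from Quectel's documentation): C helpers for the external MCU that check a PEM buffer still carries its BEGIN/END lines and take the AT+QSECWRITE size from the bytes actually held, so the declared length cannot drift from what is sent after CONNECT. The function names and the constructed sample PEM are assumptions; the file name and timeout used in the test are the ones that appear in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: PEM framing around a dummy body, not a real certificate. */
static const char SAMPLE_PEM[] =
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END CERTIFICATE-----\n";

/* Byte count of a PEM buffer, or -1 unless it starts with a BEGIN line and
 * ends with the END line carrying the same label (only CR/LF may follow). */
long pem_len(const char *pem)
{
    static const char BEGIN[] = "-----BEGIN ", END[] = "-----END ";
    const char *label, *dashes, *tail;
    size_t n;

    if (pem == NULL || strncmp(pem, BEGIN, sizeof BEGIN - 1) != 0)
        return -1;
    label = pem + sizeof BEGIN - 1;
    dashes = strstr(label, "-----");          /* end of the label */
    if (dashes == NULL || dashes == label)
        return -1;
    n = (size_t)(dashes - label);
    tail = strstr(dashes, END);               /* footer line */
    if (tail == NULL)
        return -1;
    tail += sizeof END - 1;
    if (strncmp(tail, label, n) != 0 || strncmp(tail + n, "-----", 5) != 0)
        return -1;
    for (tail += n + 5; *tail == '\r' || *tail == '\n'; tail++)
        ;
    return *tail == '\0' ? (long)strlen(pem) : -1;
}

/* Formats the upload command with the size taken from the buffer itself.
 * Returns the number of bytes to send after CONNECT, or -1 on error. */
long build_qsecwrite(char *cmd, size_t cap, const char *file,
                     const char *pem, unsigned timeout_s)
{
    long len = pem_len(pem);
    int w;

    if (len < 0)
        return -1;
    w = snprintf(cmd, cap, "AT+QSECWRITE=\"%s\",%ld,%u\r", file, len, timeout_s);
    return (w < 0 || (size_t)w >= cap) ? -1 : len;
}
```

The same PEM with CRLF line endings is three bytes longer here, which is why the size is computed from the buffer rather than kept as a separate constant.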

Thank you Rahul for your response.

Please help me to confirm module certificate name with corresponding AWS certificate name.
I am using as below

SlNo  Module File    AWS File
1     cacert.pem     RootCA1.pem
2     client.pem     cert.pem
3     user_key.pem   private.key

Your reply will help me one step ahead.

regards
PK

Hi pkjena
Yes, the following names are OK if you are storing the certificates in RAM.
Please refer to the AT+QSECWRITE command in the SSL_TCP application note, which was shared in the previous reply.
SlNo  Module File    AWS File
1     cacert.pem     RootCA1.pem
2     client.pem     cert.pem
3     user_key.pem   private.key

Regards
Rahul.

Hi Rahul,

Still I am getting +QMTOPEN: 0,-1. Not connecting to AWS.
I am uploading 2 files
1. QCOM_Log.pdf - This is Log from QCOM.exe
2. pkMQTT.pdf - This is the QCOM INI file

Still, I am not able to catch where I am making the mistake.
It seems to be around the keys.
Need your help to fix.

regards
PK JENA

QCOM_Log.pdf (28.5 KB) pkMQTT.pdf (56.4 KB)

Hi pkjena
Please check whether your certificates are correct or not using MQTT test tools (like MQTT.fx).
Regards
Rahul

Hi Rahul,

Many thanks for the quick and active support. Now my certificates are corrected and I am getting the response +QMTOPEN: 0,0. Thanks.

But I am facing another issue after it. Pasting the log below.
I received only OK in response to AT+QMTCONN=0,"M95_0206", and +QMTCONN: 0,0,0 is not received. Please check the log sequence at the end.

But a +QMTSTAT: 0,1 is received instead -> Connection is closed or reset by the peer.
What could be the possible reason here? Is it an AWS-side issue or my application issue? Any clue for it?

AT+QSSLCFG="cacert",2,"RAM:cacert.pem"

OK
AT+QSSLCFG="clientcert",2,"RAM:client.pem"

OK
AT+QSSLCFG="clientkey",2,"RAM:user_key.pem"

OK
AT+QSSLCFG="seclevel",2,2

OK
AT+QSSLCFG="sslversion",2,4

OK
AT+QSSLCFG="ciphersuite",2,"0xFFFF"

OK
AT+QSSLCFG="ignorertctime",1

OK
AT+QMTOPEN=0,"a35av9i4lkw80j-ats.iot.ap-south-1.amazonaws.com",8443

OK

+QMTOPEN: 0,0
AT+QMTCONN=0,"M95_0206"

OK

+QMTSTAT: 0,1

regards
PK JENA

Hi pkjena
I think “M95_0206” is not your client ID. Please make sure of your client ID.
Please use the correct client ID.
Regards
Rahul

Hi Rahul,

My issue is still not resolved. I am attaching the following files for your reference:

  1. QCOM log file (QCPM_LOG.pdf)
  2. CA1 certificate (CA1.pdf)
  3. Client Certificate (client.pdf)
  4. User Key (private.pdf)
  5. Host, Port, Client ID information (url.pdf)

All the information is working as of now, and with the same information MQTT.fx is connecting to AWS. But while I am testing with QCOM, there is no connection establishment.
Need your expert comment on it.

  1. Can you please confirm the sequence is proper in QCOM log?
  2. Let me know, if I can test/work in some other way?

regards
PK

CA1.pdf (31.1 KB) client.pdf (31.3 KB) private.pdf (31.8 KB) QCOM_LOG.pdf (29.7 KB) url.pdf (19.0 KB)

Hi pkjena
I think you are missing the command AT+QMTCFG="SSL",0,1,2.
You can also try changing to AT+QSSLCFG="sslversion",2,4

Regards
Rahul

Hi Rahul,

Thank you a lot.
I traced out my mistake and corrected it.
Now my STM32 + MC60 connects to AWS. Thank you.

Will try next for Subscribe and Publish.

regards
PK
MCOM_Log.pdf (29.5 KB)

Hi Rahul,

Facing another issue while subscribing and pasting partial log from QCOM as below

AT+QMTOPEN=0,"a35av9i4lkw80j-ats.iot.ap-south-1.amazonaws.com","8883"
OK
+QMTOPEN: 0,0

AT+QMTCONN=0,"basicPubSub"
OK
+QMTCONN: 0,0,0

AT+QMTSUB=0,2,"$aws/things/topic_1/shadow/update/accepted",1
OK
+QMTSTAT: 0,1 -------------> Here +QMTSUB: 0,1,0,1 is expected

Please suggest.

regards
PK JENA

Hi Rahul,

My query is resolved now.
It was also depending on the configuration at the AWS side.

Thanks for your active and fast support.

regards
PK JENA

I am also facing the same issue when I execute the command AT+QMTCONN=0,"SVNode226", and SVNode226 is my thing created in AWS IoT.

The response is always:

+QMTSTAT: 0,1

How did you solve this?