Quecopen SSL example BG95 - Error "The certificate is not trusted"

I am developing Quecopen Application to run on top of ThreadX for BG95.

The SDK version i have is Quectel_BG95_QuecOpen_SDK_Package_V1.1.0_BETA20200610 with ThreadX_LLVM_TX3.0

I am able to compile the examples and flash it using the QEFS explorer. There is no problem there. I have problems with the Network security APIs. I am working with the SSL example and the Mqtt example.

With the SSL example, I try to open SSL socket to an Amazon endpoint https://docs.aws.amazon.com/ ( I use the Amazon Root CA 1 certificate. I am unable to connect to SSL. I always get “The certificate is not trusted” error. Please tell me the ideal format of the Certificates to use.

the AmazonRootCA1.pem i use is

the example_ssh.h file in my case is

the SSL config i have is

static qapi_Status_t ssl_conn_obj_config(SSL_INST *ssl)

qapi_Status_t ret_val = QAPI_OK;

/* default eight encryption suites */
ssl->config.cipher[0] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
ssl->config.cipher[1] = QAPI_NET_TLS_RSA_WITH_AES_256_CBC_SHA;
ssl->config.cipher[2] = QAPI_NET_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA;
ssl->config.cipher[3] = QAPI_NET_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA;
ssl->config.cipher[4] = QAPI_NET_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA;
ssl->config.cipher[5] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA;
ssl->config.cipher[6] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA;
ssl->config.cipher[7] = QAPI_NET_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;

ssl->config.max_Frag_Len = 4096;
ssl->config.max_Frag_Len_Neg_Disable = 0;
ssl->config.protocol = QAPI_NET_SSL_PROTOCOL_TLS_1_2;
ssl->config.verify.domain = 0;
ssl->config.verify.match_Name[0] = '\0';
ssl->config.verify.send_Alert = 0;
ssl->config.verify.time_Validity = 0;	/* Don't check certification expiration */

return ret_val;


Not sure if you resolved this but I can probably advise here. You have used Amazon Root CA1 as your rootCA file

This is actually an intermediate CA and is not the root of trust.

You need to use Starfield CA (I believe owned by Amazon) as this is the final root of trust. I discovered this a while ago and fed back to AWS