Troubleshoot AWS Private CA Matter-compliant certificate errors - AWS Private Certificate Authority

Troubleshoot AWS Private CA Matter-compliant certificate errors

The Matter connectivity standard specifies certificate configurations that improve the security and consistency of internet of things (IoT) devices. Java samples for creating Matter-compliant root CA, intermediate CA, and end-entity certificates can be found at Use AWS Private CA to implement Matter certificates.

To assist with troubleshooting, the Matter developers provide a certificate verification tool called chip-cert. Errors that the tool reports are listed in the following table with remediations.

Error code: 0x00000305
Meaning: The BasicConstraints, KeyUsage, and ExtendedKeyUsage extensions must be marked critical.
Remediation: Ensure that you have selected the correct template for your use case.

Error code: 0x00000050
Meaning: The authority key identifier extension must be present.
Remediation: AWS Private CA does not set the authority key identifier extension on root certificates. You must generate a Base64-encoded AuthorityKeyIdentifier value using the CSR and then pass it through a CustomExtension. For more information, see Activate a Root CA for Node Operational Certificates (NOC) and Activate a Product Attestation Authority (PAA).

Error code: 0x0000004E
Meaning: Certificate is expired.
Remediation: Ensure that the certificate you use is unexpired.

Error code: 0x00000014
Meaning: Certificate chain validation failure.
Remediation: This error may be encountered if you attempt to create a Matter-compliant end-entity certificate without using the provided Java examples, which use the AWS Private CA API to pass a properly configured KeyUsage.

By default, AWS Private CA generates nine-bit KeyUsage extension values, with the ninth bit resulting in an extra byte. Matter ignores the extra byte during format conversions, so the converted certificate no longer matches the bytes that were signed, causing chain-validation failures. However, a CustomExtension in the APIPassthrough template can be used to set the exact number of bytes in the KeyUsage value. For an example, see Create a Node Operational Certificate (NOC).

If you modify the sample code or use an alternative X.509 utility such as OpenSSL, you need to perform manual verification in order to avoid chain validation errors.

To verify that conversions are lossless
  1. Use openssl to verify that a node (end-entity) certificate has a valid chain. In this example, rcac.pem is the root CA certificate, icac.pem is the intermediate CA certificate, and noc.pem is the node certificate. The <( ) process substitution requires bash or zsh.

    openssl verify -verbose -CAfile <(cat rcac.pem icac.pem) noc.pem
  2. Use chip-cert to convert the PEM-formatted node certificate to Matter TLV (tag, length, value) format and back again.

    ./chip-cert convert-cert noc.pem noc.chip -c
    ./chip-cert convert-cert noc.chip noc_converted.pem -p

    The files noc.pem and noc_converted.pem should be byte-for-byte identical; confirm this with a comparison tool such as cmp or diff.
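The KeyUsage byte-count problem behind error 0x00000014 and the lossless round trip checked in step 2 can both be modelled at the level of the extension value itself. The following is an added example written for this page; it is not AWS sample code and not part of chip-cert. It DER-encodes a KeyUsage BIT STRING either minimally (as DER requires) or padded to a fixed nine bits, re-encodes the result minimally the way a converter that keeps the bits but not the padding would, and reports whether the bytes survived unchanged. The base64 helper assumes that a CustomExtension Value field carries the base64 of the raw DER extension value; the usage names and inputs are constructed for the demonstration.

```python
import base64

# KeyUsage bit positions from RFC 5280 section 4.2.1.3. Bit 0 is the most
# significant bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}


def bit_string_from_positions(positions, min_bits=None):
    """DER-encode a BIT STRING whose set bits are the given positions.

    With min_bits=None the encoding is minimal, as DER requires: the bit
    count is (highest set bit + 1), so trailing zero bits are dropped.
    min_bits=9 reproduces a fixed nine-bit value, which needs a second
    content byte even when only bits 0..7 are set.
    """
    positions = sorted(set(positions))
    nbits = (positions[-1] + 1) if positions else 0
    if min_bits is not None:
        nbits = max(nbits, min_bits)
    nbytes = (nbits + 7) // 8
    content = bytearray(nbytes)
    for p in positions:
        content[p // 8] |= 0x80 >> (p % 8)
    unused = nbytes * 8 - nbits              # unused bits in the last byte
    body = bytes([unused]) + bytes(content)
    return bytes([0x03, len(body)]) + body   # tag 0x03, short-form length


def key_usage_bit_string(usages, min_bits=None):
    """Encode a KeyUsage extension value from RFC 5280 usage names."""
    return bit_string_from_positions([KEY_USAGE_BITS[u] for u in usages], min_bits)


def decode_bit_string(der):
    """Parse a short-form DER BIT STRING into the set of bit positions that are 1."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]
    content = der[3:]
    if unused > 7 or (content and unused and content[-1] & ((1 << unused) - 1)):
        raise ValueError("invalid padding")
    nbits = len(content) * 8 - unused
    return {p for p in range(nbits) if content[p // 8] & (0x80 >> (p % 8))}


def reencode_minimal(der):
    """Decode and re-encode with minimal padding.

    This models a converter that preserves which bits are set but not the
    original bit count: a nine-bit value with bit 8 clear comes back one
    byte shorter.
    """
    return bit_string_from_positions(decode_bit_string(der))


def round_trip_is_lossless(der):
    """True when the value survives a decode/re-encode byte for byte.

    A value that changes here is re-encoded differently after conversion,
    so the signed TBSCertificate bytes are no longer reproduced exactly.
    """
    return reencode_minimal(der) == der


def custom_extension_value(der):
    """Base64 text of the DER extension value.

    Assumption: this is the form a CustomExtension Value field carries
    when the extension is passed through an APIPassthrough template.
    """
    return base64.b64encode(der).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: a node certificate whose key only signs.
    minimal = key_usage_bit_string(["digitalSignature"])
    nine_bit = key_usage_bit_string(["digitalSignature"], min_bits=9)
    for label, value in (("minimal DER", minimal), ("nine-bit", nine_bit)):
        print(f"{label:12} {value.hex()}  lossless={round_trip_is_lossless(value)}"
              f"  base64={custom_extension_value(value)}")
```

For a digitalSignature-only node certificate the minimal encoding is 03 02 07 80 and survives the round trip, while the nine-bit form 03 03 07 80 00 comes back one byte shorter; the base64 of the minimal value is what a CustomExtension would carry so that chip-cert and AWS Private CA agree on the exact bytes. A value that genuinely uses bit 8 (decipherOnly) needs two bytes in both forms and round-trips unchanged.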