

# Troubleshoot AWS Private CA Matter-compliant certificate errors
<a name="TroubleshootPcaMatter"></a>

The [Matter connectivity standard](https://github.com/project-chip/connectedhomeip) specifies certificate configurations that improve the security and consistency of internet of things (IoT) devices. Java samples for creating Matter-compliant root CA, intermediate CA, and end-entity certificates can be found at [Use AWS Private CA to implement Matter certificates](API-CBR-intro.md).

To assist with troubleshooting, the Matter developers provide a certificate verification tool called [chip-cert](https://github.com/project-chip/connectedhomeip/tree/master/src/tools/chip-cert). Errors that the tool reports are listed in the following table with remediations.



| Error code | Meaning | Remediation | 
| --- | --- | --- | 
| 0x00000305 | `BasicConstraints`, `KeyUsage`, and `ExtendedKeyUsage` extensions must be marked critical. | Ensure that you have selected the correct template for your use case. | 
| 0x00000050 | The authority key identifier extension must be present. | AWS Private CA does not set the authority key identifier extension on root certificates. You must generate a Base64-encoded `AuthorityKeyIdentifier` value using the CSR and then pass it through a [CustomExtension](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CustomExtension.html). For more information, see [Activate a Root CA for Node Operational Certificates (NOC)](JavaApiCBC-ActivateRootCA.md) and [Activate a Product Attestation Authority (PAA)](JavaApiCBC-ProductAttestationAuthorityActivation.md). | 
| 0x0000004E | Certificate is expired. | Ensure that the certificate you use is unexpired. | 
| 0x00000014 | Certificate chain validation failure. | This error can occur if you create a Matter-compliant end-entity certificate without using the provided [Java examples](API-CBR-intro.md), which use the AWS Private CA API to pass a properly configured `KeyUsage`. By default, AWS Private CA generates nine-bit `KeyUsage` extension values, with the ninth bit resulting in an extra byte. Matter ignores the extra byte during format conversions, causing chain-validation failures. However, a [CustomExtension](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CustomExtension.html) in the `APIPassthrough` template can be used to set the exact number of bytes in the `KeyUsage` value. For an example, see [Create a Node Operational Certificate (NOC)](JavaApiCBC-NodeOperatingCertificate.md). If you modify the sample code or use an alternative X.509 utility such as OpenSSL, you need to perform manual verification to avoid chain validation errors. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/privateca/latest/userguide/TroubleshootPcaMatter.html) | 
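
The extra `KeyUsage` byte behind error 0x00000014 can be checked offline. The following Python sketch is an added example, not part of the AWS Java samples: it decodes a `KeyUsage` BIT STRING, reports any byte beyond the minimal DER form, and builds the Base64 value for a `CustomExtension`. The function names and the two sample byte strings are constructed for illustration; the dictionary keys follow the `CustomExtension` API fields.

```python
import base64

# Named bits of the X.509 KeyUsage BIT STRING (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
KEY_USAGE_OID = "2.5.29.15"


def encode_key_usage(names):
    """Minimal DER BIT STRING for the given usages (trailing zero bits dropped)."""
    if not names:
        raise ValueError("at least one key usage is required")
    bits = sorted(KEY_USAGE_BITS.index(n) for n in names)
    content = bytearray(bits[-1] // 8 + 1)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - bits[-1] % 8  # zero bits after the last set bit
    return bytes([0x03, len(content) + 1, unused]) + bytes(content)


def inspect_key_usage(der):
    """Decode a KeyUsage BIT STRING and report bytes beyond the minimal form."""
    if len(der) not in (4, 5) or der[0] != 0x03 or der[1] != len(der) - 2 or der[2] > 7:
        raise ValueError("not a one- or two-byte DER BIT STRING")
    content = der[3:]
    names = [n for i, n in enumerate(KEY_USAGE_BITS)
             if i < len(content) * 8 and content[i // 8] & (0x80 >> (i % 8))]
    if not names:
        raise ValueError("no key usage bits set")
    minimal = encode_key_usage(names)
    return {"usages": names, "extra_bytes": len(der) - len(minimal),
            "minimal": der == minimal, "minimal_hex": minimal.hex()}


def custom_extension(names):
    """KeyUsage as a critical CustomExtension entry with a Base64 value."""
    value = base64.b64encode(encode_key_usage(names)).decode("ascii")
    return {"ObjectIdentifier": KEY_USAGE_OID, "Value": value, "Critical": True}


# Constructed samples: digitalSignature in a nine-bit, two-byte form and in
# the minimal one-byte form.
NINE_BIT_SAMPLE = bytes.fromhex("0303078000")
MINIMAL_SAMPLE = bytes.fromhex("03020780")

if __name__ == "__main__":
    for sample in (NINE_BIT_SAMPLE, MINIMAL_SAMPLE):
        print(sample.hex(), inspect_key_usage(sample))
    print(custom_extension(["digitalSignature"]))
```

To check an issued certificate, pass `inspect_key_usage` the BIT STRING bytes from the `KeyUsage` extension as shown by an ASN.1 dump; a nonzero `extra_bytes` indicates the two-byte form described in the table.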