Any idea how hex values for Certs in MKRNB libs are generated?

151 views
Skip to first unread message

John Davis

unread,
Sep 6, 2021, 11:12:44 AM9/6/21
to Developers
Hello

I am trying to figure out how to fix the GCP IoT core connection problem with a MKR NB 1500.   I was able to get the MKR1000 to connect to GCP IoT core using the arduino example and the GCP example.  One uses the crypto chip and one does all the code in software.

The MKR NB 1500 and MKR1000 both have the same crypto chip but the NB stores certs as hard coded arrays where as the 1000 uses the WINC1500.

This is the source file for the arduino-libraries/MKRNB which contains the certs:

I'm wondering how these arrays were generated.  Anyone know the process/method?

I'm looking at the various datasheets for the module and it is somewhat conflicting.

This manual is the SARA-R4 Series AT Commands Manual

section 20.3.2 SSL/TLS Certificates and privacy manager +USECMNG

Discusses the command the arduino library uses to load the cert arrays in the above header file.  The NBSSLClient.cpp file has the following line:

MODEM.sendf("AT+USECMNG=0,0,\"%s\",%d", _RCs[_certIndex].name, _RCs[_certIndex].size);

So, we know its using the 0,0 parameters for the +USECMNG command.  Some notes on this command:

Manages X.509 certificates and says "certificates and private keys both in DER
(Distinguished Encoding Rules) and in PEM (Privacy-Enhanced Mail) format are accepted. If the provided format is PEM, the imported certificate or private key will be automatically converted in DER format for the internal storage. It is also possible to validate certificates and private keys. Up to 16 certificates or private keys can be imported."

So supposedly it takes DER and PEM certs.  FWIW, a PEM is a Base64 encoded cert and a DER is a binary cert.  When you use the openssl command with s_client and -showcerts it prints a PEM format cert.  You can recognize the BEGIN CERTIFICATE keyword in plain ascii text and in the signature you see alphanumeric text with trailing == padding from the Base64 coding.

According to this section in manual, the certs are converted to DER if its a PEM. Although the Cert can not be retrieved, the MD5 hash string can be retrieved.  When you successfully load a cert, the modem will return the same MD5 hash string.

The manual says the cert must be X.509 and it must have only certain fields provided.  See last bullet in section 20.3.2.1.  (More about this field restriction later.)

Oddly, section 20.3.2.2 shows a raw ascii string for the data as >----BEGIN CERTIFICATE ---  This leads me to believe its literally expecting an asscii text string. 

'>' is hex 0x3E
'-' is hex 0x2D


$ echo ">-" | od -t x1 -An
 3e 2d 0a

Looking at the header file, all the certs start out with the same hex sequence: "0x30, 0x82, 0x03, 0xef"

Looking at this site, https://filext.com/file-extension/DER  it shows the X509 certificate DER file fingerprint has leading 0x30 0x82.

So I'm concluding these files are DER files.

So, how to get a root cert from google and add to this array in NBRootsCert.h?

This is the process I did and sadly it failed:
(When I got the MKR1000 working, I did not use the google.com:443 nor did I use the 
https://cloud.google.com/iot/docs/how-tos/mqtt-bridge "complete Google root CA cert package (128KB) for mqtt.googleapis.com"  instead I pointed the winc1500 to mqtt.googleapis.com:8883.  However I tried to build a combined cert pulled from that server yadda yadda and it failed to load.  As a simple test, I'll try to just load one of the server certs in the 128KB pem file.)

1. Edit https://pki.goog/roots.pem and find the uber GlobalSign root cert.  The issuer and owner are both GlobalSign.  Copy the relevant portion of the cert to a file.

$ cat GS_ROOT_CA.crt
# Operating CA: GlobalSign
# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA
# Label: "GlobalSign Root CA"
# Serial: 4835703278459707669005204
# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a
# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c
# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==
-----END CERTIFICATE-----

2.  Convert to DER

You can find this command via google, but its interesting to see the precise command in the u-blox documentation.  This is yet another u-blox document, the "SARA-R4 series Application development guide"


Section 16.1 Certificate format
"SARA-R4 series modules do not support PEM format.  (Notice this does not agree with the other document!!!!)  Only DER and CER formats are supported.  For an example of using OpenSSL application to convert PEM to DER:

openssl x509 -in cert.crt -outform der -out cert.der"

 so, to convert the PEM file above, 

davis@twenty:~/progs/ssl_publy/certs 
$ cat convert_pem_to_der.sh 

INFILE=$1
OUTFILE="${INFILE%.*}.der"

openssl x509 -in ${INFILE} -outform der -out ${OUTFILE}

davis@twenty:~/progs/ssl_publy/certs 
$ ./convert_pem_to_der.sh GS_ROOT_CA.crt 
davis@twenty:~/progs/ssl_publy/certs 
$ file GS_ROOT_CA.der 
GS_ROOT_CA.der: data
davis@twenty:~/progs/ssl_publy/certs 
$ od -t x1 -An --read-bytes=4 GS_ROOT_CA.der 
 30 82 03 75

The file command did not recognize it as a DER file, but the 0x30 0x82 is present.

3.  Convert the file to a byte sequence

davis@twenty:~/progs/ssl_publy/certs 
$ cat make_hex.sh 


echo "file specfied is: $1"

od -t x1 -An  $1 | awk '

{

    for (i = 1; i <= 16; i++)
        printf "0x%s,", $i
    print ""
}
'

davis@twenty:~/progs/ssl_publy/certs 
$ ./make_hex.sh GS_ROOT_CA.der > foo.txt
davis@twenty:~/progs/ssl_publy/certs 
davis@twenty:~/progs/ssl_publy/certs 
$ head -n2 foo.txt 
file specfied is: GS_ROOT_CA.der
0x30,0x82,0x03,0x75,0x30,0x82,0x02,0x5d,0xa0,0x03,0x02,0x01,0x02,0x02,0x0b,0x04,
davis@twenty:~/progs/ssl_publy/certs 

4. Modify NBRootsCert.h and sketch to print debug info.

So, add the contents of foo.txt so its in the NBRootsCert.h.  Since there is a limit of 16 certs, I removed the AWS and Big Daddy certs and added this new one as JFD.

I also modified the top level sketch so that it emits AT commands.

sketch mod:
// orig NB nbAccess;
NB nbAccess(true);

NBRootsCert.h
  {
    "JFD",
    (const uint8_t[]){        0x30,0x82,0x03,0x75,0x30,0x82,0x02,0x5d,0xa0,0x03,0x02,0x01,0x02,0x02,0x0b,0x04,
<stuff snipped>
       0x55,0xe2,0xfc,0x48,0xc9,0x29,0x26,0x69,0xe0
    },
    889
  },

As far as length goes, this matches the others in the array.  Its the number of bytes.

4.  Test the code

<stuff snipped>
AT+USECMNG=0,0,"GeoTrust_Primary_Certification_Authority_G3",1026
>
+USECMNG: 0,0,"GeoTrust_Primary_Certification_Authority_G3","B5E83436C910445848706D2E83D4B805"

OK
AT+USECMNG=0,0,"JFD",889
ERROR


This shows the cert above where I placed mine loading (I skipped showing all the certs loaded.  Nine in total are loaded.  I am attempting to load a new tenth.


So what now brown cow?

John




Rob Tillaart

unread,
Sep 6, 2021, 11:56:49 AM9/6/21
to Arduino Developers

> This is the source file for the arduino-libraries/MKRNB which contains the certs:
> I'm wondering how these arrays were generated.  Anyone know the process/method?

Copy this part into a text file say x.x


MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw
MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT
aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ
jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp
xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp
1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG
snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ
U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8
9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B
AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz
yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE
38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP
AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad
DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME
HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A==


then 

base64 -d  x.x  |  od - x        // base64 decode and make a hex dump

0000000 8230 7503 8230 5d02 03a0 0102 0202 040b
0000020 0000 0000 1501 5a4b 94c3 0d30 0906 862a
0000040 8648 0df7 0101 0505 3000 3157 300b 0609

and you get a hex dump that looks already a bit like the certs in the   NBRootCerts.h  file
Recognize the 8230 --> 0x030, 0x82

my 2 cents,



Virus-free. www.avg.com

--
You received this message because you are subscribed to the Google Groups "Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to developers+...@arduino.cc.
To view this discussion on the web visit https://groups.google.com/a/arduino.cc/d/msgid/developers/6584d261-24fa-41ed-9274-7e55c05736efn%40arduino.cc.

John Davis

unread,
Sep 6, 2021, 12:24:35 PM9/6/21
to Developers
Hello Rob,

Thanks for reaching out.  Comments inline.

It looks like you are doing base64 decode of the cert and converting it to DER file format.  Since a PEM is just a DER in base64 format, this makes sense.  I used od and awk to get the C hex byte syntax.  With that said, if use --endian=big|little switch you can swizzle to correct format or use -t x1 as I did.  With that said, you can see the format is similar. I posted the first line of the bytes in step 3 and 4.  Here they are again for reference:

0x30,0x82,0x03,0x75,0x30,0x82,0x02,0x5d,0xa0,0x03,0x02,0x01,0x02,0x02,0x0b,0x04,

Swizzling in my mind and removing the offset column it looks identical.  It should be so that is good.

Regarding the contents of the DER file and the field limitation I mentioned but did not elaborate on:

$ cat dump_der.sh
# dump DER file in order to find out what fields are in the file.
# This u-blox manual shows which fields are supported.
#
# https://www.u-blox.com/en/docs/UBX-17003787
#
# excerpt section 20.3.2 SSL/TLS Certificates and private keys manager +USECMNG
#
# The USECMNG import functionality allows the following DN value fields:
#
# o  commonName (http://oid-info.com/get/2.5.4.3)
# o  serialNumber (http://oid-info.com/get/2.5.4.5)
# o  countryName (http://oid-info.com/get/2.5.4.6)
# o  localityName (http://oid-info.com/get/2.5.4.7)
# o  stateOrProvinceName (http://oid-info.com/get/2.5.4.8)
# o  organizationName (http://oid-info.com/get/2.5.4.10)
# o  organizationalUnitName (http://oid-info.com/get/2.5.4.11)
# o  userID (http://oid-info.com/get/0.9.2342.19200300.100.1.1)
# o  domainComponent (http://oid-info.com/get/0.9.2342.19200300.100.1.25)
# o  pkcs9_emailAddress (http://oid-info.com/get/1.2.840.113549.1.9.1)
# o  pkcs9_unstructuredName (http://oid-info.com/get/1.2.840.113549.1.9.2)
#
# The import of an X.509 certificate with DN containing other value fields
# (not in the above list) will result in an import error
# (error result code: USECMNG invalid certificate/key format).

# $1 is a DER file
openssl asn1parse -in $1 -inform DER

and the result of 

$ ./dump_der.sh GS_ROOT_CA.der | grep OBJECT
   28:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   47:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   60:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   87:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  105:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  168:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  181:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  208:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  226:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  257:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  551:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Key Usage
  567:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  584:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  615:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption


I notice that some of the fields are present in that list and some are not.  ie. countryName is ok.  rsaEncryption perhaps not.  I know this particular field says it used RSA for the fingerprint or something like that.  I'm still fuzzy on this.  This might not be a problem but perhaps its.  Don't know.

 

John Davis

unread,
Sep 6, 2021, 3:09:58 PM9/6/21
to Developers
Hmm.   This is interesting.  Even though that NBCerts.h file has 10 entries, there are 16 already loaded.

Using the serial pass through example:

parameter 3 lists certs
parameter 2 removes certs
parameter 4 dumps specific certs

13:25:46.886 -> AT+USECMNG=3
13:25:46.886 ->
"CA","AddTrust_External_CA_Root","AddTrust External CA Root","2020/05/30 10:48:38"
13:25:46.886 -> "CA","Baltimore_CyberTrust_Root","Baltimore CyberTrust Root","2025/05/12 23:59:00"
13:25:46.920 -> "CA","COMODO_RSA_Certification_Authority","COMODO RSA Certification Authority","2038/01/18 23:59:59"
13:25:46.920 -> "CA","DST_Root_CA_X3","DST Root CA X3","2021/09/30 14:01:15"
13:25:46.920 -> "CA","DigiCert_High_Assurance_EV_Root_CA","DigiCert High Assurance EV Root CA","2031/11/10 00:00:00"
13:25:46.920 -> "CA","Entrust_Root_Certification_Authority","Entrust Root Certification Authority","2026/11/27 20:53:42"
13:25:46.953 -> "CA","Equifax_Secure_Certificate_Authority","","2018/08/22 16:41:51"
13:25:46.953 -> "CA","GeoTrust_Global_CA","GeoTrust Global CA","2022/05/21 04:00:00"
13:25:46.953 -> "CA","GeoTrust_Primary_Certification_Authority_G3","GeoTrust Primary Certification Authority - G3","2037/12/01 23:59:59"
13:25:46.953 -> "CA","GlobalSign_Root_CA","GlobalSign Root CA","2028/01/28 12:00:00"
13:25:46.953 -> "CA","GTS_Root_R1","GTS Root R1","2036/06/22 00:00:00"
13:25:46.986 -> "CA","Go_Daddy_Root_Certificate_Authority_G2","Go Daddy Root Certificate Authority - G2","2037/12/31 23:59:59"
13:25:46.986 -> "CA","VeriSign_Class_3_Public_Primary_Certification_Authority_G5","VeriSign Class 3 Public Primary Certification Authority - G5","2036/07/16 23:59:59"
13:25:46.986 -> "CA","Starfield_Services_Root_Certificate_Authority_G2","Starfield Services Root Certificate Authority - G2","2037/12/31 23:59:59"
13:25:47.019 -> "CA","Baltimore CyberTrust Root","Baltimore CyberTrust Root","2025/05/12 23:59:00"
13:25:47.019 -> "CA","DigiCert High Assurance EV Root CA","DigiCert High Assurance EV Root CA","2031/11/10 00:00:00"
13:25:47.019 ->
13:25:47.019 -> OK
13:26:43.902 -> AT+USECMNG=2,0,"Baltimore_CyberTrust_Root"

13:26:43.935 -> OK
13:27:13.552 -> AT+USECMNG=2,0,"Baltimore CyberTrust Root"

13:27:13.552 -> OK
13:27:57.069 -> AT+USECMNG=2,0,"Go_Daddy_Root_Certificate_Authority_G2"

13:27:57.069 -> OK
13:28:08.414 -> AT+USECMNG=3,0
13:28:08.414 ->
"CA","AddTrust_External_CA_Root","AddTrust External CA Root","2020/05/30 10:48:38"
13:28:08.414 -> "CA","COMODO_RSA_Certification_Authority","COMODO RSA Certification Authority","2038/01/18 23:59:59"
13:28:08.414 -> "CA","DST_Root_CA_X3","DST Root CA X3","2021/09/30 14:01:15"
13:28:08.414 -> "CA","DigiCert_High_Assurance_EV_Root_CA","DigiCert High Assurance EV Root CA","2031/11/10 00:00:00"
13:28:08.447 -> "CA","Entrust_Root_Certification_Authority","Entrust Root Certification Authority","2026/11/27 20:53:42"
13:28:08.447 -> "CA","Equifax_Secure_Certificate_Authority","","2018/08/22 16:41:51"
13:28:08.447 -> "CA","GeoTrust_Global_CA","GeoTrust Global CA","2022/05/21 04:00:00"
13:28:08.447 -> "CA","GeoTrust_Primary_Certification_Authority_G3","GeoTrust Primary Certification Authority - G3","2037/12/01 23:59:59"
13:28:08.480 -> "CA","GlobalSign_Root_CA","GlobalSign Root CA","2028/01/28 12:00:00"
13:28:08.480 -> "CA","GTS_Root_R1","GTS Root R1","2036/06/22 00:00:00"
13:28:08.480 -> "CA","VeriSign_Class_3_Public_Primary_Certification_Authority_G5","VeriSign Class 3 Public Primary Certification Authority - G5","2036/07/16 23:59:59"
13:28:08.480 -> "CA","Starfield_Services_Root_Certificate_Authority_G2","Starfield Services Root Certificate Authority - G2","2037/12/31 23:59:59"
13:28:08.514 -> "CA","DigiCert High Assurance EV Root CA","DigiCert High Assurance EV Root CA","2031/11/10 00:00:00"
13:28:08.514 ->
13:28:08.514 -> OK


So lets see what happens now with the real code.

Wow, it can now load the cert.  This is good news.  It means the method for loading certs is known.  As expected though the mqtt operation fails though, because this is just the global sign cert in google roots.pem.  Its not the root cert used by mqtt.googleapis.com.  That one is the R2 at the top of the chain of trust.  Let me modify the code to use that one now that I know how to load the certs.

hmm. And it loaded the cert but it failed on mqtt.

Ok. So I also made a combined cert for mqtt.googleapis.com.  This is the cert for the server and its intermediatry server.  The intermediate server is issued by the GlobalSign Root CA - R2.

Nope a combined one fails to load.

Before I delete all the certs in the ublox manually, I'll try to specify name of cert as "GlobalSign Root CA - R2" rather than "JFD".  I figured they would iterate though list and attempt to verify and not pick a particular entry based upon name.  Perhaps they do.  Don't know.

That did not work.  However, the MD5 fingerprint does match the one in the original crt/pem.

From output:
AT+USECMNG=0,0,"GlobalSign Root CA - R2",1374
>
+USECMNG: 0,0,"GlobalSign Root CA - R2","44ED9A0EA4093B00F2AE4CA3C661B08B"

From the pem/crt file I made by cutting from roots.pem via google.

# Operating CA: Google Trust Services LLC
# Issuer: C=US, O=Google Trust Services LLC, CN=GTS Root R2
# Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R2
# Label: "GTS Root R2"                                                                                       <----- perhaps this is the name I should use
# Serial: 6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f
# MD5 Fingerprint: 44:ED:9A:0E:A4:09:3B:00:F2:AE:4C:A3:C6:61:B0:8B         <------------------------ this one
# SHA1 Fingerprint: D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D
# SHA256 Fingerprint: C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60
-----BEGIN CERTIFICATE-----
MIIFWjCCA0KgAwIBAgIQbkepxlqz5yDFMJo/aFLybzANBgkqhkiG9w0BAQwFADBH
<stuff snipped>

Also, if it does lookup by name, perhaps its the label noted above.

Changing the name in the table did not connect to the mqtt.googleapis.com server.  But while looking at the list of certs, I noticed there are two names reported.  One the "alias name" given by the command.  The other proper name with spaces shown in list of certs is indeed the Label name above.  ie. 

"CA","GlobalSign Root CA - R2","GTS Root R2","2036/06/22 00:00:00"

The "GlobalSign Root CA - R2" is the name in the header file.  The "GTS Root R2" corresponds to the label decoded from the CRT/PEM/DER file.  Perhaps the code uses this name to verify the chain of trust or it uses the actual fingerprint.  Don't know.

Anyway, I removed all the existing entries in the ublox.  This shows none are loaded now.

-> AT+USECMNG=3,0
->

Ok. So I skipped ahead.  I emptied all the entries in the ublox above and then entered just the root ca.  It still failed.  Once I added the intermediate cert I could connect to iot core.

So for completeness sake here is the contents of the NBRootCerts.h file.  (Also FWIW, I did not lock the crypto chip as mentioned in the guide.)

--------------
/*
  This file is part of the MKRNB library.
  Copyright (C) 2018 Arduino SA (http://www.arduino.cc/)

  This library is free software; you can redistribute it and/or
  modify it under the terms of the GNU Lesser General Public
  License as published by the Free Software Foundation; either
  version 2.1 of the License, or (at your option) any later version.

  This library is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public
  License along with this library; if not, write to the Free Software
  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
*/

#ifndef _NBROOT_CERTS_H_INCLUDED
#define _NBROOT_CERTS_H_INCLUDED

#include <stddef.h>
#include <stdint.h>

struct NBRootCert {
  const char* name;
  const uint8_t* data;
  const int size;
};

static const NBRootCert NB_ROOT_CERTS[] = {
  {
    "GTS_Root_R2", // This name is an alias.  The label name from the DER file is included in output
    (const uint8_t[]){
        0x30,0x82,0x05,0x5a,0x30,0x82,0x03,0x42,0xa0,0x03,0x02,0x01,0x02,0x02,0x10,0x6e,
        0x47,0xa9,0xc6,0x5a,0xb3,0xe7,0x20,0xc5,0x30,0x9a,0x3f,0x68,0x52,0xf2,0x6f,0x30,
        0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0c,0x05,0x00,0x30,0x47,
        0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x22,0x30,
        0x20,0x06,0x03,0x55,0x04,0x0a,0x13,0x19,0x47,0x6f,0x6f,0x67,0x6c,0x65,0x20,0x54,
        0x72,0x75,0x73,0x74,0x20,0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x20,0x4c,0x4c,
        0x43,0x31,0x14,0x30,0x12,0x06,0x03,0x55,0x04,0x03,0x13,0x0b,0x47,0x54,0x53,0x20,
        0x52,0x6f,0x6f,0x74,0x20,0x52,0x32,0x30,0x1e,0x17,0x0d,0x31,0x36,0x30,0x36,0x32,
        0x32,0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x17,0x0d,0x33,0x36,0x30,0x36,0x32,0x32,
        0x30,0x30,0x30,0x30,0x30,0x30,0x5a,0x30,0x47,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
        0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x22,0x30,0x20,0x06,0x03,0x55,0x04,0x0a,0x13,
        0x19,0x47,0x6f,0x6f,0x67,0x6c,0x65,0x20,0x54,0x72,0x75,0x73,0x74,0x20,0x53,0x65,
        0x72,0x76,0x69,0x63,0x65,0x73,0x20,0x4c,0x4c,0x43,0x31,0x14,0x30,0x12,0x06,0x03,
        0x55,0x04,0x03,0x13,0x0b,0x47,0x54,0x53,0x20,0x52,0x6f,0x6f,0x74,0x20,0x52,0x32,
        0x30,0x82,0x02,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,
        0x01,0x05,0x00,0x03,0x82,0x02,0x0f,0x00,0x30,0x82,0x02,0x0a,0x02,0x82,0x02,0x01,
        0x00,0xce,0xde,0xfd,0xa6,0xfb,0xec,0xec,0x14,0x34,0x3c,0x07,0x06,0x5a,0x6c,0x59,
        0xf7,0x19,0x35,0xdd,0xf7,0xc1,0x9d,0x55,0xaa,0xd3,0xcd,0x3b,0xa4,0x93,0x72,0xef,
        0x0a,0xfa,0x6d,0x9d,0xf6,0xf0,0x85,0x80,0x5b,0xa1,0x48,0x52,0x9f,0x39,0xc5,0xb7,
        0xee,0x28,0xac,0xef,0xcb,0x76,0x68,0x14,0xb9,0xdf,0xad,0x01,0x6c,0x99,0x1f,0xc4,
        0x22,0x1d,0x9f,0xfe,0x72,0x77,0xe0,0x2c,0x5b,0xaf,0xe4,0x04,0xbf,0x4f,0x72,0xa0,
        0x1a,0x34,0x98,0xe8,0x39,0x68,0xec,0x95,0x25,0x7b,0x76,0xa1,0xe6,0x69,0xb9,0x85,
        0x19,0xbd,0x89,0x8c,0xfe,0xad,0xed,0x36,0xea,0x73,0xbc,0xff,0x83,0xe2,0xcb,0x7d,
        0xc1,0xd2,0xce,0x4a,0xb3,0x8d,0x05,0x9e,0x8b,0x49,0x93,0xdf,0xc1,0x5b,0xd0,0x6e,
        0x5e,0xf0,0x2e,0x30,0x2e,0x82,0xfc,0xfa,0xbc,0xb4,0x17,0x0a,0x48,0xe5,0x88,0x9b,
        0xc5,0x9b,0x6b,0xde,0xb0,0xca,0xb4,0x03,0xf0,0xda,0xf4,0x90,0xb8,0x65,0x64,0xf7,
        0x5c,0x4c,0xad,0xe8,0x7e,0x66,0x5e,0x99,0xd7,0xb8,0xc2,0x3e,0xc8,0xd0,0x13,0x9d,
        0xad,0xee,0xe4,0x45,0x7b,0x89,0x55,0xf7,0x8a,0x1f,0x62,0x52,0x84,0x12,0xb3,0xc2,
        0x40,0x97,0xe3,0x8a,0x1f,0x47,0x91,0xa6,0x74,0x5a,0xd2,0xf8,0xb1,0x63,0x28,0x10,
        0xb8,0xb3,0x09,0xb8,0x56,0x77,0x40,0xa2,0x26,0x98,0x79,0xc6,0xfe,0xdf,0x25,0xee,
        0x3e,0xe5,0xa0,0x7f,0xd4,0x61,0x0f,0x51,0x4b,0x3c,0x3f,0x8c,0xda,0xe1,0x70,0x74,
        0xd8,0xc2,0x68,0xa1,0xf9,0xc1,0x0c,0xe9,0xa1,0xe2,0x7f,0xbb,0x55,0x3c,0x76,0x06,
        0xee,0x6a,0x4e,0xcc,0x92,0x88,0x30,0x4d,0x9a,0xbd,0x4f,0x0b,0x48,0x9a,0x84,0xb5,
        0x98,0xa3,0xd5,0xfb,0x73,0xc1,0x57,0x61,0xdd,0x28,0x56,0x75,0x13,0xae,0x87,0x8e,
        0xe7,0x0c,0x51,0x09,0x10,0x75,0x88,0x4c,0xbc,0x8d,0xf9,0x7b,0x3c,0xd4,0x22,0x48,
        0x1f,0x2a,0xdc,0xeb,0x6b,0xbb,0x44,0xb1,0xcb,0x33,0x71,0x32,0x46,0xaf,0xad,0x4a,
        0xf1,0x8c,0xe8,0x74,0x3a,0xac,0xe7,0x1a,0x22,0x73,0x80,0xd2,0x30,0xf7,0x25,0x42,
        0xc7,0x22,0x3b,0x3b,0x12,0xad,0x96,0x2e,0xc6,0xc3,0x76,0x07,0xaa,0x20,0xb7,0x35,
        0x49,0x57,0xe9,0x92,0x49,0xe8,0x76,0x16,0x72,0x31,0x67,0x2b,0x96,0x7e,0x8a,0xa3,
        0xc7,0x94,0x56,0x22,0xbf,0x6a,0x4b,0x7e,0x01,0x21,0xb2,0x23,0x32,0xdf,0xe4,0x9a,
        0x44,0x6d,0x59,0x5b,0x5d,0xf5,0x00,0xa0,0x1c,0x9b,0xc6,0x78,0x97,0x8d,0x90,0xff,
        0x9b,0xc8,0xaa,0xb4,0xaf,0x11,0x51,0x39,0x5e,0xd9,0xfb,0x67,0xad,0xd5,0x5b,0x11,
        0x9d,0x32,0x9a,0x1b,0xbd,0xd5,0xba,0x5b,0xa5,0xc9,0xcb,0x25,0x69,0x53,0x55,0x27,
        0x5c,0xe0,0xca,0x36,0xcb,0x88,0x61,0xfb,0x1e,0xb7,0xd0,0xcb,0xee,0x16,0xfb,0xd3,
        0xa6,0x4c,0xde,0x92,0xa5,0xd4,0xe2,0xdf,0xf5,0x06,0x54,0xde,0x2e,0x9d,0x4b,0xb4,
        0x93,0x30,0xaa,0x81,0xce,0xdd,0x1a,0xdc,0x51,0x73,0x0d,0x4f,0x70,0xe9,0xe5,0xb6,
        0x16,0x21,0x19,0x79,0xb2,0xe6,0x89,0x0b,0x75,0x64,0xca,0xd5,0xab,0xbc,0x09,0xc1,
        0x18,0xa1,0xff,0xd4,0x54,0xa1,0x85,0x3c,0xfd,0x14,0x24,0x03,0xb2,0x87,0xd3,0xa4,
        0xb7,0x02,0x03,0x01,0x00,0x01,0xa3,0x42,0x30,0x40,0x30,0x0e,0x06,0x03,0x55,0x1d,
        0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x06,0x30,0x0f,0x06,0x03,0x55,0x1d,
        0x13,0x01,0x01,0xff,0x04,0x05,0x30,0x03,0x01,0x01,0xff,0x30,0x1d,0x06,0x03,0x55,
        0x1d,0x0e,0x04,0x16,0x04,0x14,0xbb,0xff,0xca,0x8e,0x23,0x9f,0x4f,0x99,0xca,0xdb,
        0xe2,0x68,0xa6,0xa5,0x15,0x27,0x17,0x1e,0xd9,0x0e,0x30,0x0d,0x06,0x09,0x2a,0x86,
        0x48,0x86,0xf7,0x0d,0x01,0x01,0x0c,0x05,0x00,0x03,0x82,0x02,0x01,0x00,0xb6,0x69,
        0xf0,0xa6,0x77,0xfe,0x9e,0xee,0x0b,0x81,0xad,0xe1,0xc0,0xa9,0xc7,0xf9,0x35,0x1d,
        0x40,0x82,0xab,0xe6,0x04,0xb4,0xdf,0xcb,0xf7,0x1d,0x0f,0x83,0xf0,0x7e,0x13,0x4d,
        0x8d,0x8c,0xee,0xe3,0x33,0x22,0xc3,0x39,0xfc,0x40,0xdf,0x6e,0x41,0x4b,0x42,0x53,
        0xbe,0x16,0x88,0xf1,0xd2,0x38,0x5e,0xc4,0x68,0x99,0x1c,0x98,0x52,0x93,0x8c,0xe7,
        0x68,0xed,0x1b,0x6a,0x73,0x7a,0x05,0x40,0x4d,0x7f,0x65,0x3b,0xd6,0x58,0xf1,0xce,
        0x83,0x47,0x60,0xe3,0xff,0x97,0xa9,0x9c,0x60,0x77,0x18,0x55,0xb5,0x7e,0x08,0x93,
        0xcf,0xd0,0xf6,0x3c,0x67,0x03,0x15,0x61,0x09,0xf9,0x81,0x79,0xf5,0xec,0x53,0xa4,
        0x9f,0xc9,0x8f,0x01,0x8b,0x73,0xc4,0x77,0x76,0xdc,0x83,0xa2,0xf5,0x0c,0x49,0x1a,
        0xa8,0x76,0xde,0x92,0x9b,0x64,0xf8,0xb3,0x2c,0xc5,0x27,0xd3,0x07,0xc0,0x08,0x80,
        0xa4,0x98,0x92,0xe3,0x01,0x96,0x02,0xaa,0x02,0xee,0x8f,0x3b,0xc5,0xd1,0x6d,0x0a,
        0x33,0x30,0x73,0x78,0xb9,0x4f,0x54,0x16,0xbf,0x0b,0x07,0xa1,0xa4,0x5c,0xe6,0xcb,
        0xc9,0x5c,0x84,0x8f,0x0f,0xe0,0x15,0x77,0x2c,0x7e,0x26,0x7e,0xda,0xc4,0x4b,0xdb,
        0xa7,0x16,0x77,0x07,0xb0,0xcd,0x75,0xe8,0x72,0x42,0xd6,0x95,0x84,0x9d,0x86,0x83,
        0xf2,0xe4,0x90,0xcd,0x09,0x47,0xd4,0x8b,0x03,0x70,0xda,0x5a,0xc6,0x03,0x42,0xf4,
        0xed,0x37,0xa2,0xf0,0x1b,0x50,0x54,0x4b,0x0e,0xd8,0x84,0xde,0x19,0x28,0x99,0x81,
        0x47,0xae,0x09,0x1b,0x3f,0x48,0xd1,0xc3,0x6f,0xe2,0xb0,0x60,0x17,0xf5,0xee,0x23,
        0x02,0xa5,0xda,0x00,0x5b,0x6d,0x90,0xab,0xee,0xa2,0xe9,0x1b,0x3b,0xe9,0xc7,0x44,
        0x27,0x45,0x8e,0x6b,0x9f,0xf5,0xa4,0x84,0xbc,0x77,0xf9,0x6b,0x97,0xac,0x3e,0x51,
        0x45,0xa2,0x11,0xa6,0xcc,0x85,0xee,0x0a,0x68,0xf2,0x3e,0x50,0x38,0x7a,0x24,0x62,
        0x1e,0x17,0x20,0x37,0x6d,0x6a,0x4d,0xb7,0x09,0x9b,0xc9,0xfc,0xa4,0x58,0xf5,0xb6,
        0xfb,0x9c,0x4e,0x18,0xbb,0x95,0x02,0xe7,0xa1,0xad,0x9b,0x07,0xee,0x36,0x6b,0x24,
        0xd2,0x39,0x86,0xc1,0x93,0x83,0x50,0xd2,0x81,0x46,0xa8,0x5f,0x62,0x57,0x2c,0xbb,
        0x6c,0x64,0x88,0x08,0x6e,0xef,0x13,0x54,0x5f,0xdd,0x2d,0xc4,0x67,0x63,0xd3,0xcf,
        0x89,0x37,0xbf,0x9d,0x20,0xf4,0xfb,0x7a,0x83,0x9b,0xa0,0x1e,0x81,0x00,0x50,0xc2,
        0xe4,0x0c,0x22,0x59,0x52,0x10,0xed,0x43,0x56,0x87,0x00,0xf8,0x14,0x52,0xa7,0x1d,
        0x8b,0x93,0x8c,0xa2,0x4d,0x46,0x7f,0x27,0xc6,0x71,0x9b,0x24,0xde,0xe4,0xda,0x86,
        0x8b,0x0d,0x7e,0x6b,0x20,0xc1,0xc0,0x9e,0xe1,0x65,0xd8,0x6a,0xa3,0xa6,0xe8,0x85,
        0x8b,0x3a,0x07,0x08,0x1c,0xba,0xf5,0x8f,0x55,0x9a,0x18,0x75,0x7e,0xe5,0xec,0x81,
        0x66,0xd1,0x21,0x73,0xa1,0x35,0x44,0x0b,0x80,0x3d,0x5b,0x9c,0x5e,0x6f,0x2a,0x17,
        0x96,0xd1,0x83,0x23,0x88,0x66,0x6d,0xe6,0x86,0xe2,0x70,0x32,0x2f,0x52,0x22,0xe7,
        0xc8,0xe7,0x7f,0xc4,0x2c,0x60,0x5d,0x2f,0xc3,0xaf,0x9e,0x45,0x05,0xc3,0x84,0x02,
        0xb7,0xfd,0x2c,0x08,0x52,0x4f,0x82,0xdd,0xa3,0xf0,0xd4,0x86,0x09,0x02
    },
    1374
  },
  {
    "GTS_CA_101",
    (const uint8_t[]){
        0x30,0x82,0x04,0x4a,0x30,0x82,0x03,0x32,0xa0,0x03,0x02,0x01,0x02,0x02,0x0d,0x01,
        0xe3,0xb4,0x9a,0xa1,0x8d,0x8a,0xa9,0x81,0x25,0x69,0x50,0xb8,0x30,0x0d,0x06,0x09,
        0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,0x4c,0x31,0x20,0x30,
        0x1e,0x06,0x03,0x55,0x04,0x0b,0x13,0x17,0x47,0x6c,0x6f,0x62,0x61,0x6c,0x53,0x69,
        0x67,0x6e,0x20,0x52,0x6f,0x6f,0x74,0x20,0x43,0x41,0x20,0x2d,0x20,0x52,0x32,0x31,
        0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x47,0x6c,0x6f,0x62,0x61,0x6c,
        0x53,0x69,0x67,0x6e,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x03,0x13,0x0a,0x47,
        0x6c,0x6f,0x62,0x61,0x6c,0x53,0x69,0x67,0x6e,0x30,0x1e,0x17,0x0d,0x31,0x37,0x30,
        0x36,0x31,0x35,0x30,0x30,0x30,0x30,0x34,0x32,0x5a,0x17,0x0d,0x32,0x31,0x31,0x32,
        0x31,0x35,0x30,0x30,0x30,0x30,0x34,0x32,0x5a,0x30,0x42,0x31,0x0b,0x30,0x09,0x06,
        0x03,0x55,0x04,0x06,0x13,0x02,0x55,0x53,0x31,0x1e,0x30,0x1c,0x06,0x03,0x55,0x04,
        0x0a,0x13,0x15,0x47,0x6f,0x6f,0x67,0x6c,0x65,0x20,0x54,0x72,0x75,0x73,0x74,0x20,
        0x53,0x65,0x72,0x76,0x69,0x63,0x65,0x73,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,
        0x03,0x13,0x0a,0x47,0x54,0x53,0x20,0x43,0x41,0x20,0x31,0x4f,0x31,0x30,0x82,0x01,
        0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00,
        0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,0x01,0x01,0x00,0xd0,0x18,
        0xcf,0x45,0xd4,0x8b,0xcd,0xd3,0x9c,0xe4,0x40,0xef,0x7e,0xb4,0xdd,0x69,0x21,0x1b,
        0xc9,0xcf,0x3c,0x8e,0x4c,0x75,0xb9,0x0f,0x31,0x19,0x84,0x3d,0x9e,0x3c,0x29,0xef,
        0x50,0x0d,0x10,0x93,0x6f,0x05,0x80,0x80,0x9f,0x2a,0xa0,0xbd,0x12,0x4b,0x02,0xe1,
        0x3d,0x9f,0x58,0x16,0x24,0xfe,0x30,0x9f,0x0b,0x74,0x77,0x55,0x93,0x1d,0x4b,0xf7,
        0x4d,0xe1,0x92,0x82,0x10,0xf6,0x51,0xac,0x0c,0xc3,0xb2,0x22,0x94,0x0f,0x34,0x6b,
        0x98,0x10,0x49,0xe7,0x0b,0x9d,0x83,0x39,0xdd,0x20,0xc6,0x1c,0x2d,0xef,0xd1,0x18,
        0x61,0x65,0xe7,0x23,0x83,0x20,0xa8,0x23,0x12,0xff,0xd2,0x24,0x7f,0xd4,0x2f,0xe7,
        0x44,0x6a,0x5b,0x4d,0xd7,0x50,0x66,0xb0,0xaf,0x9e,0x42,0x63,0x05,0xfb,0xe0,0x1c,
        0xc4,0x63,0x61,0xaf,0x9f,0x6a,0x33,0xff,0x62,0x97,0xbd,0x48,0xd9,0xd3,0x7c,0x14,
        0x67,0xdc,0x75,0xdc,0x2e,0x69,0xe8,0xf8,0x6d,0x78,0x69,0xd0,0xb7,0x10,0x05,0xb8,
        0xf1,0x31,0xc2,0x3b,0x24,0xfd,0x1a,0x33,0x74,0xf8,0x23,0xe0,0xec,0x6b,0x19,0x8a,
        0x16,0xc6,0xe3,0xcd,0xa4,0xcd,0x0b,0xdb,0xb3,0xa4,0x59,0x60,0x38,0x88,0x3b,0xad,
        0x1d,0xb9,0xc6,0x8c,0xa7,0x53,0x1b,0xfc,0xbc,0xd9,0xa4,0xab,0xbc,0xdd,0x3c,0x61,
        0xd7,0x93,0x15,0x98,0xee,0x81,0xbd,0x8f,0xe2,0x64,0x47,0x20,0x40,0x06,0x4e,0xd7,
        0xac,0x97,0xe8,0xb9,0xc0,0x59,0x12,0xa1,0x49,0x25,0x23,0xe4,0xed,0x70,0x34,0x2c,
        0xa5,0xb4,0x63,0x7c,0xf9,0xa3,0x3d,0x83,0xd1,0xcd,0x6d,0x24,0xac,0x07,0x02,0x03,
        0x01,0x00,0x01,0xa3,0x82,0x01,0x33,0x30,0x82,0x01,0x2f,0x30,0x0e,0x06,0x03,0x55,
        0x1d,0x0f,0x01,0x01,0xff,0x04,0x04,0x03,0x02,0x01,0x86,0x30,0x1d,0x06,0x03,0x55,
        0x1d,0x25,0x04,0x16,0x30,0x14,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x01,
        0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x03,0x02,0x30,0x12,0x06,0x03,0x55,0x1d,
        0x13,0x01,0x01,0xff,0x04,0x08,0x30,0x06,0x01,0x01,0xff,0x02,0x01,0x00,0x30,0x1d,
        0x06,0x03,0x55,0x1d,0x0e,0x04,0x16,0x04,0x14,0x98,0xd1,0xf8,0x6e,0x10,0xeb,0xcf,
        0x9b,0xec,0x60,0x9f,0x18,0x90,0x1b,0xa0,0xeb,0x7d,0x09,0xfd,0x2b,0x30,0x1f,0x06,
        0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x9b,0xe2,0x07,0x57,0x67,0x1c,
        0x1e,0xc0,0x6a,0x06,0xde,0x59,0xb4,0x9a,0x2d,0xdf,0xdc,0x19,0x86,0x2e,0x30,0x35,
        0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x01,0x01,0x04,0x29,0x30,0x27,0x30,0x25,
        0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01,0x86,0x19,0x68,0x74,0x74,0x70,
        0x3a,0x2f,0x2f,0x6f,0x63,0x73,0x70,0x2e,0x70,0x6b,0x69,0x2e,0x67,0x6f,0x6f,0x67,
        0x2f,0x67,0x73,0x72,0x32,0x30,0x32,0x06,0x03,0x55,0x1d,0x1f,0x04,0x2b,0x30,0x29,
        0x30,0x27,0xa0,0x25,0xa0,0x23,0x86,0x21,0x68,0x74,0x74,0x70,0x3a,0x2f,0x2f,0x63,
        0x72,0x6c,0x2e,0x70,0x6b,0x69,0x2e,0x67,0x6f,0x6f,0x67,0x2f,0x67,0x73,0x72,0x32,
        0x2f,0x67,0x73,0x72,0x32,0x2e,0x63,0x72,0x6c,0x30,0x3f,0x06,0x03,0x55,0x1d,0x20,
        0x04,0x38,0x30,0x36,0x30,0x34,0x06,0x06,0x67,0x81,0x0c,0x01,0x02,0x02,0x30,0x2a,
        0x30,0x28,0x06,0x08,0x2b,0x06,0x01,0x05,0x05,0x07,0x02,0x01,0x16,0x1c,0x68,0x74,
        0x74,0x70,0x73,0x3a,0x2f,0x2f,0x70,0x6b,0x69,0x2e,0x67,0x6f,0x6f,0x67,0x2f,0x72,
        0x65,0x70,0x6f,0x73,0x69,0x74,0x6f,0x72,0x79,0x2f,0x30,0x0d,0x06,0x09,0x2a,0x86,
        0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,0x00,0x1a,0x80,
        0x3e,0x36,0x79,0xfb,0xf3,0x2e,0xa9,0x46,0x37,0x7d,0x5e,0x54,0x16,0x35,0xae,0xc7,
        0x4e,0x08,0x99,0xfe,0xbd,0xd1,0x34,0x69,0x26,0x52,0x66,0x07,0x3d,0x0a,0xba,0x49,
        0xcb,0x62,0xf4,0xf1,0x1a,0x8e,0xfc,0x11,0x4f,0x68,0x96,0x4c,0x74,0x2b,0xd3,0x67,
        0xde,0xb2,0xa3,0xaa,0x05,0x8d,0x84,0x4d,0x4c,0x20,0x65,0x0f,0xa5,0x96,0xda,0x0d,
        0x16,0xf8,0x6c,0x3b,0xdb,0x6f,0x04,0x23,0x88,0x6b,0x3a,0x6c,0xc1,0x60,0xbd,0x68,
        0x9f,0x71,0x8e,0xee,0x2d,0x58,0x34,0x07,0xf0,0xd5,0x54,0xe9,0x86,0x59,0xfd,0x7b,
        0x5e,0x0d,0x21,0x94,0xf5,0x8c,0xc9,0xa8,0xf8,0xd8,0xf2,0xad,0xcc,0x0f,0x1a,0xf3,
        0x9a,0xa7,0xa9,0x04,0x27,0xf9,0xa3,0xc9,0xb0,0xff,0x02,0x78,0x6b,0x61,0xba,0xc7,
        0x35,0x2b,0xe8,0x56,0xfa,0x4f,0xc3,0x1c,0x0c,0xed,0xb6,0x3c,0xb4,0x4b,0xea,0xed,
        0xcc,0xe1,0x3c,0xec,0xdc,0x0d,0x8c,0xd6,0x3e,0x9b,0xca,0x42,0x58,0x8b,0xcc,0x16,
        0x21,0x17,0x40,0xbc,0xa2,0xd6,0x66,0xef,0xda,0xc4,0x15,0x5b,0xcd,0x89,0xaa,0x9b,
        0x09,0x26,0xe7,0x32,0xd2,0x0d,0x6e,0x67,0x20,0x02,0x5b,0x10,0xb0,0x90,0x09,0x9c,
        0x0c,0x1f,0x9e,0xad,0xd8,0x3b,0xea,0xa1,0xfc,0x6c,0xe8,0x10,0x5c,0x08,0x52,0x19,
        0x51,0x2a,0x71,0xbb,0xac,0x7a,0xb5,0xdd,0x15,0xed,0x2b,0xc9,0x08,0x2a,0x2c,0x8a,
        0xb4,0xa6,0x21,0xab,0x63,0xff,0xd7,0x52,0x49,0x50,0xd0,0x89,0xb7,0xad,0xf2,0xaf,
        0xfb,0x50,0xae,0x2f,0xe1,0x95,0x0d,0xf3,0x46,0xad,0x9d,0x9c,0xf5,0xca
    },
    1102
  }
};

#define NB_NUM_ROOT_CERTS (sizeof(NB_ROOT_CERTS) / sizeof(NB_ROOT_CERTS[0]))

#endif

Reply all
Reply to author
Forward
0 new messages