eclipse / paho.mqtt.embedded-c

Paho MQTT C client library for embedded systems. Paho is an Eclipse IoT project (https://iot.eclipse.org/)
https://eclipse.org/paho

CA file format for TLS - .der or .pem? #144

Closed chainhead closed 7 months ago

chainhead commented 5 years ago

I am trying to connect to Watson IoT platform via MQTT TLS. There is no client side authentication. The board requires that the certificates be flashed in .der format. The connection keeps failing with an error code corresponding to 'Bad CA file'. As part of investigation, I looked into the output of openssl s_client connect. It seems the connection goes fine with .pem format but not with .der format.

What certificate should be used on the board?

Download certificates

echo | openssl s_client -connect {orgId}.messaging.internetofthings.ibmcloud.com:8883 -showcerts 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > orgId.messaging.internetofthings.ibmcloud.com.pem

Convert format

openssl x509 -inform pem -in orgId.messaging.internetofthings.ibmcloud.com.pem -outform der -out ca.der

openssl with .pem file


openssl s_client -connect orgId.messaging.internetofthings.ibmcloud.com:8883 -CAfile orgId.messaging.internetofthings.ibmcloud.com.pem
     CONNECTED(00000003)
     depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
     verify return:1
     depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
     verify return:1
     depth=0 C = GB, L = Winchester, O = International Business Machines Corp., OU = Watson IoT, CN = *.messaging.internetofthings.ibmcloud.com
     verify return:1
     ---
     Certificate chain
      0 s:/C=GB/L=Winchester/O=International Business Machines Corp./OU=Watson IoT/CN=*.messaging.internetofthings.ibmcloud.com
        i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
      1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
        i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
      2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
        i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
     ---
     Server certificate
     subject=/C=GB/L=Winchester/O=International Business Machines Corp./OU=Watson IoT/CN=*.messaging.internetofthings.ibmcloud.com
     issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
     ---
     No client certificate CA names sent
     ---
     SSL handshake has read 4214 bytes and written 421 bytes
     ---
     New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
     Server public key is 2048 bit
     Secure Renegotiation IS supported
     Compression: NONE
     Expansion: NONE
     SSL-Session:
         Protocol  : TLSv1.2
         Cipher    : ECDHE-RSA-AES256-GCM-SHA384
         Session-ID: 6D29ED3626579D48A69326228387A48901E405C893FEE7FD241D45D6AF954DF4
         Session-ID-ctx: 
         Master-Key: CD1D2FCA9819A21365B7C05E197C6A4EB00383C8C81200A67E918A92E5C614BACB030FEDBC68DF3863D873F0C013076E
         Key-Arg   : None
         PSK identity: None
         PSK identity hint: None
         SRP username: None
         TLS session ticket lifetime hint: 300 (seconds)
         TLS session ticket:

         Start Time: 1531983360
         Timeout   : 300 (sec)
         Verify return code: 0 (ok)
     ---

openssl with .der file

openssl s_client -connect orgId.messaging.internetofthings.ibmcloud.com:8883 -CAfile ca.der
 CONNECTED(00000003)
 depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
 verify error:num=19:self signed certificate in certificate chain
 verify return:0
 ---
 Certificate chain
  0 s:/C=GB/L=Winchester/O=International Business Machines Corp./OU=Watson IoT/CN=*.messaging.internetofthings.ibmcloud.com
    i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
  1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 ---
 Server certificate
 subject=/C=GB/L=Winchester/O=International Business Machines Corp./OU=Watson IoT/CN=*.messaging.internetofthings.ibmcloud.com
 issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
 ---
 No client certificate CA names sent
 ---
 SSL handshake has read 4214 bytes and written 421 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: NONE
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: 2D805074BF82B1293D0DA2CD22824D1891EF7D00DAF460F1338465A7F78AA7DC
     Session-ID-ctx: 
     Master-Key: 11353A957EBC036430680C9D9D20851CBC36969EE895BD4F675F0926B108B302AC455E44C424B59CBC22B481840247A2
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     TLS session ticket lifetime hint: 300 (seconds)
     TLS session ticket:

     Start Time: 1531983434
     Timeout   : 300 (sec)
     Verify return code: 19 (self signed certificate in certificate chain)
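Added example (not from the issue or from paho.mqtt.embedded-c): a standard-library Python helper that tells a PEM CA file from a DER one by looking for a PEM block or a well-formed outer DER SEQUENCE, flags a truncated DER image, and converts DER to PEM so a PEM-only reader such as OpenSSL's -CAfile actually loads a trust anchor instead of failing at the self-signed root with verify error 19 as above. The DER bytes used in its checks are constructed, not a real certificate, and the helper checks only the outer container, not the X.509 contents.

```python
"""Tell a PEM CA file from a DER one; convert DER to PEM for PEM-only readers.
Added example for this issue, not code from paho.mqtt.embedded-c; stdlib only.
Handles one certificate per DER file; a multi-cert PEM bundle passes through."""

import re
import ssl
from typing import Optional

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def der_outer_length(data: bytes) -> Optional[int]:
    """Total length of the outer DER SEQUENCE (tag 0x30), or None if the bytes
    do not start with one.  An X.509 certificate is always a SEQUENCE; PEM text
    starts with '-' (0x2d), so the first byte is a reliable discriminator."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                 # short form: this byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify(data: bytes) -> str:
    """Return 'pem', 'der', 'truncated-der' or 'unknown'.  A DER whose declared
    length exceeds the file is a truncated flash image, another 'bad CA file'."""
    if PEM_BLOCK.search(data):
        return "pem"
    total = der_outer_length(data)
    if total is None:
        return "unknown"
    return "der" if total == len(data) else "truncated-der"


def to_pem(data: bytes) -> str:
    """PEM text for either input form.  A PEM-only reader such as OpenSSL's
    -CAfile, handed raw DER, finds no PEM block and loads no trust anchor from
    it, so the chain fails at the self-signed root with verify error 19 (the
    symptom above); converting first makes the anchor visible to it."""
    kind = classify(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind != "der":
        raise ValueError(f"not a usable CA file: {kind}")
    return ssl.DER_cert_to_PEM_cert(data)


def to_der(pem_text: str) -> bytes:
    """Inverse of to_pem for one certificate (the form the board is flashed with)."""
    return ssl.PEM_cert_to_DER_cert(pem_text)
```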

icraggs commented 7 months ago

This is a question not directly the responsibility of this library.