Problem with certificate-based authentication

Hello everyone,

I’m new to golioth and have a problem with certificate-based authentication. I have followed the instructions

and set up the certificates. I also uploaded the golioth.crt.pem to golioth. If I now try to connect with e.g. the java cf-client, there is a problem in the DTLS handshake. I recorded the connection setup once with Wireshark.

What am I doing wrong? can anyone help me

Thank you in advance

Hi @Soeren, this looks like your cf-client is having trouble validating the Golioth server certificate (see Alert should be BAD_CERTIFICATE instead of DECRYPT_ERROR when certificate chain can't be validated · Issue #2132 · eclipse-californium/californium · GitHub for discussion on Decrypt Error being used when certificate chain cannot be validated). Are you able to share how you are configuring your client’s trust store?

Hi @hasheddan,

thank you very much for your quick answer! After creating the certificates, I converted the certificate as a .p12 and imported it into the keytore.

openssl pkcs12 -export -in projectid-deviceid.crt.pem -inkey projectid-deviceid.key.pem -name golioth -out goliothClient.p12

keytool -v -importkeystore -srckeystore goliothClient.p12 -srcstoretype PKCS12 -destkeystore /etc/ssl/certs/java/cacerts -deststoretype JKS

In connection I have the Cf-Client with the parameter

-c /etc/ssl/certs/java/cacerts#hashedpw#hashedpw#golioth


I hope it is described understandably

@Soeren that looks good from the client certs perspective (i.e. keystore), but I believe the issue you are facing is that the client (cf-client) is unable to validate the certificate supplied by the server (golioth). You should be able to configure this using the -t, --trusts=<trusted> flag or, alternatively if you are just testing, --trust-all. (options found in