I’m having issues registering IoT devices via MQTT when using our company’s custom CA certificates. The device onboarding process fails during SSL handshake with a certificate validation error.
We’re running Oracle IoT Cloud Platform 22.x and trying to establish mutual TLS (mTLS) connections for enhanced security. Our devices have certificates signed by our internal CA, and I’ve imported the custom CA certificate chain into the platform.
Error from device logs:
SSL handshake failed: certificate verify failed
MQTT connection refused (5)
Device registration blocked - trust chain invalid
The device registry trust configuration seems correct in the console, but devices still can’t establish secure connections. Has anyone successfully configured custom CA certificates for MQTT device registration with mTLS? What am I missing in the trust chain setup?
I’ve seen this before. The issue is usually with the certificate chain order or missing intermediate certificates. When you imported your custom CA, did you include all intermediate CAs in the chain? Oracle IoT requires the complete trust path from device cert to root CA.
The trust configuration happens at the device model level in the registry. Navigate to Devices > Device Models > Security Policies. You need to explicitly enable custom CA trust there. Also check that your MQTT endpoint configuration has mTLS enabled, not just standard TLS. The error code 5 suggests the broker is rejecting the client cert during the handshake phase, which points to trust store configuration rather than the device certificate itself.
Adding to what others said - the certificate format matters too. Oracle IoT expects PEM format with proper BEGIN/END markers. I’ve seen issues where certificates exported from Windows systems had extra carriage returns that broke parsing. Also verify the certificate’s Key Usage extensions include ‘Digital Signature’ and ‘Key Encipherment’ for client authentication.
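As an added example (not from this thread, and not Oracle's tooling or documentation), the script below uses the openssl CLI (1.1.1 or later assumed) to build a constructed three-tier chain and run the checks the replies above describe: whether the device certificate verifies with and without the intermediate, the order of the bundle to import versus the chain the device presents, stripping carriage returns from a Windows-style export, and confirming the Key Usage bits. The CA and device names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build root -> intermediate -> device
# with openssl and run the chain, line-ending and Key Usage checks.
# "Example Corp" and "sensor-0001" are constructed names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certs need CA:TRUE + keyCertSign; a device cert used
# for mTLS client auth needs digitalSignature + keyEncipherment and clientAuth.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[device]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Root CA (self-signed), intermediate signed by root, device signed by intermediate.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config ext.cnf \
  -extensions ca -subj "/CN=Example Corp Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
  -subj "/CN=Example Corp Device Issuing CA" -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ext.cnf -extensions ca -out intermediate.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
  -subj "/CN=sensor-0001" -keyout device.key -out device.csr 2>/dev/null
openssl x509 -req -in device.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -days 365 -sha256 -extfile ext.cnf -extensions device -out device.pem 2>/dev/null

# Bundle to import into the platform: intermediate(s) first, then the root.
cat intermediate.pem root.pem > ca-chain.pem
# Chain the device presents in the handshake: its own cert first, then the intermediate.
cat device.pem intermediate.pem > device-fullchain.pem

chain_status() {
  # $1 = trusted bundle, $2 = optional file of untrusted intermediates.
  # Prints "valid" when a path from device.pem to a trusted root can be built.
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" device.pem >/dev/null 2>&1 && echo valid || echo invalid
  else
    openssl verify -CAfile "$1" device.pem >/dev/null 2>&1 && echo valid || echo invalid
  fi
}

count_cr() { tr -cd '\r' < "$1" | wc -c | tr -d ' '; }   # number of carriage returns in a file

normalize_pem() {
  # Drop CRs and anything outside the BEGIN/END markers; $1 = input, $2 = output.
  tr -d '\r' < "$1" | sed -n '/^-----BEGIN /,/^-----END /p' > "$2"
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

has_client_auth_usage() {
  # "yes" when the Key Usage line lists both Digital Signature and Key Encipherment.
  ku=$(openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) echo yes ;;
    *) echo no ;;
  esac
}

# Simulate a Windows export (CRLF line endings) and clean it up.
awk '{ printf "%s\r\n", $0 }' device.pem > device-windows.pem
normalize_pem device-windows.pem device-clean.pem

echo "root only, no intermediate : $(chain_status root.pem)"
echo "root + intermediate        : $(chain_status root.pem intermediate.pem)"
echo "imported ca-chain.pem      : $(chain_status ca-chain.pem)"
echo "CRs in Windows export      : $(count_cr device-windows.pem), after cleanup: $(count_cr device-clean.pem)"
echo "device cert Key Usage ok   : $(has_client_auth_usage device.pem)"
echo "intermediate Key Usage ok  : $(has_client_auth_usage intermediate.pem)"
```

The first verify, with only the root as trust anchor, fails with "unable to get local issuer certificate", which is the same symptom as an imported bundle that lacks the intermediate. The normalizer only checks the PEM's form (no CRs, nothing outside the markers) and the fingerprint comparison confirms the cleaned file still parses to the same certificate; whether the platform's own parser tolerates CRLF is not something openssl can tell you.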