MQTT device provisioning fails with certificate error during TLS handshake on secure connections

We’re experiencing certificate validation failures when provisioning devices through MQTT integration with TLS enabled. Devices connect successfully over non-secure MQTT, but when we enable TLS for production deployment, the MQTT TLS handshake fails during device provisioning.

The error occurs specifically during the initial connection when the device attempts to provision itself:


MQTT Connection Failed: TLS handshake error
Certificate verification failed: unable to get local issuer certificate
Connection attempt to ssl://messaging.internetofthings.ibmcloud.com:8883

We’re using custom CA certificates for our device fleet rather than the default Watson IoT certificates. The CA cert has been imported to the platform, but devices still can’t complete the handshake. Has anyone successfully configured custom CA certificate chains for MQTT provisioning with TLS?

Check if you uploaded the CA certificate to the correct organization in Watson IoT. The platform is multi-tenant and CA certs are organization-scoped. Also verify the certificate format - it needs to be PEM encoded with proper BEGIN/END markers. I’ve seen issues where certificates exported in DER format cause handshake failures even though they appear valid.

I’ve verified the certificate chain is complete and the CA is uploaded to the correct organization. The device certificates are definitely signed by our custom CA. Could this be related to certificate trust store configuration on the Watson IoT side? Do I need to explicitly enable custom CA validation somewhere in the MQTT connection settings?

The certificate error during MQTT device provisioning with TLS involves three critical configuration areas that must all be properly set up:

MQTT TLS Handshake Configuration: The TLS handshake failure indicates a certificate chain validation issue during the initial MQTT connection. Watson IoT v25 requires complete certificate chain validation for secure MQTT connections. The error ‘unable to get local issuer certificate’ specifically means the platform cannot verify your device certificate back to a trusted root CA.

First, verify your connection string uses the correct secure port and protocol:


mqtts://orgId.messaging.internetofthings.ibmcloud.com:8883

Note the ‘mqtts’ protocol prefix - using ‘ssl’ in your connection string (as shown in your error) can cause handshake issues with certain MQTT client libraries.

Custom CA Certificate Import: Importing the CA certificate to Watson IoT requires more than just uploading the file. Follow this complete process:

  1. Ensure your CA certificate is in PEM format with proper encoding:

     -----BEGIN CERTIFICATE-----
     [Base64 encoded certificate data]
     -----END CERTIFICATE-----

  2. Upload the complete certificate chain, not just the root CA. If your CA structure is: Root CA > Intermediate CA > Device Cert, you must upload both Root and Intermediate certificates to Watson IoT.

  3. After upload, enable the CA for MQTT connections: Navigate to Security > Certificate Authorities > [Your CA] > Protocols and explicitly enable ‘MQTT’ in the allowed protocols list. By default, uploaded CAs are not enabled for any protocols.

  4. Set the CA trust level to ‘Device Authentication’ rather than just ‘TLS Connection’ - this ensures the platform validates device certificates during provisioning, not just during data transmission.

Device Trust Store Update: Your devices need properly configured trust stores to complete the TLS handshake. The trust store must contain:

  1. Watson IoT’s server certificate chain (for verifying the platform during handshake)
  2. Your custom CA certificate (for the platform to verify back to your devices)
  3. Any intermediate certificates in your CA chain

Update device trust stores with this certificate bundle structure:


# Combined trust store (PEM format)
# Watson IoT Server Cert Chain
-----BEGIN CERTIFICATE-----
[Watson IoT Server Cert]
-----END CERTIFICATE-----
# Your Custom CA Root
-----BEGIN CERTIFICATE-----
[Your CA Root Cert]
-----END CERTIFICATE-----
# Your CA Intermediate (if applicable)
-----BEGIN CERTIFICATE-----
[Your CA Intermediate Cert]
-----END CERTIFICATE-----

Additionally, verify your MQTT client configuration specifies the trust store location and enables certificate verification:

  • Set TLS version to 1.2 minimum (Watson IoT rejects TLS 1.0/1.1)
  • Enable certificate hostname verification
  • Provide client certificate + private key for mutual TLS authentication

After configuring all three areas, test the connection with verbose logging enabled on your MQTT client to see exactly where in the handshake process validation occurs. The combination of proper CA upload, protocol enablement, and complete device trust store configuration should resolve the certificate verification failures during MQTT provisioning.
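Added example, not code from this thread, from IBM, or from any Watson IoT client library: a POSIX shell script that reproduces the exact failure string with a throwaway Root CA > Intermediate CA > Device certificate chain, so you can see what a complete versus incomplete trust bundle looks like before touching the real fleet. "unable to get local issuer certificate" is OpenSSL's verifier wording on whichever side is checking a peer certificate; in the log quoted in the question it is the device's client library that reports it, so the device trust store is the first thing to check. The script builds the chain with the openssl CLI, then runs `openssl verify` once with a bundle holding only the root (fails with that message) and once with root plus intermediate (verifies). All file names, the subject names, the `d:exampleorg:sensor:0001` CN pattern and the `WORK` directory are assumptions for the demo; nothing here contacts the broker.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway Root CA > Intermediate CA > Device
# chain with the openssl CLI and show that verifying the leaf against a trust bundle that
# lacks the intermediate reproduces "unable to get local issuer certificate", while a bundle
# carrying Root + Intermediate verifies. Names, paths and the CN pattern are assumptions for
# the demo only; nothing here connects to Watson IoT.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/path

# sign_csr <csr> <ca-cert> <ca-key> <extfile> <out>: issue a cert from a CSR under the given CA.
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$1" -CA "$2" -CAkey "$3" \
    -CAcreateserial -extfile "$4" -out "$5" 2>/dev/null
}

make_chain() {
  # Root CA: CSR self-signed with -signkey. -nodes leaves keys unencrypted (throwaway demo only).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Fleet Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA: signed by the root, CA:TRUE with pathlen:0 so it can only issue leaves.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Fleet Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  sign_csr "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.ext" "$WORK/int.pem"

  # Device (leaf) cert signed by the intermediate; clientAuth because the device is a TLS client.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=d:exampleorg:sensor:0001" \
    -keyout "$WORK/device.key" -out "$WORK/device.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
    > "$WORK/dev.ext"
  sign_csr "$WORK/device.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/dev.ext" "$WORK/device.pem"

  # Two candidate trust bundles: root only (incomplete) and root + intermediate (complete).
  cat "$WORK/root.pem" > "$WORK/bundle-root-only.pem"
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/bundle-full.pem"
}

# verify_leaf <bundle>: exit 0 only if device.pem chains to a trust anchor in <bundle>.
verify_leaf() {
  openssl verify -CAfile "$1" "$WORK/device.pem" >/dev/null 2>&1
}

# verify_message <bundle>: the verifier's own wording on one line, for comparison with client logs.
verify_message() {
  openssl verify -CAfile "$1" "$WORK/device.pem" 2>&1 | tr '\n' ' '
}

# show_issuers: print who issued each cert, which is the first thing to confirm on a device.
show_issuers() {
  for f in root int device; do
    printf '%s: ' "$f"
    openssl x509 -in "$WORK/$f.pem" -noout -issuer
  done
}

if [ "${1:-}" = "demo" ]; then
  make_chain
  show_issuers
  echo "root only: $(verify_message "$WORK/bundle-root-only.pem")"
  echo "root+int:  $(verify_message "$WORK/bundle-full.pem")"
fi
```

Run it as `sh chain-demo.sh demo`. The "root only" line shows the lookup failing at depth 0 with the same "unable to get local issuer certificate" text from the question, and the "root+int" line shows OK; whichever bundle your devices ship is the one to check. Once the bundle verifies locally, test the real handshake with the standard client, substituting your organization for `orgId` as in the connection string above: `openssl s_client -connect orgId.messaging.internetofthings.ibmcloud.com:8883 -servername orgId.messaging.internetofthings.ibmcloud.com -CAfile bundle-full.pem -cert device.pem -key device.key`. Its "Verify return code" line tells you whether the server chain verifies against the bundle, independent of any MQTT library.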