Security policy blocks device registration due to certificate mismatch in IoT Core

Device registration requests are rejected by the security policy after we updated our certificate validation rules. New devices can’t be onboarded and production is blocked.

We recently updated our IoT Core security policy to enforce stricter X.509 certificate validation. The goal was to prevent devices with expired or self-signed certificates from registering. However, now even devices with valid certificates from our trusted CA are being rejected:


Error: Certificate validation failed
device_id: sensor-warehouse-451
ca_fingerprint: A3:4F:...:D2
reason: certificate chain validation error

Our trusted CA configuration hasn’t changed, and these same certificates were working fine before the policy update. The certificates are valid, not expired, and properly signed by our internal CA. We’re stuck - can’t onboard new devices and can’t roll back the policy because it fixed other security issues. Need help understanding what certificate validation changed and how to fix the CA configuration.

Your security policy update exposed an incomplete certificate configuration. Here’s the systematic fix for all three focus areas:

X.509 Certificate Validation Requirements: The updated security policy now enforces RFC 5280 certificate chain validation, which is stricter than the previous validation. Every certificate in the chain must meet these requirements:

  1. Valid signature from the issuing CA
  2. Not expired and within validity period
  3. Correct key usage extensions
  4. No revoked certificates (if CRL/OCSP is configured)
  5. Subject matches expected pattern

Your error indicates the chain validation is failing. Verify your device certificates with:


openssl verify -CAfile ca-chain.pem device-cert.pem

If this fails locally, it will fail in IoT Core. The most common issue is that device certificates were signed by an intermediate CA, but only the root CA was uploaded to IoT Core.

Trusted CA Configuration: You need to upload the complete CA certificate chain to your IoT Core registry. Here’s the correct procedure:

  1. Export your complete CA chain:

# Concatenate root and intermediate CAs
cat intermediate-ca.pem root-ca.pem > ca-chain.pem

  2. Add the complete chain to IoT Core:

gcloud iot registries credentials create \
  --registry=REGISTRY_NAME \
  --region=REGION \
  --path=ca-chain.pem

  3. Verify the upload:

gcloud iot registries describe REGISTRY_NAME --region=REGION

Look for multiple credentials entries - you should see both root and intermediate CAs listed with their fingerprints.

Policy Update Process: Your security policy update should have included these steps:

  1. Test in a non-production registry first
  2. Upload all required CA certificates before enabling strict validation
  3. Verify existing devices can still connect
  4. Then enable the new policy

To fix your current situation without rolling back:

  1. Create a temporary security policy that allows both old and new validation rules
  2. Upload the missing intermediate CA certificates
  3. Test device registration with the complete chain
  4. Once confirmed working, remove the temporary policy

For the certificate chain validation error specifically, check these common issues:

  • Intermediate CA missing: Add all intermediate CAs to the registry
  • Wrong certificate order: Chain must be device → intermediate → root
  • Key usage mismatch: Intermediate CA must have keyCertSign enabled
  • Extended key usage: CA certificates need serverAuth or clientAuth
  • Basic constraints: CA certificates must have CA:TRUE

Verify your intermediate CA has correct extensions:


openssl x509 -in intermediate-ca.pem -text -noout | grep -A 5 "X509v3"

You should see:


X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 Key Usage: critical
    Certificate Sign, CRL Sign

If your intermediate CA is missing these extensions, you’ll need to reissue it with correct attributes. This is a PKI infrastructure issue, not just an IoT Core configuration problem.

One critical point: the security policy validation happens at registration time AND at connection time. Even if you fix registration, existing devices might fail to connect if their certificates don’t meet the new validation rules. Plan a certificate rotation for all devices to ensure compliance.

Monitor certificate validation failures with this Cloud Logging query:


resource.type="cloudiot_device"
jsonPayload.eventType="CERTIFICATE_VALIDATION_ERROR"

This will show you exactly which devices and which validation rules are failing.

The certificate chain validation error suggests your CA certificate isn’t in the IoT Core trusted CA list. When you updated the security policy, did you also update the registry’s CA certificates? You need to explicitly add your CA’s public certificate to the registry configuration.

Use gcloud iot registries describe to list all CA certificates in your registry. Compare the fingerprints with your actual CA chain. Also check the certificate’s key usage and extended key usage fields - IoT Core enforces that CA certificates have the correct usage flags set. Your intermediate CA must have ‘keyCertSign’ in key usage and ‘serverAuth’ or ‘clientAuth’ in extended key usage.

Another thing to check: certificate validity dates. Even if the device certificate isn’t expired, if any certificate in the chain (root, intermediate) is expired or not yet valid, the entire chain fails validation. Also verify that the device certificate’s Common Name or Subject Alternative Name matches the device ID you’re trying to register.
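As an added example (not from either answer above, and not IoT Core's own tooling), the following script builds a constructed root → intermediate → device chain and reproduces the check both answers describe: openssl verify against the root alone fails, verify against the concatenated chain succeeds, and the intermediate's CA:TRUE / keyCertSign extensions are confirmed while the device cert correctly lacks them. The file names, CA subject names and temporary directory are assumptions; the device CN reuses the id from the question.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> intermediate CA -> device cert. Shows that
# "openssl verify" fails when only the root is trusted and passes with the full
# chain, and checks the CA extensions the answers list. Names are hypothetical.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for CA certificates (CA:TRUE, keyCertSign) and for the device leaf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/leaf.ext"

mkcsr() {  # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
mkcsr root-ca "Example Root CA"
mkcsr intermediate-ca "Example Intermediate CA"
mkcsr device "sensor-warehouse-451"        # CN matches the device id from the question

openssl x509 -req -in "$WORK/root-ca.csr" -signkey "$WORK/root-ca.key" -days 365 \
  -extfile "$WORK/ca.ext" -out "$WORK/root-ca.pem" 2>/dev/null
openssl x509 -req -in "$WORK/intermediate-ca.csr" -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/intermediate-ca.pem" 2>/dev/null
openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/intermediate-ca.pem" -CAkey "$WORK/intermediate-ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/device-cert.pem" 2>/dev/null

# Verify the device cert against a trust bundle; echoes ok/fail so it composes under set -e
verify_device() {
  if openssl verify -CAfile "$1" "$WORK/device-cert.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
verify_with_root_only() { verify_device "$WORK/root-ca.pem"; }
verify_with_full_chain() {
  cat "$WORK/intermediate-ca.pem" "$WORK/root-ca.pem" > "$WORK/ca-chain.pem"   # intermediate first, then root
  verify_device "$WORK/ca-chain.pem"
}
# A CA certificate must carry CA:TRUE and Certificate Sign; a leaf must not
has_ca_extensions() {
  txt=$(openssl x509 -in "$1" -noout -text)
  if echo "$txt" | grep -q 'CA:TRUE' && echo "$txt" | grep -q 'Certificate Sign'; then echo ok; else echo fail; fi
}

echo "root CA only in trust store:    $(verify_with_root_only)"   # fail: issuer (intermediate) unknown
echo "full chain in trust store:      $(verify_with_full_chain)"  # ok
echo "intermediate has CA extensions: $(has_ca_extensions "$WORK/intermediate-ca.pem")"  # ok
echo "device cert has CA extensions:  $(has_ca_extensions "$WORK/device-cert.pem")"      # fail (CA:FALSE)
```

Run it with sh; it needs only the openssl CLI and prints ok/fail for each check, the first line reproducing the "missing intermediate" failure the question describes.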

Emma, the CA certificate is definitely in the registry - I can see it in the console. Marco, we do have an intermediate CA. Let me check if we uploaded the full chain or just the root. How do I verify what certificates IoT Core has?