Troubleshoot Amazon Private CA Matter-compliant certificate errors
The Matter connectivity
standard
To assist with troubleshooting, the Matter developers provide a certificate
verification tool called chip-cert
Error code | Meaning | Remediation |
---|---|---|
0x00000305 |
|
Ensure that you have selected the correct template for your use case. |
0x00000050 |
The authority key identifier extension must be present. |
Amazon Private CA does not set the authority key identifier extension on root certificates. You must generate a Base64-encoded AuthorityKeyIdentifier value using the CSR and then pass it through a CustomExtension. For more information, see Activate a Root CA for Node Operational Certificates (NOC). and Activate a Product Attestation Authority (PAA). |
0x0000004E | Certificate is expired. | Ensure that the certificate you use is unexpired. |
0x00000014 | Certificate chain validation failure. |
This error may be encountered if you attempt to create a Matter-compliant end-entity certificate without using the provided Java examples, which use the Amazon Private CA API to pass a properly configured KeyUsage. By default, Amazon Private CA generates nine-bit KeyUsage extension
values, with the ninth bit resulting in an extra byte. Matter
ignores the extra byte during format conversions, causing
chain-validation failures. However, a CustomExtension in the If you modify the sample code or use an alternative X.509 utility such as OpenSSL, you need to perform manual verification in order to avoid chain validation errors. To verify that conversions are lossless
|