Debug AWS_IO_FILE_VALIDATION_FAILURE while trying to connect to aws IoT with custom client certificate


I failed to run the sample code for basic_connect.

While running it with the following argument:
basic_connect.exe --client_id "ME" --endpoint "*" --cert "<>/MyCertificate.crt" --key "<>/MyPrivate.key" --verbosity "Debug"

i receive the following output:

[DEBUG] [2022-09-29T13:02:54Z] [00001648] [mqtt-client] - client=*: Initalizing MQTT client
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: This library was built with Windows 8.1 or later, probing OS to see what we're actually running on.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: We're running on Windows 8.1 or later. ALPN is available.
[DEBUG] [2022-09-29T13:02:56Z] [00001648] [tls-handler] - static: certificate and key have been set, setting them up now.
[INFO] [2022-09-29T13:02:56Z] [00001648] [pki-utils] - static: loading certificate chain with 1 certificates.
[ERROR] [2022-09-29T13:03:04Z] [00001648] [pki-utils] - static: no acceptable private key found, error AWS_IO_FILE_VALIDATION_FAILURE
[ERROR] [2022-09-29T13:03:04Z] [00001648] [tls-handler] - static: failed to import certificate and private key with error 1038.
Client Configuration initialization failed with error aws-c-io: AWS_IO_FILE_VALIDATION_FAILURE, A file was read and the input did not match the expected value

I have been trying to follow this AWS_IO_FILE_VALIDATION_FAILURE, and i endup with the following callstack:

	basic-connect.exe!aws_import_key_pair_to_cert_context(aws_allocator * alloc, const aws_byte_cursor * public_cert_chain, const aws_byte_cursor * private_key, bool is_client_mode, void * * store, const _CERT_CONTEXT * * certs, unsigned __int64 * crypto_provider, unsigned __int64 * private_key_handle) Line 691	C
 	basic-connect.exe!s_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options, bool is_client_mode) Line 2010	C
 	basic-connect.exe!aws_tls_client_ctx_new(aws_allocator * alloc, const aws_tls_ctx_options * options) Line 2044	C
 	basic-connect.exe!Aws::Crt::Io::TlsContext::TlsContext(Aws::Crt::Io::TlsContextOptions & options, Aws::Crt::Io::TlsMode mode, aws_allocator * allocator) Line 423	C++
 	basic-connect.exe!Aws::Iot::MqttClientConnectionConfigBuilder::Build() Line 493	C++
 	basic-connect.exe!Utils::CommandLineUtils::GetClientConnectionForMQTTConnection(Aws::Iot::MqttClient * client, Aws::Iot::MqttClientConnectionConfigBuilder * clientConfigBuilder) Line 542	C++
 	basic-connect.exe!Utils::CommandLineUtils::BuildDirectMQTTConnection(Aws::Iot::MqttClient * client) Line 459	C++
 	basic-connect.exe!main(int argc, char * * argv) Line 41	C++
 	[External Code]	

None of the call to CryptDecodeObjectEx will succeed in the function aws_import_key_pair_to_cert_context. It sounds like there is a problem with my private key which i generated as follow:
openssl req -newkey rsa:4096 -sha256 -nodes -keyout MyPrivate.key -out MyRequest.csr -config MyConfig.cnf

I am not sure to understand what this function is meant to do and what is wrong with my key. I am using win10 with msbuild (tryied in python as well).

2 Answers
Accepted Answer

Hi. Your openssl command is generating a PEM key file in PKCS#8 format instead of the PKCS#1 format returned when AWS IoT Core generates the key. So your key file has a "BEGIN PRIVATE KEY" header instead of "BEGIN RSA PRIVATE KEY". I'm not familiar with CryptDecodeObjectEx(), but I think the PKCS_RSA_PRIVATE_KEY parameter might be demanding PKCS#1.

So you may find more success by generating your own key and certificate as documented here:

profile pictureAWS
answered 2 years ago


are you using really <> in your path? I assume you don't have a directory named <>?

Perhaps you should modify your command to look similar to (assuming you are in the same directory where your key/cert is stored):

basic_connect.exe --client_id "ME" --endpoint "*" --cert "MyCertificate.crt" --key "MyPrivate.key" --verbosity "Debug"

You need also to use a valid iot endpoint. In your case you need to replace * with the unique id of your endpoint.


answered 2 years ago
  • "<>" is not a valid path in windows. "<>" and "*" are just a replacement for the real values. I just don't want to share anything personal on the internet. The key is well loaded and as in my file "private.key" in aws_import_key_pair_to_cert_context arguments. It is CryptDecodeObjectEx which is failing on it. I want to understand why. The documentation specify well that aws support rsa + sh256, that should be provided in a PEM format.

  • You can find some information about troubleshooting connectivity at You can use openssl to validate if your certificate is working correctly.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions