AWS IoT Thing provisioning fails on Windows during certificate loading

Hello,

I have a problem during the provisioning of the IoT thing using claim certificates. We are using the fleet provisioning by claim mechanism. We are following the steps described in this PDF: https://d1.awsstatic.com/whitepapers/device-manufacturing-provisioning.pdf When we start the provisioning process, we are providing the AwsIotMqttConnectionBuilder with the claim certificate and claim private key(which are generated in previous step). The problem comes when we are building the MqttClientConnection with which to make the request to the AWS IoT core for the provisioning. Here is a detailed exception:

Exception occurred during fleet provisioning by claim
	at com.iav.de.ota.provisioning.flow.FleetProvisioningByClaimFlowExecutor.execute(FleetProvisioningByClaimFlowExecutor.java:50)
	at com.iav.de.ota.provisioning.ProvisioningFacade.provision(ProvisioningFacade.java:60)
	at com.iav.de.ota.provisioning.ProvisioningFacade.provisionToDeviceManagementCloud(ProvisioningFacade.java:54)
	at com.iav.de.ota.provisioning.ProvisioningFacade.provision(ProvisioningFacade.java:39)
	at com.iav.de.ota.Main.main(Main.java:42)
Caused by: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_IO_FILE_VALIDATION_FAILURE(1038), A file was read and the input did not match the expected value) AWS_IO_FILE_VALIDATION_FAILURE(1038)
	at software.amazon.awssdk.crt.io.TlsContext.tlsContextNew(Native Method)
	at software.amazon.awssdk.crt.io.TlsContext.<init>(TlsContext.java:24)
	at software.amazon.awssdk.crt.io.ClientTlsContext.<init>(ClientTlsContext.java:26)
	at software.amazon.awssdk.iot.AwsIotMqttConnectionBuilder.build(AwsIotMqttConnectionBuilder.java:502)
	at com.iav.de.ota.mqtt.MqttConnectionFactory.create(MqttConnectionFactory.java:44)
	at com.iav.de.ota.provisioning.flow.FleetProvisioningByClaimFlowExecutor.execute(FleetProvisioningByClaimFlowExecutor.java:42)

Going throught the error, I have found that this error AWS_IO_FILE_VALIDATION_FAILURE(1038) indicates that the expected claim private key/certificate is not matching the ones which we are giving it to it. So, I started going further into the issue and found that the library which we are using for reading the private key(bouncy castle) is reading a key which different than the input one. In other words, when I inspect the claim private key with Notepad and compare it with the one which the BouncyCastle has read - they are different. The problem is more interesting because this does not happen on Linux machines and only on Windows machines. I have even tried to read the claim private key as plain string from the file and pass it to the MqttConnection and this works. Unfortunately, this is not a solution because later on(after the provisioning) we are storing the real certificate and private key, for later on communication with the AWS IoT Core, in a KeyStore which we are reading with BouncyCastle, again. So, we need the library(BouncyCastle or other) in order to read the private key/certificate in any moment of the execution of the progam(either during the provisioning or later on during the other AWS IoT Core calls with the real certificates).

Forgot to mention, the claim private key and claim certificate are stored in PEM format.

Could you tell me what can be done here?

Is there any AWS supported library for reading the claim private key/certificate without using BouncyCastle?

Any suggestions here are welcomed because we are stucked and the requirements are that each AWS IoT Things will be running on Windows OS.

Thanks a lot,

Encho