AWS IoT Thing provisioning fails on Windows during certificate loading



I have a problem during the provisioning of the IoT thing using claim certificates. We are using the fleet provisioning by claim mechanism. We are following the steps described in this PDF: When we start the provisioning process, we are providing the AwsIotMqttConnectionBuilder with the claim certificate and claim private key(which are generated in previous step). The problem comes when we are building the MqttClientConnection with which to make the request to the AWS IoT core for the provisioning. Here is a detailed exception:

Exception occurred during fleet provisioning by claim
Caused by: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_IO_FILE_VALIDATION_FAILURE(1038), A file was read and the input did not match the expected value) AWS_IO_FILE_VALIDATION_FAILURE(1038)
	at Method)

Going throught the error, I have found that this error AWS_IO_FILE_VALIDATION_FAILURE(1038) indicates that the expected claim private key/certificate is not matching the ones which we are giving it to it. So, I started going further into the issue and found that the library which we are using for reading the private key(bouncy castle) is reading a key which different than the input one. In other words, when I inspect the claim private key with Notepad and compare it with the one which the BouncyCastle has read - they are different. The problem is more interesting because this does not happen on Linux machines and only on Windows machines. I have even tried to read the claim private key as plain string from the file and pass it to the MqttConnection and this works. Unfortunately, this is not a solution because later on(after the provisioning) we are storing the real certificate and private key, for later on communication with the AWS IoT Core, in a KeyStore which we are reading with BouncyCastle, again. So, we need the library(BouncyCastle or other) in order to read the private key/certificate in any moment of the execution of the progam(either during the provisioning or later on during the other AWS IoT Core calls with the real certificates).

Forgot to mention, the claim private key and claim certificate are stored in PEM format.

Could you tell me what can be done here?

Is there any AWS supported library for reading the claim private key/certificate without using BouncyCastle?

Any suggestions here are welcomed because we are stucked and the requirements are that each AWS IoT Things will be running on Windows OS.

Thanks a lot,


  • How do you instantiate the AwsIotMqttConnectionBuilder? By using one of the factory methods?

    AwsIotMqttConnectionBuilder.newMtlsBuilderFromPath(certPath, keyPath)

    Or do you set the tlsOptions by hand?

1 Answer

Hi Encho,

Can you please take a look at the pem files and check whether they are certificate chains? (It has more than one certificate) If it does, this is a known issue in aws-c-io and a fix has been submitted. If you'd like to manually apply the fix yourself before a new version is released, it's a single line change.

In aws-c-io -> source -> windows -> windows_pki_utils.c change line 606 from

if (i != cert_count - 1 || !add_result) {


if (i != 0 || !add_result) {

That should fix the issue and unblock you for now until this is propagated into a release.

answered 2 years ago
  • Hello,

    Thanks for the answer. When the fix is expected to be released? Something more, is this library used by the Java SDK? We are using Java(sorry if I forgot to mention this) Currently, we are partially blocked(because from the team, I am the only one working on Windows machine).


  • Hi Encho, the fix may be a little ways off as we need to also implement unit testing before pushing it to main. The fix is in the CRT so it should apply to all higher level languages, java included as long as you're using the v2 SDKs. In the meanwhile, could you provide me with logs from the CRT as well as the certificates that are being used in your testing? Thanks!

  • Hello Steve,

    I can provide the logs but the only ones which I see are part of the Java stacktrace of the execution. Could you tell me how to enable the logs of the CRT?


  • Hi Encho, you can look at how the CRT handles logging here:

    Please set the following properties: -Daws.crt.debugnative=true -Daws.crt.log.destination=File -Daws.crt.log.level=Trace -Daws.crt.log.filename=<path and filename>

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions