TL;DR: The factory certificate in slot 10 is in a compressed format that AWS IoT rejects. You need to generate a new properly-formatted certificate. Full working example here: https://github.com/scarolan/grafana-core2aws-iot
The Problem Everyone HitsIf you've tried to use the Core2 for AWS with its built-in ATECC608 secure element, you've probably hit this error when registering the certificate:
CertificateValidationException: The certificate could not be parsedYou're not crazy. The factory certificate in slot 10 is stored in Microchip's compressed format with:
Empty issuer/subject fields Invalid dates (Aug 28, 2005) Missing X.509 structureAWS IoT's register-certificate-without-ca API rejects it outright.
The SolutionGenerate a new properly-formatted certificate that still uses the locked private key in slot 0 (so you maintain hardware security):
1. Clone the Working Example git clone https://github.com/scarolan/grafana-core2aws-iot cd grafana-core2aws-iot/extras/generate_cert 2. Flash the Certificate Generator pio run -t upload --upload-port COM3 pio device monitor --port COM3 --baud 115200 3. Save the CertificateCopy the certificate output (including -----BEGIN CERTIFICATE----- lines) to a file.
4. Register with AWS IoT aws iot register-certificate-without-ca \ --certificate-pem file://device_new.pem \ --status ACTIVE \ --region us-east-1Then attach your policy and thing as usual.
5. Use in Your FirmwareUpdate secrets.h with the new certificate and you're done!
Why This WorksThe certificate generator:
Reads the public key from slot 0 (the private key never leaves the chip) Creates a proper X.509 certificate with valid dates and subject fields Signs it using the locked private key (signing happens inside the ATECC608) Returns a properly-formatted certificate AWS IoT acceptsHardware security is maintained - the private key in slot 0 is never exposed, it's just used differently.
Complete DocumentationI've documented the full solution with explanations of what's happening:
ATECC608 Architecture - How the secure element works, slot configuration, lock mechanism Certificate Solution - Why the factory cert fails and how to fix it Full Working Example - Complete vibration monitoring IoT demo with AWS IoT Core + Timestream Why M5Stack Doesn't Document ThisThe compressed certificate format is a Microchip design decision (saves space on the chip). It's meant to work with:
Microchip's Trust Platform provisioning tools Their specific certificate reconstruction libraries Microchip-managed certificate authoritiesIt was never designed to work directly with third-party services like AWS IoT without special handling.
M5Stack provides a complex registration helper (registration_helper.py) that reconstructs the certificate with special manifest-based APIs, but it's 800+ lines of Python with tons of dependencies.
The approach above is much simpler - just generate a new cert and register it normally.
Tested and WorkingThis solution is running in production on my demo device:
MQTTS publishing to AWS IoT Core every 5 seconds Data flowing to Amazon Timestream Hardware-backed authentication with ATECC608 Zero issues with certificate validation Hope This Saves Someone's WeekI fought with this for a week a couple years ago and gave up in frustration. Revisited it recently and finally cracked it. Hopefully this saves others the same pain!
Questions/issues? Comment here or open an issue on GitHub.
Repository: https://github.com/scarolan/grafana-core2aws-iot
Hardware: M5Stack Core2 for AWS
Libraries: ArduinoECCX08, ArduinoBearSSL, M5Unified
Tested: PlatformIO, Arduino framework on ESP32
