Certificate limitations

The XBee 3 Cellular LTE-M/NB-IoT only supports certificate files that contain a single certificate in them.

The implications of this are:

• For client certificate files (for example when client authentication is required):
  • Self-signed certificates will work.
  • Certificates signed by the root CA will work, because the root CA can be omitted per RFC 5246. The root certificate authority may be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
  • Certificate chains that include a intermediate CA are problematic. To work around this the client's certificate chain has to be supplied to the server outside of the connection.
• For server certificate files (when server authentication is required) this is not a problem unless the client is expected to connect to multiple servers that are using different self signed certificates or are using certificate chains that are signed by different root CA certificates. To work around this you have to change the certificates before making the connection, or in the case of API mode specify a different authentication profile.