1 year ago

#248493

Robin

ESP32 + SIM7000x - connect to AWS IoT MQTT server

Currently, I have a working 'thing' on AWS, which is connected via WiFi or an ethernet port. In there, I can simply pass my CA cert, public and private keys and tell the MQTTClient to use that client with those certificates.

Now, I want a backup in case of no WiFi or internet. Thus I thought a SIM7000x would do. For HTTPS calls, it works like a real champ. Also for plain MQTT connections without any kind of authentication method, it works just fine.

Now I am using the TinyGSM library on the ESP32; if I just modify that example for MQTT a bit, with my MQTT server at home, it works just fine.

But I want to be able to connect to an MQTTS server on AWS IoT. This needs 3 certificates: 1 CA certificate, 1 public and 1 private certificate.

On my current code, without the SIM module, it looks like this:

#include <WiFiClientSecure.h>
#include <MQTTClient.h>

WiFiClientSecure net = WiFiClientSecure();
MQTTClient mqttClient = MQTTClient(384); // larger buffer

...

void connectToAWS() {

    // Configure WiFiClientSecure to use the AWS IoT device credentials (from secrets file)
    net.setCACert(AWS_CA_CERTIFICATE); // Amazon root CA
    net.setCertificate(AWS_CERT); // Device certificate
    net.setPrivateKey(AWS_PRIVATE_CERT); // Device private key

    // Connect to the MQTT broker on the AWS endpoint we defined earlier
    mqttClient.begin(AWS_IOT_ENDPOINT, AWS_IOT_ENDPOINT_PORT, net);

    Serial.println("Connecting to AWS IoT");

    unsigned long timeout = millis();
    while (!mqttClient.connect("myThingName")) {

        if (millis() - timeout > 5000) {
            Serial.println("AWS IoT Timeout");
            return; // give up instead of retrying forever after the timeout message
        }

        Serial.print(".");
        vTaskDelay(100);
    }

    Serial.println("Connected to AWS IoT!");
}

I want to be able to do the same on the SIM module, preferably using the TinyGSM library.

Now I have found that I could use some AT commands to tell the module "here are the files" and upload them to the storage of the SIM. But that didn't work.

The simcom docs tell the following:

Step 1: Configure SSL version by AT+CSSLCFG="sslversion",<ssl_ctx_index>,<sslversion>.
Step 2: Configure SSL authentication mode by AT+CSSLCFG="authmode",<ssl_ctx_index>,<authmode>.
Step 3: Configure the flag of ignore local time by AT+CSSLCFG="ignorlocaltime",<ssl_ctx_index>,<ignoreltime>.
Step 4: Configure the max time in SSL negotiation stage by AT+CSSLCFG="negotiatetime",<ssl_ctx_index>,<negotiatetime>.
Step 5: Configure the server root CA by AT+CSSLCFG="cacert",<ssl_ctx_index>,<ca_file>.
Step 6: Configure the client certificate by AT+CSSLCFG="clientcert",<ssl_ctx_index>,<clientcert_file>.
Step 7: Configure the client key by AT+CSSLCFG="clientkey",<ssl_ctx_index>,<clientkey_file>.
Step 8: Download the certificate into the module by AT+CCERTDOWN.
Step 9: Delete the certificate from the module by AT+CCERTDELE.
Step 10: List the certificates by AT+CCERTLIST.

I tried those steps, but at step 5, I get "operation not allowed".

So the only issue I'm currently facing is the X.509 certificate chain that needs to work on that SIM module for the MQTT connections. I also have API calls, those should NOT use that keychain.

Tags: mqtt, x509, esp32, aws-iot, gprs
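One thing worth doing before any of the module steps above is to confirm that each of the three PEM files is really the kind of object the slot expects (a CA or device CERTIFICATE versus a PRIVATE KEY) and to know its exact byte length, since a swapped or truncated file is a common reason a certificate slot refuses to load. The checker below is an added example written for this post, not code from the question or from TinyGSM; the slot names follow the AT+CSSLCFG steps quoted above, and the sample PEM bodies are constructed stand-ins (a minimal DER SEQUENCE), not real credentials.

```python
"""Pre-upload sanity check for the three PEM files an AWS IoT mutual-TLS
client needs: root CA, device certificate and device private key."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Which PEM labels each module slot (names from the AT+CSSLCFG steps) may hold.
EXPECTED = {
    "cacert":     {"CERTIFICATE"},
    "clientcert": {"CERTIFICATE"},
    "clientkey":  {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}

def parse_pem(text):
    """Return [(label, der_bytes)] for every PEM block in `text`.
    Raises ValueError on bad base64 or on a body that is not a DER
    SEQUENCE (tag 0x30), which every X.509 certificate and key starts with."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks

def check_slot(slot, text):
    """Validate the PEM text destined for one module slot.
    Returns (label, byte_length) on success; the byte length is what a
    file-upload command needs to be told. Raises ValueError on mismatch."""
    blocks = parse_pem(text)
    if slot != "cacert" and len(blocks) != 1:   # only a CA slot may hold a chain
        raise ValueError(f"{slot}: expected one PEM block, got {len(blocks)}")
    for label, _ in blocks:
        if label not in EXPECTED[slot]:
            raise ValueError(f"{slot}: '{label}' block, expected {sorted(EXPECTED[slot])}")
    return blocks[0][0], len(text.encode("ascii"))

def slot_accepts(slot, text):
    """True if `text` would pass check_slot() for `slot`, else False."""
    try:
        check_slot(slot, text)
        return True
    except ValueError:
        return False

# Constructed samples: base64 of the 5-byte DER SEQUENCE 30 03 02 01 05.
FAKE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n"
```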

0 Answers
