TLS Certificate Pinning / Leaf Certificate Support on ESP32 (u-blox NINA)

[ILLUMINEN]

Dear Espressif Support Team,
We are currently using a u-blox NINA WiFi module, which is built on the ESP32-D0WDQ6-V3, Flash: 16 MB chip, in our project.
At present, we are facing an issue while implementing TLS using a leaf (server) certificate for client identification.
The connection works correctly when we use the Root CA certificate, but it does not work when we attempt to use the leaf certificate / certificate pinning method for the client.
This issue is blocking the next phase of our project development, and we would highly appreciate your guidance on the correct and supported way to handle leaf certificates or certificate pinning on the NINA (ESP32-based) module.
Kindly provide your assistance or any recommended solution to proceed further.
Thank you for your support.

Best regards,
Illuminen Technologies.

[lichurbagan]

A leaf certificate is not a trust anchor; it is the subject of the chain. mbedTLS and the u-blox TLS implementation will not treat it as a certificate authority, therefore:

The device loads the leaf certificate → mbedTLS expects it to be a CA

But server leaf certificates generally have CA = FALSE in their Basic Constraints

mbedTLS therefore rejects it as a trust anchor