Stay organized with collections
Save and categorize content based on your preferences.
Use these instructions to troubleshoot issues with interoperability testing
between Spectrum Access System (SAS) and a Citizens Broadband Radio Service Device (CBSD).
You might see the following certificate issues when you test the interoperability
between SAS and a CBSD:
SSL certificate problem when connecting with the provided CBSD or Domain
Proxy (DP) certificate.
Make sure that you have the Google Testing Certificate Authority (CA) listed as a root
of trust in your device. If that's not the case, send an email to
SAS Support to
get a copy.
A please-use-sni.invalid error in the SAS certificate.
A device connecting to the SAS Portal without Server Name
Indication (SNI) sees a server certificate for the domain name please-use-
sni.invalid. Proper implementation of Transport Layer Security (TLS) requires
that the CBSD advertises the target hostname, such as
www.google-sas.com, through the TLS SNI extension.
Modify the test certificates provided by Google before using SAS.
You do not need to modify the test certificates because SAS verifies
that a client sends the entire certificate chain. This chain is formed through the
file concatenation of the CBSD's leaf certificate file and the
corresponding intermediate CA file. The certificates that you receive from Google
for testing purposes have the full chain already included.
Include the intermediate CA file when testing SAS.
Although SAS verifies that a client sends the entire
certificate chain, no extra work is required when testing with Google
SAS. This is because the certificates that you receive from Google
for testing purposes have the full chain already included.
Problems when trying to connect to the SAS Portal.
To bypass checking the SAS certificate, use the k flag with
the curl command, as follows:
Make sure that you use Server Name Indication (SNI).
If no connection is established, then there might be a network issue that prevents
your request from going through. If you see an HTTP status code 403 error, there is a
problem with the certificates that the device provides to the SAS.
Get CBSD or DP certificates for use with the test SAS environment.
Google provides testing certificates as part of your onboarding process. These
certificates contain everything that you need to get started. The test
SAS environment also accepts official certificates issued by
WInnForum-approved CBRS CA operators.
Get CBSD or DP certificates for use with SAS.
SAS supports CBSD and DP certificates
from any of the WInnForum-approved CA operators.
If you're connecting to a test instance, you need testing certificates.
CBSD certificate errors when testing with SAS
You might see the following errors when you are testing with SAS:
SSL certificate problem.
You receive an SSL certificate error when you try to connect to
https://test.sas.goog from your CBSD or DP. Make sure that
you have the testing CA provided by Google SAS Support listed
as a root of trust in your CBSD or DP. If you don't already
have it, contact SAS Support
to get a copy.
Debug SAS certificate issues.
To bypass inspection of the SAS certificate in the
SAS test environment, use the -k flag with the curl
command as follows:
If no connection is established, then there is a network issue that prevents
your request from going through. If you get an HTTP status code 403 error,
then there is a problem with the CBSD or DP certificate that the
device provides to SAS.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-03 UTC."],[],[],null,["# Troubleshoot interoperability testing\n\nUse these instructions to troubleshoot issues with interoperability testing\nbetween Spectrum Access System (SAS) and a Citizens Broadband Radio Service Device (CBSD).\n\nTo troubleshoot issues with the Google SAS Portal, see\n[Troubleshoot SAS issues](/spectrum-access-system/docs/troubleshooting).\n\nCertificate issues when testing\n-------------------------------\n\nYou might see the following certificate issues when you test the interoperability\nbetween SAS and a CBSD:\n\n- **SSL certificate problem when connecting with the provided CBSD or Domain\n Proxy (DP) certificate.**\n\n Make sure that you have the Google Testing Certificate Authority (CA) listed as a root\n of trust in your device. If that's not the case, send an email to\n [SAS Support](/spectrum-access-system/docs/getting-support) to\n get a copy.\n- **A `please-use-sni.invalid` error in the SAS certificate.**\n\n A device connecting to the SAS Portal without Server Name\n Indication (SNI) sees a server certificate for the domain name `please-use-\n sni.invalid`. Proper implementation of Transport Layer Security (TLS) requires\n that the CBSD advertises the target hostname, such as\n `www.google-sas.com`, through the [TLS SNI extension](https://https.cio.gov/sni/).\n- **Modify the test certificates provided by Google before using SAS.**\n\n You do not need to modify the test certificates because SAS verifies\n that a client sends the entire certificate chain. This chain is formed through the\n file concatenation of the CBSD's leaf certificate file and the\n corresponding intermediate CA file. The certificates that you receive from Google\n for testing purposes have the full chain already included.\n- **Include the intermediate CA file when testing SAS.**\n\n Although SAS verifies that a client sends the entire\n certificate chain, no extra work is required when testing with Google\n SAS. This is because the certificates that you receive from Google\n for testing purposes have the full chain already included.\n- **Problems when trying to connect to the SAS Portal.**\n\n To bypass checking the SAS certificate, use the `k` flag with\n the `curl` command, as follows: \n\n ```\n curl -v -k -H \"Host: www.google-sas.com\" -H \"content-type: application/json\" -\n -cert /path/to/cert/file.cert --key /path/to/key/file.key -X POST\n https://www.google-sas.com/vendor/v1.2/registration --data\n @/path/to/example/registration_req.json\n ```\n\n \u003cbr /\u003e\n\n | **Important:** Use the `-k` flag only for testing purposes because it's not secure.\n\n If the connection is established:\n - Verify that you have the Google testing CA [listed as a root of trust](#root-problem).\n - Make sure that you use Server Name Indication (SNI).\n\n If no connection is established, then there might be a network issue that prevents\n your request from going through. If you see an HTTP status code `403` error, there is a\n problem with the certificates that the device provides to the SAS.\n- **Get CBSD or DP certificates for use with the test SAS environment.**\n\n Google provides testing certificates as part of your onboarding process. These\n certificates contain everything that you need to get started. The test\n SAS environment also accepts official certificates issued by\n [WInnForum-approved CBRS CA operators](https://cbrs.wirelessinnovation.org/cbrs-root-ca-operators).\n- **Get CBSD or DP certificates for use with SAS.**\n\n SAS supports CBSD and DP certificates\n from any of the WInnForum-approved CA operators.\n If you're connecting to a test instance, you need testing certificates.\n\nCBSD certificate errors when testing with SAS\n---------------------------------------------\n\nYou might see the following errors when you are testing with SAS:\n\n- **SSL certificate problem.**\n\n You receive an SSL certificate error when you try to connect to\n `https://test.sas.goog` from your CBSD or DP. Make sure that\n you have the testing CA provided by Google SAS Support listed\n as a root of trust in your CBSD or DP. If you don't already\n have it, contact [SAS Support](/spectrum-access-%20system/docs/getting-support)\n to get a copy.\n- **Debug SAS certificate issues.**\n\n | **Important:** Use the `-k` flag only for testing purposes because it's not secure.\n\n To bypass inspection of the SAS certificate in the\n SAS test environment, use the `-k` flag with the `curl`\n command as follows: \n\n ```\n curl -v -k -H \"Host: test.sas.goog\" -H \"content-type: application/json\" --cert\n /path/to/cert/file.cert --key /path/to/key/file.key -X POST\n https://test.sas.goog/v1.2/registration --data\n @/path/to/example/registration_req.json\n ```\n\n \u003cbr /\u003e\n\n If the connection is established, verify that the Google testing CA is\n [listed as a root of trust](#root-problem).\n\n If no connection is established, then there is a network issue that prevents\n your request from going through. If you get an HTTP status code `403` error,\n then there is a problem with the CBSD or DP certificate that the\n device provides to SAS."]]
