update cr comments

Author: xiazhvera

documents/FAQ.md

@@ -6,12 +6,13 @@
 * [How do I get more information from an error code?](#how-do-i-get-more-information-from-an-error-code)
 * [I keep getting AWS_ERROR_MQTT_UNEXPECTED_HANGUP](#i-keep-getting-aws_error_mqtt_unexpected_hangup)
 * [I am experiencing deadlocks](#i-am-experiencing-deadlocks)
-* [How do debug in VSCode?](#how-do-debug-in-vscode)
+* [How to debug in VSCode?](#how-to-debug-in-vscode)
 * [What certificates do I need?](#what-certificates-do-i-need)
+* [I am getting AWS_IO_TLS_ERROR_DEFAULT_TRUST_STORE_NOT_FOUND](#root-ca-file)
 * [How do I build and use the Android SDK?](#how-do-i-build-and-use-the-android-sdk)
 * [Where can I find MQTT 311 Samples?](#where-can-i-find-mqtt-311-samples)
+* [How can I improve the library size?](#how-can-i-improve-the-library-size)
 * [I still have more questions about this sdk?](#i-still-have-more-questions-about-this-sdk)
-* [How can I improve the library size? ](#how-can-i-improve-the-library-size)
 
 ### Where should I start?
 
@@ -36,7 +37,7 @@ To enable logging in the samples, you will need to set the following system prop
 For example, to run `BasicPubSub` with logging you could use the following:
 
 ```sh
-mvn compile exec:java -pl samples/Mqtt/Mqtt5X509 -Daws.crt.debugnative=true -Daws.crt.log.level=Debug -Daws.crt.log.destination=Stdout -Dexec.mainClass=pubsub.PubSub -Dexec.args='--endpoint <endpoint> --cert <path to cert> --key <path to key>'
+mvn compile exec:java -pl samples/Mqtt/Mqtt5X509 -Daws.crt.debugnative=true -Daws.crt.log.level=Debug -Daws.crt.log.destination=Stdout -Dexec.args='--endpoint <endpoint> --cert <path to cert> --key <path to key>'
 ```
 
 You can also enable [CloudWatch logging](https://docs.aws.amazon.com/iot/latest/developerguide/cloud-watch-logs.html) for IoT which will provide you with additional information that is not available on the client side sdk.
@@ -79,9 +80,9 @@ After getting it working make sure to only allow the actions and resources that
 
 You MUST NOT perform blocking operations on any callback, or you will cause a deadlock. For example: in the on_publish_received callback, do not send a publish, and then wait for the future to complete within the callback. The Client cannot do work until your callback returns, so the thread will be stuck.
 
-### How do debug in VSCode?
+### How to debug in VSCode?
 
-Here is an example launch.json file to run the pubsub sample
+Here is an example `launch.json` file to run the X509 sample
  ``` json
  {
     // Use IntelliSense to learn about possible attributes.
@@ -96,6 +97,7 @@ Here is an example launch.json file to run the pubsub sample
             "mainClass": "mqtt5x509.Mqtt5X509",
             "projectName": "Mqtt5X509",
             "args": "--endpoint <account-number>-ats.iot.<region>.amazonaws.com --cert <path to cert> --key <path to key> --client-id test-client",
+            "vmArgs": "-Daws.crt.debugnative=true -Daws.crt.log.destination=Stdout",
             "console": "externalTerminal"
         }
     ]
@@ -107,17 +109,29 @@ Here is an example launch.json file to run the pubsub sample
 * You can download pre-generated certificates from the AWS console (this is the simplest and is recommended for testing)
 * You can also generate your own certificates to fit your specific use case. You can find documentation for that [here](https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html) and [here](https://iot-device-management.workshop.aws/en/provisioning-options.html)
 * Certificates that you will need to run the samples
-    * Root CA Certificates
-        * Download the root CA certificate file that corresponds to the type of data endpoint and cipher suite you're using (You most likely want Amazon Root CA 1)
-        * Generated and provided by Amazon. You can download it [here](https://www.amazontrust.com/repository/) or download it when getting the other certificates from the AWS console
-        * When using samples it can look like this: `--ca_file root-CA.crt`
     * Device certificate
         * Intermediate device certificate that is used to generate the key below
         * When using samples it can look like this: `--cert abcde12345-certificate.pem.crt`
     * Key files
         * You should have generated/downloaded private and public keys that will be used to verify that communications are coming from you
         * When using samples you only need the private key and it will look like this: `--key abcde12345-private.pem.key`
 
+### I am getting AWS_IO_TLS_ERROR_DEFAULT_TRUST_STORE_NOT_FOUND<a name="root-ca-file"></a>
+
+This error usually occurs when the SDK cannot find or access the system's default trust store for TLS certificate validation. You can resolve this by downloading and specifying the Root CA certificate explicitly.
+
+**Root CA Certificate**
+* Download the root CA certificate file that corresponds to the type of data endpoint and cipher suite you're using (you most likely want Amazon Root CA 1 if you are using the AWS IoT service)
+* This certificate is generated and provided by Amazon. You can download it [here](https://www.amazontrust.com/repository/) or download it when getting the other certificates from the AWS Console
+
+**Set Root CA for the client builder**
+```java
+// When building your MQTT5 client, specify the CA file
+// Mqtt5ClientBuilder builder = <setup your client builder based on your auth type>
+builder.withCertificateAuthorityFromPath(null, "<path to AmazonRootCA1.pem>");
+```
+
+
 ### How do I build and use the Android SDK?
 Instructions for building, installing, and use of the Android SDK can be found [here](../documents/ANDROID.md)