In a recent update, we learned that the AWS IoT action iot:AttachPrincipalPolicy mentioned here has been deprecated. It is now recommended to use iot:AttachPolicy instead.
Previously, we explored how AWS IoT allows users to implement their own device certificates that are signed by a personal certificate authority (CA) for connecting and authenticating with the AWS IoT service. This method serves as an alternative to using certificates that are generated directly by AWS IoT.
Utilizing your own certificate with AWS IoT involves a two-step process:
- The registration of the CA certificate that issues the device certificates.
- Following the registration, any device certificate signed by this CA can then be registered with AWS IoT for authentication.
With the recent inclusion of just-in-time registration (JITR) for CA-signed certificates, AWS IoT has streamlined the process by eliminating the second step.
In this post, I will clarify how JITR operates and how it can facilitate a workflow that automatically activates device certificates and attaches appropriate policies. Additionally, I will provide guidance on deactivating a CA certificate and revoking device certificates.
Here’s what you will accomplish:
- Generate, register, and activate a CA certificate to sign your device certificates.
- Enable the auto-registration feature for certificates.
- Create device certificates signed by the CA and install them on your devices.
- Establish and attach a rule with an AWS Lambda action to activate the certificate, subsequently creating and attaching policies.
- Connect to AWS IoT using the device certificate.
Upon your initial connection to AWS IoT with the device certificate, the service will recognize an unregistered certificate signed by an existing CA and will automatically register the device certificate. Once successfully registered, AWS IoT will publish a confirmation message on a designated MQTT topic, after which it disconnects the client. This MQTT registration event will activate the attached AWS Lambda rules engine action, thus completing the provisioning of the certificate. Following these steps, your device certificate will be equipped to connect and authenticate with AWS IoT.
For this walkthrough, familiarity with AWS IoT and the procedures for creating AWS IoT certificates is assumed. You will utilize the AWS CLI and OpenSSL to carry out these tasks. If you need assistance with installing the AWS CLI, you can follow these steps. Ensure you are using the latest version if you already have the AWS CLI installed.
For further information about authentication in AWS IoT or the utilization of AWS IoT-generated certificates, please refer to the AWS IoT Developer Guide.
Registering Your CA Certificate
If you are a manufacturer, you may have acquired CA certificates from providers such as Symantec or Verisign, or you might have your own CA. To use your own X.509 certificates signed by your CA certificate, AWS IoT must confirm that you own the CA certificate and have access to its private key. This verification process employs a challenge and response workflow.
We will begin by using OpenSSL in a terminal to create a sample CA certificate. In practical scenarios, the signing or intermediate certificates would be issued by your CA vendor. This sample CA certificate will later be used in the walkthrough to sign a device certificate for registration with AWS IoT:
$ openssl genrsa -out sampleCACertificate.key 2048
$ openssl req -x509 -new -nodes -key sampleCACertificate.key -sha256 -days 365 -out sampleCACertificate.pem
For simplicity, we are creating a root CA certificate. Typically, an intermediate CA certificate would be signed by the root CA, which in turn signs the device certificates. In this case, you would register the intermediate CA certificate with AWS IoT.
After creating your sample CA certificate, you will register it with AWS IoT. During registration, a workflow will be followed to ascertain that you possess access to both the CA certificate and its associated private key. To validate ownership of the private key, you must generate a verification certificate using the CA certificate, the private key, and a registration code obtained from AWS IoT.
To start, you need to retrieve the registration code. This can be done using the AWS CLI or the Register Certificate section in the AWS IoT console.
Using the AWS CLI, execute the following command:
$ aws iot get-registration-code
This command will yield a unique registration code linked to your AWS account. This code remains valid indefinitely until you choose to delete it.
Next, you will use the registration code to create a Certificate Signing Request (CSR):
$ openssl genrsa -out privateKeyVerification.key 2048
$ openssl req -new -key privateKeyVerification.key -out privateKeyVerification.csr
During the CSR creation process, you will be prompted for information. Input the registration code into the Common Name field of the verification certificate:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: XXXXXSAMPLEREGISTRATIONCODEXXXXX
EMAIL ADDRESS []:
This registration code establishes that the generated verification certificate was specifically created for the purpose of registering the CA certificate with AWS IoT, rather than being a previously issued certificate.
Having created a CSR that includes the registration code, use your sample CA certificate and the CSR to generate a new certificate:
$ openssl x509 -req -in privateKeyVerification.csr -CA sampleCACertificate.pem -CAkey sampleCACertificate.key -CAcreateserial -out privateKeyVerification.crt -days 365 -sha256
When you register your CA certificate with AWS IoT, the combination of the registration code, the verification certificate signed with the CA private key, and the CA certificate will confirm your ownership of the CA private key.
Next, utilize the verification certificate to register your sample CA certificate:
$ aws iot register-ca-certificate --ca-certificate file://sampleCACertificate.pem --verification-certificate file://privateKeyVerification.crt
You can call the describe-ca-certificate command to obtain details about the registered CA certificate. Remember to use the certificate ID returned in the response of the previous CLI command:
$ aws iot describe-ca-certificate --certificate-id <certificateId>
Now, you will activate the CA certificate. By default, the CA certificate is registered in an INACTIVE state. When registering device certificates, AWS IoT checks the status of the registered CA certificate and will only permit device certificate registration if the CA certificate is ACTIVE. To change the status of the CA certificate, use the update-ca-certificate CLI command. Alternatively, you can register the CA certificate in an ACTIVE state by using the set-as-active flag during registration:
$ aws iot update-ca-certificate --certificate-id <certificateId> --new-status ACTIVE
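The OpenSSL part of the procedure above, scripted non-interactively, with a check on the verification certificate before it is handed to register-ca-certificate. This is an added example, not code from the original post; the registration code is a constructed placeholder, and the file names follow the walkthrough.

```shell
#!/bin/sh
# Added example (not from the original post). REG_CODE is a placeholder; substitute the
# value returned by `aws iot get-registration-code` for your account.
REG_CODE="${REG_CODE:-XXXXXSAMPLEREGISTRATIONCODEXXXXX}"
WORK="${WORK:-$(mktemp -d)}"

# Step 1: a sample root CA. In production this is the intermediate issued by your CA vendor.
make_sample_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Sample IoT CA" \
    -keyout "$WORK/sampleCACertificate.key" -out "$WORK/sampleCACertificate.pem" 2>/dev/null
}

# Step 2: a CSR whose Common Name is the registration code, signed with the CA private key.
make_verification_cert() {
  openssl genrsa -out "$WORK/privateKeyVerification.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/privateKeyVerification.key" \
    -subj "/CN=$REG_CODE" -out "$WORK/privateKeyVerification.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/privateKeyVerification.csr" \
    -CA "$WORK/sampleCACertificate.pem" -CAkey "$WORK/sampleCACertificate.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/privateKeyVerification.crt" 2>/dev/null
}

# Step 3: pre-flight the two properties the registration relies on: the verification
# certificate chains to the CA certificate being registered, and its CN equals the
# registration code. Prints "ok" on success, otherwise the reason, and returns non-zero.
check_verification_cert() {
  ca="$1"; crt="$2"; code="$3"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "not signed by CA"; return 1; }
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt sep_multiline,utf8 | sed -n 's/^ *CN=//p')
  [ "$cn" = "$code" ] || { echo "CN '$cn' does not match registration code"; return 1; }
  echo ok
}

# Build the files and report the check result; the .pem and .crt are then ready for
# `aws iot register-ca-certificate --ca-certificate file://... --verification-certificate file://...`.
make_sample_ca && make_verification_cert && \
  check_verification_cert "$WORK/sampleCACertificate.pem" "$WORK/privateKeyVerification.crt" "$REG_CODE"
```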
By default, the auto-registration status of the registered CA certificate is disabled. This means that any device certificate issued by the registered CA will not be auto-registered when it first connects to the AWS IoT service. However, you can explicitly register the device certificate using the register-certificate CLI command. If the auto-registration status is enabled for a CA certificate, it simplifies the process. For more information about setting up this auto-registration, check out this other blog post here.
In conclusion, managing your device certificates through AWS IoT can streamline your operations significantly.