I'm trying to provision devices through AWS IOT api calls, i have used the AWS CLI to get CA Certificate and i have also generated X.509 certificate. Can anyone please guide me on how to Create Thing and attach certificate through SDK?
I have successfully used the API to create devices on AWS IoT Core by following these steps.
Using the CLI i made CA certificate using rsa key
openssl genrsa -out certs/rootCA.key 2048
openssl req -x509 -new -nodes -key certs/rootCA.key -sha256 -days 1024 -out certs/rootCA.pem
aws iot get-registration-code (registrationCode used later as a "Common Name")
openssl genrsa -out certs/verificationCert.key 2048
Then i created a CSR
openssl req -new -key certs/verificationCert.key -out certs/verificationCert.csr
openssl x509 -req -in certs/verificationCert.csr -CA certs/rootCA.pem -CAkey certs/rootCA.key -CAcreateserial -out certs/verificationCert.crt -days 500 -sha256
Registered the CA Certificate
aws iot register-ca-certificate --ca-certificate file://certs/rootCA.pem --verification-certificate file://certs/verificationCert.crt --allow-auto-registration
aws iot update-ca-certificate --certificate-id e3f0a30c3bbd4c9fdbb752cf2717fda21fbd2f8158e5dc0bb320c8bdbabf6295 --new-status ACTIVE
Then i used the the verificationCert.csr for createCertificateFromCsr and used the certificateArn from response in attachPolicy and attachThingPrincipal
You cant connect a device to AWS IoT with an API if you are trying to use HTTPS. AWS IoT specifically requires the MQTT broker on AWS IoT Core. Are you using this with a device like RPi?
Related
I use the following set of openssl commands to generate client certificate
# create key
openssl genrsa -out client.key -aes256 -passout pass:password 2048
# create client certificate request
openssl req -new -key client.key -out client.csr -subj '/C=UA/O=MyCompany/CN=MyName/emailAddress=test#example.com' -passin pass:password
# Sign client certificate request with intermediate CA private key
openssl x509 -req -in client.csr -CA interm_cert.pem -CAkey interm_key.pem -CAcreateserial -CAserial intermediateCA.srl -extensions usr_cert -extfile openssl.conf -out client.crt -days 3650 -sha256 -passin pass:password
# generate client pfx
openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile interm_cert.pem
# convert to pem
openssl pkcs12 -in client.pfx -out client.pem -nodes
Now, I need to replicate that using jsrsasign library. Yes, I can easily create key pair using KUTIL.generateKeypair and certificate signing request, but this is as mach as I could figure out so far, using the library reference
Any help is greatly appreciated
I'm trying to get SSL https working on my nodejs server but the browser returns a ERR_SSL_PROTOCOL_ERROR
code:
var express = require('express');
var https = require('https');
var http = require('http');
var fs = require('fs');
var options = {
key: fs.readFileSync('key.pem'),
cert: fs.readFileSync('cert.pem')
}
http.createServer(app).listen(80);
https.createServer(options, app).listen(443);
This will happen if your key isn't generated correctly.
A lot of places will tell you to do this:
openssl genrsa -out key.pem
That will not work if you're on a Mac, and instead you need to do this to make the key length 2048:
openssl genrsa -out key.pem 2048
In summary, do these steps to make a correct key on Mac:
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out client.csr
openssl x509 -req -in client.csr -signkey key.pem -out cert.pem
I'm trying to make a start at Service Workers and read you require to have an ssl cert.
I've Got an AngularJS 1.x application and a Node Express back end, and I run both independently so I I use grunt serve to run the front end on port 8443 and I use node app.js to run express which is on 7443.
note: I'm doing this on macOS
I used the guide on how to set up https on a project that uses Grunt: here
openssl genrsa -out livereload.key 1024
openssl req -new -key livereload.key -out livereload.csr
openssl x509 -req -in livereload.csr -signkey livereload.key -out livereload.crt
Gruntfile.js
options: {
protocol: 'https', // or 'http2'
port: 8443,
hostname: '0.0.0.0',
key: grunt.file.read('livereload.key'),
cert: grunt.file.read('livereload.crt')
},
node app.js
var privateKey = fs.readFileSync('../livereload.key', 'utf8');
var certificate = fs.readFileSync('../livereload.crt', 'utf8');
var credentials = {key: privateKey, cert: certificate};
httpsServer.listen(7443, config.ip, function () {
console.log('Express server listening on %d, in %s mode', 7443, app.get('env'));
});
Both start with no errors, the front end does complain the connection is not private. When my front end tried to hit an endpoint on the express server I receive the following;
OPTIONS https://localhost:7443/api/census/general net::ERR_INSECURE_RESPONSE
Could someone please assist on this problem of mine.
You have created a self-signed certificate, which is fine for development and testing but is considered unsafe for general use. Unlike SSL certificates purchased from reputable third-parties, self-signed certificates are untrusted by default.
You will need to tell your OS to explicitly trust the certificate. I'm unfamiliar with Mac OS but this question was previously answered on SuperUser.
I'm using Node.js and trying to mimic the functionality of the following openssl command to generate a public key:
$> openssl ecparam -name prime256v1 -genkey -noout -out keys
$> openssl ec -in keys -pubout -out pubkey
The closest I have is:
var ec = crypto.createECDH('prime256v1');
var pub = ec.generateKeys("base64");
But this key is far shorter and doesn't work. Any ideas how I could mimic the functionality exactly?
I used OpenSSL to generate a certificate with the following steps:
~/openssl genrsa -out server.key 2048
~/openssl req -new -x509 -key server.key -out server.crt -days 730
And then loaded these files into node.js
var https = require('https');
var privateKey = fs.readFileSync('./server.key', 'utf8');
var certificate = fs.readFileSync('./server.crt', 'utf8');
var credentials = {
key: privateKey,
cert: certificate
};
var app = express();
var httpsServer = https.createServer(credentials, app);
This way, my server was running as expected. But in Chrome, when i click View Site Information, it was saying that I use an "obsolete cipher suite"..
So I checked Google's certificate, and it was saying a "modern cipher suite".
Only difference between my self-signed certificate and Google's was the Key Exchange Algorithm which was RSA on my side and ECDHE_ECDSA on Google's side.
So I decided to create a new certificate using;
~/openssl ecparam -name prime256v1 -genkey -param_enc explicit -out server.key
~/openssl req -new -x509 -key server.key -out server.crt -days 730
Files are created, and node.js gives no error about anything. But when I try to connect to server, my browser simply closes the connection (ERR_CONNECTION_CLOSED) with no indication of error on both server and client side.
I tried different private keys with different parameters but no luck. A simple error message somewhere would help a lot but I'm stuck for hours Googling about how to create Modern Ciphers, trying those out and end up having nothing.
So my question is, how am I supposed to create a self-signed strong/modern cipher (with openssl) that can work with Node.js https module?