AWS IoT supports client certificates signed by other root certificate authorities (CAs). You can register client certificates signed by another root CA; however, if you want the device or client to register its client certificate when it first connects to AWS IoT, the root CA must be registered with AWS IoT.
Just-in-time provisioning and just-in-time registration require that you bring your own CA.
In this exercise you will create your own CA with AWS Certificate Manager Private Certificate Authority (ACM PCA). Then you will register the CA certificate with AWS IoT. This CA will be used for just-in-time provisioning and registration.
To create your own CA, some files have already been prepared in the directory ~/ACM_PCA.
cd ~/ACM_PCA
aws acm-pca create-certificate-authority \
--certificate-authority-configuration file://./ca-config.json \
--revocation-configuration file://./revoke-config.json \
--certificate-authority-type "ROOT" \
--idempotency-token $(date +'%Y%m%d%H%M%S')
The output of the command to create a certificate authority returns the ARN of the CA and looks similar to:
{
"CertificateAuthorityArn": "arn:aws:acm-pca:aws_region:aws_account_id:certificate-authority/aaa86144-52b7-4777-89bd-27388e44f6fe"
}
Assign the CA ARN to a shell variable
CA_ARN=REPLACE_WITH_YOUR_CA_ARN
Get the status of your CA
aws acm-pca describe-certificate-authority --certificate-authority-arn $CA_ARN
The status will be PENDING_CERTIFICATE, and you need to finish the setup of your CA.
Go to the AWS Certificate Manager console, open Private CAs, and select IoT Device Management CA. The status should be Pending certificate.
Install a CA certificate to activate your CA, using a validity of 10 Years and the signature algorithm SHA256WITHRSA.
Use a Cloud9 terminal to verify the status of your CA. It should now be ACTIVE
Get the CA certificate of your PCA and store it in the file acm-pca-root-ca.pem
aws acm-pca get-certificate-authority-certificate --certificate-authority-arn $CA_ARN --output text > acm-pca-root-ca.pem
Verify the content of your root CA certificate
openssl x509 -text -noout -in acm-pca-root-ca.pem
Get a registration code from AWS IoT and write the code to a shell variable for later use. This code will be used as the Common Name (CN) of a verification certificate that you will issue with your own CA.
REGISTRATION_CODE=$(aws iot get-registration-code --output text)
Verify that the shell variable was set correctly
echo $REGISTRATION_CODE
Generate a key and CSR for the verification certificate
openssl req -nodes -new -newkey rsa:2048 \
-keyout iot-registration.key \
-out iot-registration.csr \
-subj "/CN=$REGISTRATION_CODE"
Issue a certificate based on the CSR
aws acm-pca issue-certificate \
--certificate-authority-arn $CA_ARN \
--csr file://./iot-registration.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=1,Type="DAYS" \
--idempotency-token $(date +'%Y%m%d%H%M%S')
This command returns the certificate ARN and looks similar to:
{
"CertificateArn": "arn:aws:acm-pca:aws_region:aws_account_id:certificate-authority/4444791c-b956-476e-9ac0-7ffac9c196a4/certificate/7d7a88320133fc05ba097fc7f447bbbb"
}
Take note of the ARN; you will need it in subsequent commands.
Wait until ACM PCA has issued the certificate
aws acm-pca wait certificate-issued \
--certificate-authority-arn $CA_ARN \
--certificate-arn REPLACE_WITH_YOUR_CERTIFICATE_ARN
Get the certificate from ACM PCA
aws acm-pca get-certificate \
--certificate-authority-arn $CA_ARN \
--certificate-arn REPLACE_WITH_YOUR_CERTIFICATE_ARN > iot-registration.json
Extract the certificate from the output of the get-certificate call
jq -r '.Certificate' iot-registration.json > iot-registration.crt
Verify that the common name of the certificate has been set to your registration code
openssl x509 -text -noout -in iot-registration.crt -subject
The output should contain, among other lines:
subject= /CN=YOUR_IOT_REGISTRATION_CODE
Register the CA certificate with AWS IoT
aws iot register-ca-certificate \
--ca-certificate file://./acm-pca-root-ca.pem \
--verification-cert file://./iot-registration.crt
On success, the command returns JSON containing the certificate ARN and ID of the CA registered with AWS IoT, similar to:
{
"certificateArn": "arn:aws:iot:aws_region:aws_account_id:cacert/cert_id",
"certificateId": "cert_id"
}
Verify that the CA certificate has been registered successfully. You received the CA certificate ID in the output of the command above.
# assign the certificate id to a shell variable (for convenience)
CA_CERTIFICATE_ID=REPLACE_WITH_YOUR_CA_CERTIFICATE_ID
Look at what AWS IoT has stored about your CA
aws iot describe-ca-certificate --certificate-id $CA_CERTIFICATE_ID
Activate the CA certificate
aws iot update-ca-certificate --new-status ACTIVE --certificate-id $CA_CERTIFICATE_ID
You have created your own CA and registered it with AWS IoT. Your CA can now be used for just-in-time provisioning and just-in-time registration.