Developer-mode Key Provisioning - Option #2

0

In this link: https://docs.aws.amazon.com/freertos/latest/userguide/dev-mode-key-provisioning.html In Option #2, what is the purpose of the following?

openssl genrsa -out tempCsrSigner.key 2048

openssl req -new -key tempCsrSigner.key -out deviceCert.csr

Why can't rootCA.pem (which has been registered) be used to sign device public key (DevicePublicKey.pem) directly? I also don't understand the below:

openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256 -force_pubkey DevicePublicKey.pem

Why use "-force_pubkey"?

Asked 2 years ago, 210 views
1 answer
0

To request a CA to generate a device certificate you need a Certificate Signing Request (CSR). A CSR contains the device public key, metadata like CommonName, Org, serial number, etc., and is normally signed by the device private key. In this case, the FreeRTOS demo project does not contain the logic to create this CSR, so we can't perform this action on the device and we need a solution to generate the CSR outside the device without having access to the device private key.

If the private key is stored in a secure module on the device, we won't even be able to extract the device private key from the device to generate the CSR outside of the device. So we need an alternative way to create the CSR. That's the reason the tempCsrSigner.key private key is generated outside the device, and this key pair is used to create the device CSR. The generated CSR now of course contains the wrong public key (tempCsrSigner). Hence the -force_pubkey DevicePublicKey.pem to provide the actual device public key when you create the device certificate signed by your CA.

An important step that is omitted here is to verify that the CSR is signed by the tempCsrSigner.key before the device certificate is generated.

AWS Expert
Jan_B
Answered 2 years ago
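The Option #2 flow end to end, including the CSR signature check the answer says the AWS doc omits, as an added example that is not part of the question, the answer or the AWS documentation. It assumes a throwaway CA in place of the registered rootCA.pem/rootCA.key and simulates the device key pair on the host (a real device never exports its private key); all subject names are constructed.

```shell
#!/bin/sh
# Added example, not from the re:Post thread or the AWS doc.
# File names follow the AWS page; the device key pair is simulated here
# because this script has no secure element (assumption).
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Stand-in for the device key pair. On a real device the private key
#    stays in the secure module; only DevicePublicKey.pem is exported.
openssl genrsa -out device_private_simulated.key 2048 2>/dev/null
openssl rsa -in device_private_simulated.key -pubout -out DevicePublicKey.pem 2>/dev/null

# 2. Throwaway CA standing in for the registered rootCA.pem / rootCA.key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA.key -out rootCA.pem \
  -subj "/CN=example-root-ca" -days 30 2>/dev/null

# 3. Temporary signer key and a CSR signed by it. The CSR carries the
#    temp signer's public key, i.e. the "wrong" key.
openssl genrsa -out tempCsrSigner.key 2048 2>/dev/null
openssl req -new -key tempCsrSigner.key -out deviceCert.csr \
  -subj "/CN=example-device-0001" 2>/dev/null

# 4. The step the answer says is omitted: verify the CSR's self-signature
#    before the CA signs anything.
openssl req -in deviceCert.csr -verify -noout

# 5. Issue the device certificate, swapping in the real device public key.
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key \
  -CAcreateserial -out deviceCert.pem -days 500 -sha256 \
  -force_pubkey DevicePublicKey.pem 2>/dev/null

# cert_key_source reports which public key ended up inside deviceCert.pem:
# "device" if -force_pubkey worked, "tempsigner" if the CSR key leaked through.
cert_key_source() {
  cert_pub=$(openssl x509 -in deviceCert.pem -pubkey -noout | openssl sha256)
  dev_pub=$(openssl sha256 < DevicePublicKey.pem)
  tmp_pub=$(openssl rsa -in tempCsrSigner.key -pubout 2>/dev/null | openssl sha256)
  if [ "$cert_pub" = "$dev_pub" ]; then echo device
  elif [ "$cert_pub" = "$tmp_pub" ]; then echo tempsigner
  else echo unknown; fi
}

# Chain check, the same thing AWS IoT does against the registered CA.
openssl verify -CAfile rootCA.pem deviceCert.pem
cert_key_source
```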
