
Does GGv2 MQTT server certificate rotation require internet connectivity?


I'm trying to determine whether AWS IoT Greengrass v2 requires internet connectivity to rotate the local MQTT server certificate. Connectivity is explicitly required in GGv1 but does not appear to be explicitly documented in GGv2.


GGv1 docs

In GGv1, the requirement is explicit (source):

"The MQTT server certificate is signed by the group CA certificate, which is stored in the cloud. For certificate rotation to occur, your Greengrass core device must be online and able to access the AWS IoT Greengrass service directly on a regular basis."


GGv2 docs

The GGv2 docs describe the mechanism but never explicitly address whether internet is required.

From connecting-to-mqtt:

"The client device auth component issues an X.509 certificate using the core device CA. The certificate is rotated when the broker starts, when the certificate expires, or when connectivity information such as the IP address changes."

From device-auth:

"This certificate is signed by the core device CA certificate, which the core device stores in the AWS IoT Greengrass cloud."

The CA is described as being stored in the cloud, which implies rotation might require cloud access. However, empirical testing (below) suggests otherwise.


What I found empirically

Inspecting the file system, the core device CA appears to be cached locally:

/greengrass/v2/work/aws.greengrass.clientdevices.Auth/
  ca.jks
  ca.pem
  clients/

Testing performed (all with internet disconnected)

  1. Restarted the Greengrass service — client devices reconnected successfully
  2. Restarted only the Moquette component — client devices reconnected successfully
  3. Deleted keystore.jks and restarted Moquette — file was recreated, client devices reconnected successfully
  4. Modified the Auth component IP configuration via the Debug Console — caused Moquette to restart, client devices reconnected successfully

In all tests, client devices were able to connect to the core offline (all devices were previously connected with cloud connection to initialize client trust).


Questions

  1. Does GGv2 MQTT server certificate rotation require internet connectivity? My testing suggests no, but the docs describe the core CA as stored "in the AWS IoT Greengrass cloud".
  2. Is this offline cert rotation behavior guaranteed and supported, or is it an undocumented side effect that could change in a future release?

Testing Configuration

Parameter                                     Value
serverCertificateValiditySeconds              864000 (10 days, maximum)
clientDeviceTrustDurationMinutes              2147480000
aws.greengrass.clientdevices.Auth             v2.5.5
aws.greengrass.clientdevices.mqtt.Moquette    v2.3.7

Thank you!

asked 3 months ago, 42 views

1 Answer

Accepted Answer

No, GGv2 does not require internet connectivity to rotate the local MQTT server certificate. This is a change from GGv1.

In GGv1, the MQTT server certificate was signed by a group CA stored in the cloud, so the core device needed to reach the Greengrass service for rotation.

In GGv2, the core device has its own local CA (the "core device CA"), and the MQTT server certificate is issued locally by the client device auth component. The rotation (default every 7 days, configurable 2–10 days) happens entirely on-device — the core device generates a new certificate and restarts the local MQTT broker with no cloud call required.

The only cloud interaction related to this CA is the initial registration of the core device CA when the client device auth component first connects. The core device CA itself expires after 5 years.

If you need fully offline operation, you can also provide your own CA via the certificateAuthority configuration parameter in the client device auth component, which eliminates even the initial cloud registration dependency.

answered 2 months ago
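As an added example (not code from the question, the answer, or AWS), a stdlib-only Python probe that captures which server certificate the local broker presents and verifies it against the ca.pem the question found cached on disk; run it before and after each offline step (service restart, Moquette restart, keystore deletion, IP change) and compare the snapshots to confirm a fresh certificate was issued by the same local CA. The broker address and the client device cert/key paths are assumed placeholders.

```python
"""Snapshot the Greengrass v2 MQTT broker's server certificate over mutual TLS.

Verification trusts only the locally cached core device CA, so a completed
handshake is itself evidence that the (possibly rotated) certificate was
issued by that CA without any cloud call.
"""
import hashlib
import socket
import ssl

# Path observed in the question; broker address and client paths are assumptions.
CA_PEM = "/greengrass/v2/work/aws.greengrass.clientdevices.Auth/ca.pem"
BROKER = ("localhost", 8883)                     # assumed broker address
CLIENT_CERT = "/path/to/client-device.cert.pem"  # placeholder: a trusted client device cert
CLIENT_KEY = "/path/to/client-device.key.pem"    # placeholder: its private key


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def probe_broker(host, port, ca_pem, client_cert, client_key):
    """Complete a mutual-TLS handshake and return a snapshot of the server cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # broker certs carry IP SANs, not a DNS name
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must end at the cached core device CA
    ctx.load_verify_locations(cafile=ca_pem)
    ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            info = tls.getpeercert()   # parsed fields are only populated after verification
            der = tls.getpeercert(binary_form=True)
    return {
        "fingerprint": fingerprint(der),
        "serial": info.get("serialNumber"),
        "not_after": info.get("notAfter"),
        "issuer": info.get("issuer"),
    }


def rotation_evidence(before: dict, after: dict) -> dict:
    """Did the broker present a new certificate, and is it still from the same issuer?"""
    return {
        "rotated": before["fingerprint"] != after["fingerprint"],
        "same_issuer": before["issuer"] == after["issuer"],
        "new_expiry": after["not_after"],
    }


if __name__ == "__main__":
    print(probe_broker(*BROKER, CA_PEM, CLIENT_CERT, CLIENT_KEY))
```

A handshake failure after a step means the presented certificate no longer chains to the cached CA, which is the condition the question's tests were checking for.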
