AWS IoT broker: how to register a client certificate with a 1024-bit key length?

0

Hi,

We are trying to register a self-signed X.509 certificate for client authentication to AWS IoT Core (aws iot register-certificate), but we get the error "The key in the certificate is not valid".
The problem seems related to the length of the key: it's 1024 bits, and we have no problems registering a certificate with a 2048-bit key. The signing algorithm is "SHA-256 with RSA".
Here there is a note about the key length of the CSR request, but no mention of the key length of a self-signed certificate: https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html

How can we register a self-signed certificate with a 1024-bit key length?

Thanks in advance for your support.

Reason for this question: we have an old device with few computing resources. Connecting to the broker using a client certificate with a 2048-bit key takes 10 seconds; using a client certificate with a 1024-bit key takes 4 seconds (we measured this using another broker, not AWS IoT). We know a 1024-bit key is not the best key, but 10 seconds to connect is too much.

Sam B
asked a year ago · 215 views
1 Answer
2
Accepted Answer

Hi,

The document you are referring to mentions: "The certificate signing request (CSR) must include a public key that is either an RSA key with a length of at least 2048 bits...". So you cannot use a key with a length smaller than 2048 bits.

But you could try to use custom authentication with AWS IoT Core to achieve your goal.

Cheers,
Philipp

AWS
EXPERT
answered a year ago
AWS EXPERT Greg_B
reviewed a year ago
  • Hi Philipp,

    The note also refers to the CreateCertificateFromCsr API, and this confuses me, since we are creating self-signed certificates instead. So does this rule also apply to self-signed certificates?

    Thank you for the custom authentication suggestion, we are considering this.

    Best Regards, Sam

  • Hi Sam. You will find confirmation here: https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-device-cert-key-quality.html

    "AWS IoT performs basic sanity checks on these certificates when they are registered. These checks include: Their cryptographic key sizes must meet a minimum required size (for RSA keys, they must be 2048 bits or larger)."

    I agree that perhaps the basic requirements set out there could also be listed on the link you gave. Please consider using the Feedback button on that page.

  • Hi Greg,

    Thank you for the confirmation, feedback sent.

    We explored other ways, and connecting with an ECC key from NIST P-256 (curve secp256r1) takes 5 seconds; it's more secure than RSA 1024 and good enough for our requirements.

    We can share this link; we found it very useful for optimization parameters: https://csrc.nist.gov/csrc/media/events/lightweight-cryptography-workshop-2015/documents/presentations/session7-vincent.pdf

    Thanks again,

    Best Regards, Sam

  • Thanks for the link Sam. Interesting document.
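A pre-flight check for the rule confirmed in this thread, added here as an example (not code from AWS or from the posters): it loads a PEM client certificate and rejects RSA keys below 2048 bits before you call `aws iot register-certificate`, and accepts the P-256 EC key the asker moved to. It assumes the `cryptography` package is installed; the allowed-curve set containing only secp256r1 is an assumption, since the thread only reports that curve working.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

# Minimum RSA size from the AWS IoT device-certificate key-quality check quoted above.
MIN_RSA_BITS = 2048
# Assumption: only P-256 (the curve the asker reported working) is listed here.
ALLOWED_EC_CURVES = {"secp256r1"}

def check_cert_key(pem: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for a PEM-encoded X.509 client certificate."""
    key = x509.load_pem_x509_certificate(pem).public_key()
    if isinstance(key, rsa.RSAPublicKey):
        if key.key_size < MIN_RSA_BITS:
            return False, f"RSA key is {key.key_size} bits, need >= {MIN_RSA_BITS}"
        return True, f"RSA {key.key_size} bits"
    if isinstance(key, ec.EllipticCurvePublicKey):
        if key.curve.name not in ALLOWED_EC_CURVES:
            return False, f"EC curve {key.curve.name} is not in the allowed set"
        return True, f"EC {key.curve.name}"
    return False, f"unsupported key type {type(key).__name__}"

def make_self_signed(key, cn: str = "test-device") -> bytes:
    """Build a throwaway self-signed certificate (constructed test input)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))  # "SHA-256 with RSA", or ECDSA-SHA256 for EC
    return cert.public_bytes(serialization.Encoding.PEM)

def demo() -> dict:
    """Run the check on the three key types discussed in the thread."""
    cases = {
        "rsa1024": rsa.generate_private_key(65537, 1024),
        "rsa2048": rsa.generate_private_key(65537, 2048),
        "p256": ec.generate_private_key(ec.SECP256R1()),
    }
    return {n: check_cert_key(make_self_signed(k)) for n, k in cases.items()}

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'OK' if ok else 'REJECT'} ({why})")
```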
