By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

client cert creation ACM PCA issue-certificate vs AWS IoT issue create-certificate-from-csr

0

Goal : Create client certificate based on CSR request

Our device is capable of generating a self signed cert and can returns CSR for the certificate in base64 encoded DER blob.

With CSR (base64 encoded DER blob) we are able to successfully generate the client certificate using AWS IoT API as below and use to connect to AWS MQTT test client

aws iot create-certificate-from-csr --certificate-signing-request=file://certificate.csr

But if we use the same CSR (base64 encoded DER blob) AWS ACM PCA API as below, we get a CSR validation error

aws acm-pca issue-certificate --certificate-authority-arn “arn:aws:acm-pca:us-east-...” --csr file://certificate.csr --signing-algorithm SHA384WITHECDSA --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 --validity Value=9,Type="YEARS" --idempotency-token 1234

From my understanding, AWS ACM PCA, in issue-certificate API call, expects the CSR to be in https://www.rfc-editor.org/rfc/rfc7468#section-7 format

  • Why is there such a difference between AWS own services?
  • What's the standard and recommended way so that we do not have 2 different formats across services?
  • Is there any configuration on AWS IoT/PCA services to make them respond similarly?
Topics
Internet of Things (IoT)Security, Identity, & Compliance
Tags
AWS IoT CoreAWS Certificate Manager
Language
English
bsriramprasad
asked 2 years ago796 views
2 Answers
0

Hi,

We get the same error even with the option you suggested with AWS CLI version 2.9 Any other suggestions?

Regards Sriram

bsriramprasad
answered 2 years ago
  • Philipp S EXPERT
    2 years ago

    Can you provide the exact error message that you get?

  • bsriramprasad
    2 years ago

    error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

    As mentioned in my original question, CSR content sent to either API calls is same but one throws validation error and the other doesn't.

  • Philipp S EXPERT
    2 years ago

    Can you try fileb://... instead of file://...

  • bsriramprasad
    2 years ago

    We already tried that with similar response, we believe the issue is with expecting the line length to be of size 64? We referred to the issue discussion while trying that https://github.com/aws/aws-cli/issues/5011

  • Philipp S EXPERT
    2 years ago

    Can you share the (openssl) commands to create the key pair and csr? (Not the content of your files).

0

Hi bsriramprasad,

are you using the AWS CLI version 2? If yes try to add --cli-binary-format raw-in-base64-out to your command to issue the certificate.

Cheers,
Philipp

AWS
EXPERT
Philipp S
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content