I'm trying to use a CSR to create a thing, but I am getting back this:
C:\work\gabraun\braun-stack\cert_test>aws iot register-thing --parameters file://./parameters.json --template-body file://./resources.json
An error occurred (ResourceRegistrationFailureException) when calling the RegisterThing operation: Register thing workflow execution terminates due to: CSR violates constraints
I just created the certificate with OpenSSL (just as a test):
cepasp@gis-cpiggott:~/work/gabraun/braun-stack/cert_test$ openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
.........................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Rochester
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RIT
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:site1234
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CSR I get back is included below. It's a dummy certificate and key, so I don't care if you know what it is; it won't do anything.
Question: is there some way to tell WHY it thinks this certificate is invalid? How do I debug this?
template:
{
  "Parameters": {
    "ThingName": {
      "Type": "String"
    },
    "customer": {
      "Type": "String"
    },
    "CSR": {
      "Type": "String"
    }
  },
  "Resources": {
    "thing": {
      "Type": "AWS::IoT::Thing",
      "Properties": {
        "ThingName": {"Ref": "ThingName"},
        "AttributePayload": {
          "version": "v1"
        },
        "ThingTypeName": "washnet-agent",
        "ThingGroups": [
        ]
      },
      "OverrideSettings": {
        "AttributePayload": "MERGE",
        "ThingTypeName": "REPLACE",
        "ThingGroups": "DO_NOTHING"
      }
    },
    "certificate": {
      "Type": "AWS::IoT::Certificate",
      "Properties": {
        "CertificateSigningRequest": {"Ref": "CSR"},
        "Status": "ACTIVE"
      }
    },
    "policy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {
        "PolicyDocument":"{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\":[\"iot:Publish\"], \"Resource\": [\"arn:aws:iot:us-east-1:123456789012:topic/foo/bar\"] }] }"
      }
    }
  }
}
parameters:
{
  "ThingName": "test_thing",
  "customer": "abcd",
  "CSR": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBlDCB/gIBADBVMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxEjAQBgNVBAcMCVJvY2hlc3RlcjEMMAoGA1UECgwDUklUMREwDwYDVQQDDAhzaXRlMTIzNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuh6fnhGNWf7XC6VSQHGyfASV7Ph2Fh0dG/UYstx5eVeA7NVkHVhiV1zaoVgnF2iGWUUYNQI4dKm5Jao1dCOqLXF4twxQd176l8kr4h87a/N2V14r7Un8mVUK7bMuaWQ8Xf0cNfROkqzixbHjhtz1EVRxJmX08ZWs6AHMKBri/wECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBADq7pbZeE4T6V7ou+7inJmMlVqRe+KXX4r38r0Ghqj59JS0ip2mS3KNkw0LkBz79eNjsmMgYcdYc4w6P4Hr3z5L/cTCFek84khPuHg3jmk6ZibwafYrEVuC29l+g7AkEB1kX2GlQBOFIeLn8ihZdDVoJQeFRsdVcLmjXdFEnuKpn\n-----END CERTIFICATE REQUEST-----\n"
}
What I'd like is that I send in a CSR with a CN of my choosing, and any other fields I might want, and RegisterThing signs it and sends it back to me.
If I take this same CSR and load it into the console manually (IOT / Security / Certificates) it loads just fine. So I don't really believe that the problem is with the CSR itself, even though that's what the error message says.
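For the "how do I debug this" part, one local check before calling register-thing: the script below (an added example using only the Python standard library, not code from the question or from AWS) decodes the PEM CSR the way the CLI reads it from parameters.json and reports the fields a registration service constrains: subject CN, key algorithm and size, and signature algorithm. The sample input is the CSR from the post; the KEY_ALGS, CURVES and SIG_ALGS tables are simply the OIDs the script knows how to name.

```python
import base64, re
# Sample input: the CSR from the question's parameters.json (copied from the post, not generated here).
CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
           "MIIBlDCB/gIBADBVMQswCQYDVQQGEwJVUzERMA8GA1UECAwITmV3IFlvcmsxEjAQBgNVBAcMCVJvY2hlc3RlcjEMMAoGA1UECgwDUklUMREwDwYDVQQDDAhzaXRlMTIzNDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuh6fnhGNWf7XC6VSQHGyfASV7Ph2Fh0dG/UYstx5eVeA7NVkHVhiV1zaoVgnF2iGWUUYNQI4dKm5Jao1dCOqLXF4twxQd176l8kr4h87a/N2V14r7Un8mVUK7bMuaWQ8Xf0cNfROkqzixbHjhtz1EVRxJmX08ZWs6AHMKBri/wECAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4GBADq7pbZeE4T6V7ou+7inJmMlVqRe+KXX4r38r0Ghqj59JS0ip2mS3KNkw0LkBz79eNjsmMgYcdYc4w6P4Hr3z5L/cTCFek84khPuHg3jmk6ZibwafYrEVuC29l+g7AkEB1kX2GlQBOFIeLn8ihZdDVoJQeFRsdVcLmjXdFEnuKpn\n"
           "-----END CERTIFICATE REQUEST-----\n")
KEY_ALGS = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}
CURVES = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384}     # named curves for id-ecPublicKey
SIG_ALGS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                           # long-form length
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # (tag, value) pairs nested inside a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(value):  # OBJECT IDENTIFIER contents -> dotted form
    arcs, acc = list(divmod(value[0], 40)), 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_csr(pem):  # -> subject CN, key algorithm and size, signature algorithm of a PEM CSR
    der = base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))
    (_, cri), (_, sig_alg), _ = _children(_tlv(der, 0)[1])     # CertificationRequest ::= SEQUENCE
    _version, (_, subject), (_, spki), *_ = _children(cri)
    cn = None
    for _, rdn in _children(subject):                           # Name: sequence of SET OF AttributeTypeAndValue
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            cn = val.decode() if _oid(oid) == "2.5.4.3" else cn  # 2.5.4.3 = commonName
    (_, alg), (_, bitstr) = _children(spki)
    alg_parts = _children(alg)                                  # [algorithm OID, parameters]
    alg_oid, bits = _oid(alg_parts[0][1]), None
    if KEY_ALGS.get(alg_oid) == "RSA":                          # size = modulus bits; bitstr[0] is the unused-bits byte
        bits = int.from_bytes(_children(_tlv(bitstr[1:], 0)[1])[0][1], "big").bit_length()
    elif KEY_ALGS.get(alg_oid) == "EC":                         # size follows from the named curve
        bits = CURVES.get(_oid(alg_parts[1][1]))
    sig_oid = _oid(_children(sig_alg)[0][1])
    return {"subject_cn": cn, "key_algorithm": KEY_ALGS.get(alg_oid, alg_oid), "key_bits": bits,
            "signature_algorithm": SIG_ALGS.get(sig_oid, sig_oid)}
```

On the CSR above, inspect_csr(CSR_PEM) reports an RSA key of 1024 bits, signed with sha256WithRSAEncryption, with CN site1234; those are the values to compare against the CSR key requirements in the AWS IoT documentation.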