Why is my CSR invalid?

0

I'm trying to use a CSR to create a thing, but I am getting back this:

C:\work\gabraun\braun-stack\cert_test>aws iot register-thing --parameters file://./parameters.json --template-body file://./resources.json

An error occurred (ResourceRegistrationFailureException) when calling the RegisterThing operation: Register thing workflow execution terminates due to: CSR violates constraints

I just created the certificate with OpenSSL (just as a test):

cepasp@gis-cpiggott:~/work/gabraun/braun-stack/cert_test$ openssl req -newkey rsa:2048 -keyout PRIVATEKEY.key -out MYCSR.csr
.........................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.....++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Rochester
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RIT
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:site1234
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The CSR I get back is included below. It's a dummy certificate and key, so I don't care if you know what it is; it won't do anything.

Question: is there some way to tell WHY it thinks this certificate is invalid? How do I debug this?

template:

{
    "Parameters": {
        "ThingName": {
            "Type": "String"
        },
        "customer": {
            "Type": "String"
        },
        "CSR": {
            "Type": "String"
        }
    },
    "Resources": {
        "thing": {
            "Type": "AWS::IoT::Thing",
            "Properties": {
                "ThingName": {"Ref": "ThingName"},
                "AttributePayload": {
                    "version": "v1"
                },
                "ThingTypeName": "washnet-agent",
                "ThingGroups": [
                ]
            },
            "OverrideSettings": {
                "AttributePayload": "MERGE",
                "ThingTypeName": "REPLACE",
                "ThingGroups": "DO_NOTHING"
            }
        },
        "certificate": {
            "Type": "AWS::IoT::Certificate",
            "Properties": {
                "CertificateSigningRequest": {"Ref": "CSR"},
                "Status": "ACTIVE"
            }
        },
        "policy": {
            "Type": "AWS::IoT::Policy",
            "Properties": {
                "PolicyDocument":"{ \"Version\": \"2012-10-17\", \"Statement\": [{ \"Effect\": \"Allow\", \"Action\":[\"iot:Publish\"], \"Resource\": [\"arn:aws:iot:us-east-1:123456789012:topic/foo/bar\"] }] }"
            }
        }
    }
}

parameters:

{
	"ThingName": "test_thing",
	"customer": "abcd",
	"CSR": "-----BEGIN CERTIFICATE REQUEST-----\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\n-----END CERTIFICATE REQUEST-----\n"
}

What I'd like is that I send in a CSR with a CN of my choosing, and any other fields I might want, and RegisterThing signs it and sends it back to me.

If I take this same CSR and load it into the console manually (IOT / Security / Certificates) it loads just fine. So I don't really believe that the problem is with the CSR itself, even though that's what the error message says.

wz2b
asked a year ago, 578 views
1 Answer
1
Accepted Answer

Never mind. I figured it out. I was actually requesting a 1024 bit key, but I found THIS that explains that the key must be 2048 bits long and use one of a certain set of algorithms. I had tried 2048 originally but must have made some other mistake, changed it to 1024 and then it didn't work. I repeated all of the above but with 2048 bits and no other changes and now it's ok.

wz2b
answered a year ago
EXPERT reviewed 2 months ago
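The constraint the accepted answer names (an RSA key of exactly 2048 bits) can be checked locally before calling RegisterThing, which answers the "how do I debug this" part of the question. The Python below is an added example, not code from the question or from AWS: it walks the CSR's DER with a minimal parser (no third-party library) and reports the key algorithm and size; `fake_csr_pem` builds a constructed, unsigned dummy CSR so the check can be exercised offline, and the function names are mine.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, OID 1.2.840.113549.1.1.1

def der_children(buf):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def csr_key_info(pem):
    """Return (is_rsa, modulus_bits) for the public key carried by a PEM CSR."""
    der_bytes = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    cri = der_children(der_children(der_bytes)[0][1])[0][1]  # CertificationRequestInfo
    alg_id, pub_key = der_children(der_children(cri)[2][1])   # SubjectPublicKeyInfo
    if der_children(alg_id[1])[0][1] != RSA_OID:
        return False, 0
    modulus = der_children(der_children(pub_key[1][1:])[0][1])[0][1]  # skip BIT STRING unused-bits byte
    return True, int.from_bytes(modulus, "big").bit_length()

def csr_problem(pem):
    """Explain why RegisterThing would reject the CSR, or None if the key is RSA-2048."""
    is_rsa, bits = csr_key_info(pem)
    if not is_rsa:
        return "public key is not RSA"
    return None if bits == 2048 else f"RSA key is {bits} bits, RegisterThing requires 2048"

def der(tag, payload):  # encode one DER TLV; used only to build the constructed sample below
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    lb = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def fake_csr_pem(bits):
    """Constructed sample: a CSR for CN=site1234 with a dummy, unsigned RSA key of `bits` bits."""
    modulus = (1 << (bits - 1)) | 1  # not a real key, just a modulus of the requested size
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big")) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    subject = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"site1234"))))
    cri = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xa0, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    b64 = base64.b64encode(der(0x30, cri + sig_alg + der(0x03, b"\x00" + bytes(bits // 8)))).decode()
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE REQUEST-----\n"
```

For a real request, `csr_problem(open("MYCSR.csr").read())` gives the same verdict; `openssl req -in MYCSR.csr -noout -text` shows the key size too, but the script is easy to drop into a pre-flight check before the `aws iot register-thing` call.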
