
Correct Root CA for AWS IoT MQTT server

Hi All,
I am using the CC3100 Wi-Fi chip from TI and I have ported the AWS IoT SDK for our project. I have one confusion regarding the correct root CA.
I have tried the following root CAs so far:
RSA 2048-bit key: Amazon Root CA 1.
ECC 256-bit key: Amazon Root CA 3.
RSA 2048-bit key: VeriSign Class 3 Public Primary G5 root CA certificate.
Cross-signed Amazon Root CA 1
Cross-signed Amazon Root CA 3
These certificates did not work at all. No signer error was coming. Then I was told to use the Starfield root CA, so I downloaded this one:
Starfield Class 2 Certification Authority, from here:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/

This is working. Can anyone explain to me what the difference is between all these root CAs, and why this one is working and not the Amazon root CAs? And what is the expiry date of this root CA?

Thanks

Akhilesh

1 Answer
Accepted Answer

Hi Akhilesh,

Thank you for reaching out.

The Starfield Root CA certificate is a publicly trusted root certificate that has been in existence for a while and is present in most standard trust stores. The other Amazon root CAs are also publicly trusted root certificates, but are slightly newer additions to trust stores. As you mentioned, they are cross-signed by the Starfield root to provide a seamless transition while the Amazon root certificates are becoming ubiquitously included in trust stores.

The IoT servers will present a certificate chain containing the cross-signed ATS root CA as well as the Starfield intermediate CAs. As per our documentation on server authentication, some clients will allow authentication if and only if the root CA certificate is in the trust store. Using an intermediate certificate on these clients will yield an authentication failure.

The Starfield root CA has an expiration date of Dec 31 23:59:59 2037 GMT. CA certificates have an expiration date after which they cannot be used to validate a server's certificate. CA certificates might have to be replaced before their expiration date. We recommend that you make sure that you can update the root CA certificates on all of your devices or clients to help ensure ongoing connectivity and to keep up to date with security best practices.

answered 2 years ago
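The answer's point is that the endpoint presents a chain ending in a particular root, and that some clients only accept a trust anchor that is exactly that root. The following script is an added example, not code from the thread or from AWS: it inspects the chain the endpoint sends and tries a handshake anchored on each candidate CA file, so you can see which root the chain terminates in and which file validates it. The endpoint name and the CA file names are placeholders you must replace.

```shell
#!/bin/sh
# Added example, not from the original thread. ENDPOINT is a placeholder;
# set it to your own ATS endpoint. Port 8883 is the MQTT-over-TLS port.
ENDPOINT="${ENDPOINT:-YOUR-ENDPOINT-ats.iot.YOUR-REGION.amazonaws.com}"
PORT=8883

# Read `openssl s_client` output on stdin and print only the final
# verification result, e.g. "0 (ok)" or "21 (unable to verify ...)".
verify_result() {
    sed -n 's/^ *Verify return code: *//p' | tail -n 1
}

# Read `openssl s_client` output on stdin and print the subject (s:) and
# issuer (i:) of every certificate in the "Certificate chain" section, so the
# last issuer line shows which root the presented chain actually ends in.
show_chain() {
    sed -n '/^Certificate chain/,/^---$/p' | grep -E '^ *([0-9]+ +)?[si]:'
}

# Attempt a TLS handshake to the endpoint using one CA file as the only
# trust anchor, and report the verification result for that file.
check_ca() {
    cafile="$1"
    out=$(openssl s_client -connect "$ENDPOINT:$PORT" -servername "$ENDPOINT" \
              -CAfile "$cafile" -showcerts </dev/null 2>/dev/null || true)
    printf '%s: %s\n' "$cafile" "$(printf '%s\n' "$out" | verify_result)"
}

# Show the chain once, then test each candidate trust anchor. The file
# names are assumptions; use whatever you downloaded.
run_checks() {
    openssl s_client -connect "$ENDPOINT:$PORT" -servername "$ENDPOINT" \
        -showcerts </dev/null 2>/dev/null | show_chain
    for ca in "$@"; do
        [ -f "$ca" ] && check_ca "$ca"
    done
}

# Run only when CA file names are given on the command line.
if [ "$#" -gt 0 ]; then
    run_checks "$@"
fi
```

Invoke it as `ENDPOINT=... sh check_ca.sh AmazonRootCA1.pem AmazonRootCA3.pem SFSRootCAG2.pem`; a non-zero verify code for a file means that file is not a usable anchor for the presented chain.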
