Using Private CA In AWS IoT

Hello,

For authentication of Things in IoT we can use Certificate Signing Requests that then get signed using Amazon's Web Services certificate, which in turn is signed by one of Amazon's Root CAs.

We've found out that because we can't download the intermediate Root Cert:
issuer= /OU=Amazon Web Services O=Amazon.com Inc. L=Seattle ST=Washington C=US

we cannot use this certificate for anything else (for example as a certificate for WiFi EAP-TLS).

So now we are looking at using a Private CA.

We don't want to double up on management of certificates for our devices (provisioning is difficult enough as it is), so we would like to use our own AWS instance of a private CA for both EAP-TLS identification and IoT identification.

In setting the CA in IoT I haven't found a way to point it to a CA that is managed by AWS Private CA.

Is this possible? Is there a way to link our private CA so that it is also used by AWS IoT?
Or do we have to start all the way from scratch and generate the root CA ourselves first using OpenSSL?

Thanks,
Tom

clogwog
asked 4 years ago, 1003 views
5 Answers
Accepted Answer

Sorry for the issue. Currently AWS IoT does not support using ACM's Private CAs while generating certificates in the CreateKeysAndCertificate API. However, you can generate a certificate signed by the private CA and register it with AWS IoT without proving the CA (token etc.). We have a feature called Multi Account Registration[1] certificates that will allow you to register the certificates without proving CA ownership.

Hope it helps,

[1] - https://aws.amazon.com/about-aws/whats-new/2020/04/simplify-iot-device-registration-and-easily-move-devices-between-aws-accounts-with-aws-iot-core-multi-account-registration/

AWS
answered 4 years ago
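
The flow the accepted answer describes, as an added example that is not part of the original answer or AWS's own code: a device CSR is signed by AWS Private CA and the resulting certificate is registered with AWS IoT through `register-certificate-without-ca`. The CA ARN placeholder, the file names, the RSA key type (which assumes an RSA CA key) and the 365-day validity are assumptions, and the script only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Assumed names: PCA_ARN placeholder,
# <thing>.key/.csr/.pem file names, RSA-2048 keys, 365-day validity.
PCA_ARN="${PCA_ARN:-arn:aws:acm-pca:REGION:ACCOUNT_ID:certificate-authority/PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the device key is generated locally; only the CSR goes to the CA.
make_csr() {
  run openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1"
}

# Step 2: AWS Private CA signs the CSR (the CA private key never leaves AWS).
issue_cert() {
  run aws acm-pca issue-certificate --certificate-authority-arn "$PCA_ARN" \
    --csr "fileb://$1.csr" --signing-algorithm SHA256WITHRSA \
    --validity Value=365,Type=DAYS --query CertificateArn --output text
}

# Step 3: wait for issuance, then print the signed device certificate (PEM).
fetch_cert() {
  run aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$PCA_ARN" --certificate-arn "$1" &&
  run aws acm-pca get-certificate --certificate-authority-arn "$PCA_ARN" \
    --certificate-arn "$1" --query Certificate --output text
}

# Step 4: register the device certificate in AWS IoT without registering the CA.
register_cert() {
  run aws iot register-certificate-without-ca \
    --certificate-pem "file://$1.pem" --status ACTIVE
}

# Full flow for one device: DRY_RUN=0 PCA_ARN=<your CA ARN> provision sensor01
provision() {
  make_csr "$1" || return 1
  if [ "$DRY_RUN" = "1" ]; then
    issue_cert "$1" && fetch_cert "CERT_ARN_FROM_STEP_2"
  else
    cert_arn=$(issue_cert "$1") && fetch_cert "$cert_arn" > "$1.pem"
  fi || return 1
  register_cert "$1"
}
```

A certificate registered without its CA is accepted only when the device sends the SNI extension with the full AWS IoT endpoint name when it connects.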

Hi,

During device creation, in the certificate step, you can select "Use my certificate". Isn't that what you're looking for?

Edited by: SebastiaanM on Sep 7, 2020 4:29 AM

answered 4 years ago

Hi,

When I select 'Use my certificate' it first asks me to:

"Select or register the CA certificate used to sign your device certificates. To use device certificates that are not signed by a registered CA"

Under that it has no option to select my Private CA that I just generated in AWS Private CA.

If I then select "Register CA" it asks me to sign a 'token' with my private CA (to prove I'm the owner of the CA) using OpenSSL.
Seeing I created the Private CA inside the AWS environment, I do not have access to the private key...

I was expecting to see an integration of AWS Private CA and AWS IoT...

Am I expecting too much?

clogwog
answered 4 years ago

Hi,

I am not familiar with AWS Private CA, but it seems to allow creation of private CAs (which fall under the root CAs of Amazon). So, indeed, if you directly use a root CA as authority, you can't have its private key. But for a private subordinate CA, that should be possible, so you can download all info and use the required SSL commands to register that CA in AWS IoT?

Maybe a bit cumbersome though, I agree.

BR,
Sebastiaan

answered 4 years ago

Hi,

Thank you for your response. I really appreciate it.

We only created 1 root Private CA in AWS Private CA and it doesn't fall under Amazon's Root CAs. It's a self-signed Root CA certificate.

Fair enough that I cannot access the private key, as you would like to use Amazon's hardware storage for private keys,
but they should at least be able to hand it over to AWS IoT without having to first generate your own Root CA using OpenSSL and losing the only reason for paying for Private Root CA.

I wonder if they just haven't gotten to integrating Private CA with IoT yet...
You can use it for pure SSL certs like in Elastic Load Balancing and plain AWS web servers.

But for anything non-standard (like using it in AWS IoT or exporting certs for EAP-TLS), we cannot even use the Certificate Manager.

I was hoping I was missing something, but I think it may not be worth the money in our case.
[Amazon official, please prove me wrong!!]

clogwog
answered 4 years ago