aws-iot-device-sdk-embedded-C fleet_provisioning_with_csr demo how to save private key and certificate

0

I successfully ran the demo fleet_provisioning_with_csr_demo, but I'm not understanding how to save device.pem.crt and private.pem.key. Maybe someone can help?

(I also raised the ticket https://github.com/aws/aws-iot-device-sdk-embedded-C/issues/1874)

g@cinnamon:~/git/aws-iot-device-sdk-embedded-c/build$ ./bin/fleet_provisioning_with_csr_demo 
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:1460] PKCS #11 successfully initialized.
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x3 type object.
[INFO] [FLEET_PROVISIONING_DEMO] [pkcs11_operations.c:770] Writing certificate into label "Claim Cert".
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x1 type object.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:532] Establishing MQTT session with claim certificate...
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:544] Established connection with claim credentials.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:252] Received accepted response from Fleet Provisioning CreateCertificateFromCsr API.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:621] Received certificate with Id: XXXX
[INFO] [FLEET_PROVISIONING_DEMO] [pkcs11_operations.c:770] Writing certificate into label "Device Cert".
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x1 type object.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:279] Received accepted response from Fleet Provisioning RegisterThing API.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:696] Received AWS IoT Thing name: mythingprefix_S1234
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:722] Establishing MQTT session with provisioned certificate...
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:737] Sucessfully established connection with provisioned credentials.
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2002] Successfully closed PKCS #11 session.
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:1505] PKCS #11 was successfully uninitialized.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:765] Demo iteration 1 is successful.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:784] Demo completed successfully.
asked 8 months ago, 243 views
2 Answers
1

Hi Giuseppe. Since that demo uses a CSR for fleet provisioning, only a certificate will be generated. No new private key is created.

More information here: https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html

The demo uses the corePKCS11 library: https://github.com/FreeRTOS/corePKCS11. This is a mock implementation, a software hardware security module. The certificate created by fleet provisioning is saved as an object within it. That is what this message refers to:

[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x1 type object.

This comes from here: https://github.com/FreeRTOS/corePKCS11/blob/db05642c6c1f97055128f17c7962d7daf725d3c5/source/portable/mbedtls/core_pkcs11_mbedtls.c#L2918

Which I believe works its way down to here: https://github.com/FreeRTOS/corePKCS11/blob/db05642c6c1f97055128f17c7962d7daf725d3c5/source/portable/os/core_pkcs11_pal_utils.c#L67

And if so, the file created by the mock PKCS11 is named as shown here: https://github.com/FreeRTOS/corePKCS11/blob/db05642c6c1f97055128f17c7962d7daf725d3c5/source/portable/os/core_pkcs11_pal_utils.c#L47

However, this is not a PEM file because PKCS11 is being simulated. It's a DER file. So you may be best advised to use the ID returned here:

[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:621] Received certificate with Id: XXXX

And get the certificate using the CLI or console.

Greg_B (AWS EXPERT)
answered 8 months ago
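The answer above says the object file written by the software PKCS #11 PAL holds DER, not PEM, so it cannot be dropped in as device.pem.crt. The script below is an added example for this thread, not code from the SDK, corePKCS11 or the demo: it checks that a file is one well-formed DER SEQUENCE (the outer shape of an X.509 certificate), converts it to PEM, and also accepts PEM input so the same tool normalises either form. The file name of the "Device Cert" object comes from core_pkcs11_pal_utils.c and is not reproduced here; the path is passed on the command line. The sample bytes at the bottom are constructed for the test and are not real certificates.

```python
"""Turn the certificate object written by the corePKCS11 software PAL into PEM.

Added example for this thread, not code from the SDK, corePKCS11 or the demo.
Assumption: the PAL stores the "Device Cert" object as a plain DER file whose
name is defined in core_pkcs11_pal_utils.c; pass that path as the first argument.
"""
import base64
import re
import sys

# Matches one PEM block; group 1 is the label, group 2 the base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_outer_length(data: bytes) -> int:
    """Length in bytes of the outermost DER SEQUENCE in ``data``.

    An X.509 Certificate is SEQUENCE (tag 0x30) + definite length. Raises
    ValueError for anything that does not start that way.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: first byte is not 0x30")
    first = data[1]
    if first < 0x80:                       # short form, length < 128
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("indefinite or oversized DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der_certificate(data: bytes) -> bool:
    """True when ``data`` is exactly one well-formed DER SEQUENCE (no trailing junk)."""
    try:
        return der_outer_length(data) == len(data)
    except ValueError:
        return False


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Encode DER as PEM: base64 in 64-column lines between BEGIN/END markers."""
    if not looks_like_der_certificate(der):
        raise ValueError("input is not a single well-formed DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def to_pem(data: bytes) -> str:
    """Accept DER or PEM bytes and return normalised PEM text.

    The PEM branch re-decodes the body and re-checks it, so a truncated or
    mislabelled file is rejected instead of being copied through.
    """
    m = PEM_RE.search(data)
    if m:
        der = base64.b64decode(m.group(2))  # line breaks are ignored by b64decode
        return der_to_pem(der, m.group(1).decode("ascii"))
    return der_to_pem(data)


def convert_file(src: str, dst: str) -> str:
    """Read ``src`` (DER or PEM), write PEM to ``dst``, return the PEM text."""
    with open(src, "rb") as f:
        pem = to_pem(f.read())
    with open(dst, "w", encoding="ascii") as f:
        f.write(pem)
    return pem


# Constructed sample inputs (not real certificates): a short-form SEQUENCE
# holding INTEGER 5, and a long-form SEQUENCE holding a 130-byte OCTET STRING.
SAMPLE_DER_SHORT = bytes.fromhex("3003020105")
SAMPLE_DER_LONG = b"\x30\x81\x85" + b"\x04\x81\x82" + b"\x00" * 130

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} <pkcs11-object-file> <out.pem.crt>")
    print(convert_file(sys.argv[1], sys.argv[2]), end="")
```

If OpenSSL is on the box, `openssl x509 -inform DER -in <object-file> -out device.pem.crt` does the same conversion. For the route the answer recommends, the certificate ID printed by the demo can be fetched directly as PEM with `aws iot describe-certificate --certificate-id <id> --query certificateDescription.certificatePem --output text > device.pem.crt`. Either way, only the certificate is obtained this way; the private key never left the device in the CSR flow.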
0
Accepted Answer

I added a new demo https://github.com/giuspen/aws-iot-device-sdk-embedded-C/tree/GP_fleet_provisioning_keys_cert_demo/demos/fleet_provisioning/fleet_provisioning_keys_cert based on the CreateKeysAndCertificate API, where it is possible to save the new private key and certificate by defining DOWNLOADED_CERT_WRITE_PATH and DOWNLOADED_PRIVATE_KEY_WRITE_PATH.

answered 8 months ago
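With the CreateKeysAndCertificate flow the private key arrives over MQTT and has to be written to disk by the device, so the write itself becomes the sensitive step. The following is an added example for this thread, not the code in the linked fork: it shows the file handling a practitioner would want around DOWNLOADED_CERT_WRITE_PATH and DOWNLOADED_PRIVATE_KEY_WRITE_PATH (those two names are the only thing taken from the answer above; the function names, default paths and sample PEM strings are assumptions for illustration, and the "key material" is a placeholder, not a real key). The key file is created with mode 0600 before any bytes land in it, both files are written to a same-directory temp name and renamed atomically, and the PEM labels are checked so the two values cannot be swapped.

```python
"""Persist a freshly provisioned certificate and private key with safe file handling.

Added example for this thread; it is not the code in the linked fork. The
names DOWNLOADED_CERT_WRITE_PATH and DOWNLOADED_PRIVATE_KEY_WRITE_PATH come
from the fork's description; everything else here (function names, the
default paths, the sample PEM text) is an assumption for illustration.
"""
import os
import stat

CERT_LABELS = ("CERTIFICATE",)
KEY_LABELS = ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")


def pem_label(pem: str) -> str:
    """Return the label of the first PEM block, e.g. 'CERTIFICATE'."""
    head = pem.lstrip().split("\n", 1)[0]
    if not (head.startswith("-----BEGIN ") and head.endswith("-----")):
        raise ValueError("not PEM: missing BEGIN line")
    return head[len("-----BEGIN "):-len("-----")]


def write_file_atomically(path: str, data: bytes, mode: int) -> None:
    """Write ``data`` to ``path`` via a same-directory temp file and rename.

    O_EXCL refuses to follow a pre-planted symlink at the temp name; fchmod is
    applied before any bytes are written and is not subject to the umask; the
    rename is atomic, so a reader never sees a half-written key.
    """
    directory = os.path.dirname(os.path.abspath(path))
    tmp = os.path.join(directory, f".{os.path.basename(path)}.{os.getpid()}.tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
        view = memoryview(data)
        while view:                      # os.write may write fewer bytes than asked
            view = view[os.write(fd, view):]
        os.fsync(fd)
    finally:
        os.close(fd)
    try:
        os.replace(tmp, path)
    except OSError:
        os.unlink(tmp)
        raise


def save_provisioned_credentials(cert_pem: str, key_pem: str,
                                 cert_path: str, key_path: str) -> dict:
    """Validate the two PEM strings, write them, and report the resulting modes.

    The certificate is public (0644); the private key is readable only by the
    owner (0600). Returns {"cert": mode, "key": mode} as seen on disk.
    """
    if pem_label(cert_pem) not in CERT_LABELS:
        raise ValueError("certificate PEM has an unexpected label")
    if pem_label(key_pem) not in KEY_LABELS:
        raise ValueError("private key PEM has an unexpected label")
    write_file_atomically(cert_path, cert_pem.encode("ascii"), 0o644)
    write_file_atomically(key_path, key_pem.encode("ascii"), 0o600)
    return {
        "cert": stat.S_IMODE(os.stat(cert_path).st_mode),
        "key": stat.S_IMODE(os.stat(key_path).st_mode),
    }


# Constructed placeholders standing in for the CreateKeysAndCertificate
# response fields (certificatePem / privateKey); not real key material.
SAMPLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Hypothetical defaults, named after the fork's build-time definitions.
    cert_out = os.environ.get("DOWNLOADED_CERT_WRITE_PATH", "device.pem.crt")
    key_out = os.environ.get("DOWNLOADED_PRIVATE_KEY_WRITE_PATH", "private.pem.key")
    print(save_provisioned_credentials(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM, cert_out, key_out))
```

The same ordering (permissions first, then data, then rename) is what a C implementation of the fork's two write paths should follow with open(2) using O_CREAT|O_EXCL and mode 0600, fchmod(2), write(2), fsync(2) and rename(2); a plain fopen/fwrite to the final path briefly leaves the key world-readable under the default umask and readable half-written if the device loses power mid-write.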
