Unable to authenticate to AWS IoT using private CA



I'm having a hard time authenticating to my basic AWS IoT endpoint using certificates generated by my own (Non AWS) CA.

I have registered my subordinate CA by completing the steps outlined in this document https://docs.aws.amazon.com/iot/latest/developerguide/create-CA-verification-cert.html?icmpid=docs_iot_console_secure_ca_reg.

The certificate authority has been set to active in the console.

I am attempting to use the AWS MQTT Mutual Auth demo, and the header file has been modified to use the correct certs and target the correct endpoint.

For context, the demo succeeds when using a certificate generated by AWS and providing the AmazonRootCA1.crt as the CA File.

However, even after manually registering my generated certificate (where the CN matches the name of the device it is attached to) and attaching the same policy used for the AWS-generated cert, I keep getting a TLS handshake failure.

I can get an openssl s_client -connect to succeed by supplying the same certificates I am using in the demo, as outlined here https://docs.aws.amazon.com/iot/latest/developerguide/diagnosing-connectivity-issues.html.

I have tried adding both the intermediate and root CA certs to the device cert to complete the trust chain, but still no luck.

Any input would be greatly appreciated!!
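The chain problems described in the question (a device cert issued by a private CA, a leaf file that may or may not carry its intermediate, and whether the result verifies up to the root) can be checked locally with the openssl CLI before touching the endpoint. The script below is an added example, not code from the thread or from AWS: it builds a throwaway root -> intermediate -> device PKI in a temp directory, then runs three checks on it. All subject names, file names and the `thing-001` CN are constructed for the demo; the AWS endpoint itself is not contacted.

```shell
#!/bin/sh
# Added example (not from the re:Post thread or AWS): build a throwaway
# root -> intermediate -> device PKI and run the chain checks worth doing
# before pointing a mutual-TLS client at an AWS IoT endpoint.
# Every name and path below is constructed for this demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key and CSR: new_key_csr <name> <subject>
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# Sign a CSR with a CA: sign <csr> <ca.pem> <ca.key> <out.pem> [extfile]
# ${5:+-extfile "$5"} passes -extfile only when a fifth argument is given.
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 30 -out "$4" ${5:+-extfile "$5"} >/dev/null 2>&1
}

# Constructed PKI: a root, a subordinate CA (the one a user would register
# with AWS IoT), a device cert issued by the subordinate, and an unrelated
# self-signed cert standing in for a CA that was never registered.
build_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.pem" -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  new_key_csr int "/CN=Example Intermediate CA"
  sign "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.pem" "$WORK/ca.ext"
  new_key_csr device "/CN=thing-001"
  sign "$WORK/device.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/device.pem"
  # Leaf only vs. leaf + intermediate: the second is what the client must send.
  cat "$WORK/device.pem" "$WORK/int.pem" > "$WORK/device-chain.pem"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
    -out "$WORK/other.pem" -subj "/CN=Unrelated CA" -days 30 >/dev/null 2>&1
}

# Check 1: was the device cert really issued by the CA you registered?
# Compares the leaf's issuer DN hash with the CA's subject DN hash.
issued_by() { # <device.pem> <ca.pem>
  [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
    "$(openssl x509 -noout -subject_hash -in "$2")" ]
}

# Check 2: how many certs does the client cert file carry? The broker only
# sees what the client sends, so a leaf-only file leaves the chain incomplete.
cert_count() { # <file.pem>
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Check 3: does the presented file verify up to the root? The file is used
# both as the leaf to verify (its first cert) and as the untrusted chain.
chain_verifies() { # <chain.pem> <root.pem>
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

build_test_pki
for f in device.pem device-chain.pem; do
  if chain_verifies "$WORK/$f" "$WORK/root.pem"; then r=ok; else r=FAIL; fi
  echo "$f: $(cert_count "$WORK/$f") cert(s), chain to root: $r"
done
```

Running it prints that `device.pem` (one cert) fails to chain while `device-chain.pem` (leaf plus intermediate) verifies. Against a real device, point `issued_by` at the device cert and the CA cert that was registered in the console, and `chain_verifies` at the file the demo loads as the client certificate with the root of your own CA; the CA file the client uses to verify the server is a separate setting and is not what these checks inspect.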

2 Answers

Hi mcjesse. What CA cert are you passing to the Mutual Auth demo? It should still be AmazonRootCA1.crt. Just clarifying on that point because people often get confused about it.

AWS
answered 2 years ago
  • I am indeed using the AmazonRootCA1.crt for the CA cert in the demo

  • Can you please share the output from the mutual auth demo?

  • Hey Greg, apologies for the delay. I uploaded a screencap of the output from the demo run with the registered device cert and AWS root cert.

[Image attached: screenshot (no description provided)]

answered 2 years ago
