Goal: Create a client certificate based on a CSR request
Our device is capable of generating a self-signed cert and can return a CSR for the certificate as a base64-encoded DER blob.
With the CSR (base64-encoded DER blob) we are able to successfully generate the client certificate using the AWS IoT API as below and use it to connect to the AWS MQTT test client:
aws iot create-certificate-from-csr --certificate-signing-request=file://certificate.csr
But if we use the same CSR (base64-encoded DER blob) with the AWS ACM PCA API as below, we get a CSR validation error:
aws acm-pca issue-certificate --certificate-authority-arn "arn:aws:acm-pca:us-east-..." --csr file://certificate.csr --signing-algorithm SHA384WITHECDSA --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 --validity Value=9,Type="YEARS" --idempotency-token 1234
From my understanding, AWS ACM PCA, in the issue-certificate API call, expects the CSR to be in the format described at https://www.rfc-editor.org/rfc/rfc7468#section-7
- Why is there such a difference between AWS's own services?
- What's the standard and recommended way, so that we do not have 2 different formats across services?
- Is there any configuration on AWS IoT/PCA services to make them respond similarly?
Can you provide the exact error message that you get?
error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.
As mentioned in my original question, the CSR content sent to both API calls is the same, but one throws a validation error and the other doesn't.
Can you try fileb://... instead of file://...?
We already tried that, with a similar response. We believe the issue is with the line length being expected to be 64? We referred to the discussion in this issue while trying that: https://github.com/aws/aws-cli/issues/5011
Can you share the (openssl) commands to create the key pair and CSR? (Not the content of your files.)
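The regular expression in the ValidationException quoted above spells out exactly what ACM PCA's IssueCertificate accepts: PEM armor around a base64 body wrapped at 64 columns, with LF or CRLF line endings. The following is an added example (not code from this thread, from AWS, or from the device vendor) that re-frames a bare base64 DER blob of the kind the device returns into that PEM form, and checks candidate inputs against the quoted pattern. It assumes the rejection is purely about framing, which is what the error message says; `SAMPLE_DER` is constructed filler bytes, not a real PKCS#10 request, so only the framing logic is exercised here.

```python
import base64
import re

# The constraint quoted verbatim from the ACM PCA ValidationException in the thread:
# PEM armor, base64 body wrapped at 64 columns, LF or CRLF line endings.
ACM_PCA_CSR_PATTERN = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n"
    r"-----END CERTIFICATE REQUEST-----(\r?\n)?"
)

# Constructed stand-in for the device's CSR: 700 arbitrary bytes, NOT a real
# PKCS#10 structure. Only the framing is exercised here; ACM PCA would reject
# the contents at a later stage.
SAMPLE_DER = bytes((i * 37 + 11) % 256 for i in range(700))
SAMPLE_B64_BLOB = base64.b64encode(SAMPLE_DER).decode("ascii")  # one line, no headers


def matches_acm_pca_pattern(text: str) -> bool:
    """True if `text` satisfies the regex quoted in the ValidationException."""
    return ACM_PCA_CSR_PATTERN.fullmatch(text) is not None


def base64_der_to_pem_csr(b64_der: str, line_length: int = 64, crlf: bool = False) -> str:
    """Re-frame a bare base64 DER CSR as RFC 7468 PEM.

    Any existing whitespace or line breaks in the input are discarded and the
    DER bytes are re-encoded, so the output is canonical regardless of how the
    device happened to wrap its blob. validate=True makes b64decode raise on
    characters outside the base64 alphabet instead of silently dropping them.
    """
    der = base64.b64decode("".join(b64_der.split()), validate=True)
    body = base64.b64encode(der).decode("ascii")
    eol = "\r\n" if crlf else "\n"
    lines = [body[i:i + line_length] for i in range(0, len(body), line_length)]
    return eol.join(["-----BEGIN CERTIFICATE REQUEST-----", *lines,
                     "-----END CERTIFICATE REQUEST-----"]) + eol


def pem_csr_to_der(pem: str) -> bytes:
    """Inverse of base64_der_to_pem_csr: strip the PEM armor, return DER bytes."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


if __name__ == "__main__":
    pem = base64_der_to_pem_csr(SAMPLE_B64_BLOB)
    print(pem)
    print("bare blob passes PCA regex:", matches_acm_pca_pattern(SAMPLE_B64_BLOB))
    print("64-col PEM passes PCA regex:", matches_acm_pca_pattern(pem))
    # 76 columns is what some base64 tools emit by default; it fails the pattern too.
    print("76-col PEM passes PCA regex:",
          matches_acm_pca_pattern(base64_der_to_pem_csr(SAMPLE_B64_BLOB, line_length=76)))
```

The two failing cases in the usage section are the ones worth checking on a real device blob: a single-line blob has no armor at all, and a blob wrapped at 76 columns has the armor but the wrong line length, and neither matches the pattern even though the DER inside is identical. If the DER is available as a file, `openssl req -inform DER -in certificate.der -outform PEM -out certificate.pem` produces the same 64-column PEM without any custom code.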