Confusion on Greengrass Certificate Rotation

0

I have a question around certificate rotation. As you know, the MQTT server in GG uses a server certificate signed by a group CA certificate. In the GG documentation it is mentioned that the certificate is rotated per the setting in Greengrass (7 to 30 days), but it is not clear whether this is the server certificate or the group CA itself. I found some previous posts that seem to indicate that both the group CA and the server cert are rotated.

However, in my testing that doesn't seem to be the case. On creation, the group CA certificate seems to show an expiry date at the end of the century (2100). The expiry date on the server certificate seemed to match the duration specified in the setting, so my guess is that the setting is for the server certificate and the group CA remains the same unless manually changed. However, when you change the slider to adjust the expiration time, the server certificate on the GG core doesn't seem to get updated. Can someone clarify the rotation process: which certificate is supposed to rotate, and when?

Here is the ultimate issue I am trying to solve. I have a non-Greengrass-aware device that connects to the Greengrass core using manually configured information (since it doesn't support discovery). I am trying to determine at what interval (or on what event) it is necessary to update the CA certificate on the client so it continues to connect to the Greengrass core MQTT broker.

AWS
Asked 3 years ago, 593 views
1 answer
1
Accepted answer

You should not need to run discovery every time the MQTT server certificate is rotated. When you do discovery, you obtain the GG root CA, which, as you mention, expires in 2099. This certificate is not automatically rotated, but rotation can be forced using the Rotate CA button in the console or by using CreateGroupCertificateAuthority: https://docs.aws.amazon.com/greengrass/latest/apireference/creategroupcertificateauthority-post.html

So, if you used the console option to Rotate the CA, you actually did generate a new CA and a new server cert which eventually required your devices to do a new discovery.

There is currently no way to force the rotation of the MQTT server certificate independently from the group CA - in order to do a test you will need to wait 7 days.

=== EDIT ===

You can also change the connectivity information for your GG group to force a server certificate rotation, as this information is part of the certificate.

AWS
Expert
Answered 3 years ago
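The practical consequence of the accepted answer, for a device that cannot run discovery, is that a server-certificate-only rotation is invisible to the client (the new cert still chains to the group CA it already holds), while a group CA rotation breaks the TLS handshake until the client's CA file is refreshed. The following Go program is an added example, not code from the question, the answer or AWS: it builds a constructed stand-in for a long-lived group CA (notAfter in 2100) and short-lived server certificates with the core's connectivity address in the SAN, then runs the same chain-and-hostname check a TLS client performs at connect time. The endpoint `192.0.2.10`, the CA names and the 7-day validity are assumptions chosen for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newGroupCA builds a constructed stand-in for a Greengrass group CA:
// self-signed and valid until 2100, like the CA the question describes.
func newGroupCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Date(2100, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert builds a constructed stand-in for the core's MQTT server certificate:
// issued by the group CA, short-lived, with the connectivity endpoint in the SAN.
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, endpoint string, validity time.Duration) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: endpoint},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ip := net.ParseIP(endpoint); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{endpoint}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAgainstLocalCA is the check a non-discovery device effectively performs on every
// connect: the presented server cert must chain to the CA on disk and match the endpoint.
func VerifyAgainstLocalCA(server *x509.Certificate, localCAPEM []byte, endpoint string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(localCAPEM) {
		return errors.New("local CA PEM could not be parsed")
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   endpoint, // an IP string is matched against the SAN IPAddresses
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// pemEncode serialises a certificate the way it would be stored on the device.
func pemEncode(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// DaysUntilExpiry is a monitoring helper: how long before this certificate expires.
func DaysUntilExpiry(c *x509.Certificate) float64 {
	return time.Until(c.NotAfter).Hours() / 24
}

// Scenario answers the question's two cases for a device that keeps the original group CA:
// does it still validate the core after a server-cert-only rotation, and after a CA rotation?
func Scenario() (serverRotatedOK bool, caRotatedOK bool, err error) {
	const endpoint = "192.0.2.10" // constructed core connectivity address
	ca1, key1, err := newGroupCA("greengrass-group-ca-1")
	if err != nil {
		return false, false, err
	}
	localCA := pemEncode(ca1) // what the non-discovery device has on disk

	// Case 1: the server cert is reissued under the same group CA (the 7-30 day rotation).
	rotated, err := newServerCert(ca1, key1, 2, endpoint, 7*24*time.Hour)
	if err != nil {
		return false, false, err
	}
	serverRotatedOK = VerifyAgainstLocalCA(rotated, localCA, endpoint) == nil

	// Case 2: the group CA itself is rotated (console Rotate CA / CreateGroupCertificateAuthority),
	// so a new server cert is issued under the new CA; the old local CA no longer verifies it.
	ca2, key2, err := newGroupCA("greengrass-group-ca-2")
	if err != nil {
		return false, false, err
	}
	afterCARotation, err := newServerCert(ca2, key2, 3, endpoint, 7*24*time.Hour)
	if err != nil {
		return false, false, err
	}
	caRotatedOK = VerifyAgainstLocalCA(afterCARotation, localCA, endpoint) == nil
	return serverRotatedOK, caRotatedOK, nil
}

func main() {
	s, c, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server cert rotated, same group CA: device still connects = %v\n", s)
	fmt.Printf("group CA rotated: device still connects = %v (CA file must be refreshed)\n", c)
}
```

On a real device the same check happens inside the TLS client, so the operational signal for "the CA was rotated" is a chain-verification failure against the stored CA; that, not the server certificate's expiry, is the event on which the client's CA file needs updating.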
