Hi,
We are trying to register a self-signed X.509 certificate for client authentication to AWS IoT Core (aws iot register-certificate) but we get the error "The key in the certificate is not valid".
The problem seems related to the length of the key: it's 1024 bits. We have no problem registering a certificate with a 2048-bit key. The signing algorithm is "SHA-256 with RSA".
Here there is a note about the key length of the CSR request, but no mention of the key length of a self-signed certificate:
https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html
How can we register a self-signed certificate with a 1024-bit key length?
Thanks in advance for your support.
Reason for this question:
We have an old device with few calculation resources. Connecting to the broker using a client certificate with a 2048-bit key takes 10 secs; using a client certificate with a 1024-bit key takes 4 seconds. We measured this using another broker, not AWS IoT. We know a 1024-bit key is not the best key, but 10 seconds to connect is too much.
Hi Philipp,
The note also refers to the CreateCertificateFromCsr API and this confuses me; we are creating self-signed certificates instead. So does this rule also apply to self-signed certificates?
Thank you for the custom authentication suggestion, we are considering this.
Best Regards, Sam
Hi Sam. You will find confirmation here: https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-device-cert-key-quality.html
I agree that perhaps the basic requirements set out there could also be listed on the link you gave. Please consider using the Feedback button on that page.
Hi Greg,
Thank you for the confirmation, feedback sent.
We explored other ways, and connection with an ECC key from NIST P-256 (curve secp256r1) takes 5 secs; it's more secure than RSA 1024 and good enough for our requirements.
We can share this link, we found it very useful for optimization parameters: https://csrc.nist.gov/csrc/media/events/lightweight-cryptography-workshop-2015/documents/presentations/session7-vincent.pdf
Thanks again,
Best Regards, Sam
Thanks for the link Sam. Interesting document.
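Added example, not part of the thread and not any participant's or AWS's code: a standard-library Python pre-check that reads the public key type and size out of a DER certificate before `aws iot register-certificate` is attempted. The 2048-bit RSA floor and the acceptance of P-256 are assumptions taken from what the thread reports; the function names and the unsigned sample certificates are constructed for illustration.

```python
# Added example: walk a DER X.509 certificate to its public key (stdlib only).
RSA = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
EC = bytes.fromhex("2a8648ce3d0201")        # OID 1.2.840.10045.2.1 id-ecPublicKey
P256 = bytes.fromhex("2a8648ce3d030107")    # OID 1.2.840.10045.3.1.7 secp256r1
MIN_RSA_BITS = 2048  # assumption: what the thread observed, not a constant published here

def tlv(buf, pos=0):  # return (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def der(tag, value):  # encode one DER element; only used to build the samples below
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def key_info(cert_der):  # return (algorithm, bits) of the certificate's subject key
    tbs = tlv(tlv(cert_der)[1])[1]          # Certificate -> tbsCertificate
    tag, _, nxt = tlv(tbs)
    pos = nxt if tag == 0xA0 else 0         # skip the optional [0] version field
    for _ in range(5):                      # serial, signature alg, issuer, validity, subject
        pos = tlv(tbs, pos)[2]
    spki = tlv(tbs, pos)[1]                 # SubjectPublicKeyInfo
    _, alg, nxt = tlv(spki)
    _, oid, nxt2 = tlv(alg)
    key = tlv(spki, nxt)[1][1:]             # BIT STRING minus its unused-bits octet
    if oid == RSA:
        modulus = tlv(tlv(key)[1])[1]       # RSAPublicKey -> INTEGER n
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if oid == EC and tlv(alg, nxt2)[1] == P256:
        return "EC", 256
    raise ValueError("unsupported key type")

def registrable(cert_der):  # True if the key matches what the thread saw accepted
    alg, bits = key_info(cert_der)
    return alg == "EC" or bits >= MIN_RSA_BITS

def sample_cert(alg_params, key):  # constructed, unsigned skeleton: enough for key_info()
    spki = der(0x30, der(0x30, alg_params) + der(0x03, b"\x00" + key))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki
    return der(0x30, der(0x30, tbs))

def sample_rsa(bits):  # constructed modulus of the requested size, not a real key
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    return sample_cert(der(0x06, RSA) + der(0x05, b""),
                       der(0x30, der(0x02, n) + der(0x02, b"\x01\x00\x01")))
```

For a real certificate file, convert the PEM text with `ssl.PEM_cert_to_DER_cert()` and pass the result to `registrable()`.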