client cert creation ACM PCA issue-certificate vs AWS IoT issue create-certificate-from-csr

0

Goal: create a client certificate based on a CSR request.

Our device is capable of generating a self-signed cert and can return a CSR for the certificate as a base64-encoded DER blob.

With the CSR (base64-encoded DER blob) we are able to successfully generate the client certificate using the AWS IoT API as below and use it to connect to the AWS MQTT test client:

aws iot create-certificate-from-csr --certificate-signing-request=file://certificate.csr

But if we use the same CSR (base64-encoded DER blob) with the AWS ACM PCA API as below, we get a CSR validation error:

aws acm-pca issue-certificate --certificate-authority-arn "arn:aws:acm-pca:us-east-..." --csr file://certificate.csr --signing-algorithm SHA384WITHECDSA --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1 --validity Value=9,Type="YEARS" --idempotency-token 1234

From my understanding, AWS ACM PCA, in the issue-certificate API call, expects the CSR to be in the https://www.rfc-editor.org/rfc/rfc7468#section-7 format.

  • Why is there such a difference between AWS own services?
  • What's the standard and recommended way so that we do not have 2 different formats across services?
  • Is there any configuration on AWS IoT/PCA services to make them respond similarly?
asked 1 year ago, viewed 499 times
2 answers
0

Hi,

We get the same error even with the option you suggested, with AWS CLI version 2.9. Any other suggestions?

Regards,
Sriram

answered 1 year ago
  • Can you provide the exact error message that you get?

  • error occurred (ValidationException) when calling the IssueCertificate operation: 1 validation error detected: Value at 'csr' failed to satisfy constraint: Member must satisfy regular expression pattern: -----BEGIN CERTIFICATE REQUEST-----\r?\n([A-Za-z0-9/+]{64}\r?\n)*[A-Za-z0-9/+]{1,64}={0,2}\r?\n-----END CERTIFICATE REQUEST-----(\r?\n)?.

    As mentioned in my original question, the CSR content sent to both API calls is the same, but one throws a validation error and the other doesn't.

  • Can you try fileb://... instead of file://...

  • We already tried that, with a similar response. We believe the issue is with expecting the line length to be of size 64? We referred to the issue discussion while trying that: https://github.com/aws/aws-cli/issues/5011

  • Can you share the (openssl) commands used to create the key pair and the CSR? (Not the content of your files.)
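The ValidationException quoted in the comments above spells out what ACM PCA will accept: PEM armour, base64 broken into 64-column lines, and a final line of at most 64 characters plus padding. A device that hands back a single-line base64 DER blob, or a PEM whose body is one long line, fails that pattern even though the underlying DER is identical to what AWS IoT accepted. The following Python is an added example, not code from the thread or from AWS: it re-wraps a CSR into RFC 7468 PEM and checks it against the regex copied from the error message. The placeholder DER bytes are constructed and are not a real CSR; the assumption that the service applies the pattern as a full match over the decoded CSR bytes is also mine.

```python
import base64
import re

# Constraint copied verbatim from the ValidationException quoted in the thread.
# Assumption: the service applies it as a full match over the decoded CSR bytes.
ACM_PCA_CSR_PATTERN = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\r?\n"
    r"([A-Za-z0-9/+]{64}\r?\n)*"
    r"[A-Za-z0-9/+]{1,64}={0,2}\r?\n"
    r"-----END CERTIFICATE REQUEST-----(\r?\n)?"
)

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def extract_der(csr_text: str) -> bytes:
    """Return the raw DER bytes from either a bare base64 blob or a PEM CSR.

    Armour lines are dropped, all whitespace is removed, and the remainder is
    strictly base64-decoded so a corrupted blob fails here rather than at the API.
    """
    lines = [ln.strip() for ln in csr_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    der = base64.b64decode(body, validate=True)
    # Every PKCS#10 CSR is a DER SEQUENCE (tag 0x30); anything else is not a CSR.
    if not der or der[0] != 0x30:
        raise ValueError("decoded blob does not start with a DER SEQUENCE tag")
    return der


def to_pem_csr(csr_text: str) -> str:
    """Re-encode a CSR as RFC 7468 PEM with 64-column base64 lines."""
    b64 = base64.b64encode(extract_der(csr_text)).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{BEGIN}\n{wrapped}\n{END}\n"


def acm_pca_accepts(csr_text: str) -> bool:
    """True when the text satisfies the pattern from the ValidationException."""
    return ACM_PCA_CSR_PATTERN.fullmatch(csr_text) is not None


# Constructed placeholder: a DER SEQUENCE header followed by filler bytes.
# It is NOT a real CSR; it only exercises the encoding and formatting logic.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# One long base64 line, the shape a device might return for its CSR.
DEVICE_BLOB = base64.b64encode(FAKE_DER).decode("ascii")

if __name__ == "__main__":
    naive = f"{BEGIN}\n{DEVICE_BLOB}\n{END}\n"
    print("one-line PEM accepted:", acm_pca_accepts(naive))
    pem = to_pem_csr(DEVICE_BLOB)
    print("re-wrapped PEM accepted:", acm_pca_accepts(pem))
    print(pem)
```

Write the re-wrapped PEM to a file and pass that to issue-certificate. Because Csr is a blob parameter, AWS CLI v2 needs either fileb:// or --cli-binary-format raw-in-base64-out so the PEM bytes are sent as-is rather than being base64-decoded by the CLI first; fixing the transport without fixing the line wrapping still trips the same regex.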

0

Hi bsriramprasad,

Are you using AWS CLI version 2? If yes, try adding --cli-binary-format raw-in-base64-out to your command to issue the certificate.

Cheers,
Philipp

AWS
EXPERT
answered 1 year ago
