6

I'm trying to set up AWS IoT authentication using my own certificate according to the docs. I've managed to register a CA, enable it, and set it to auto-register. I also created a device cert & key according to the docs. When I first connect my device using the freshly generated key & cert it won't work. No sign of connection. It should publish a message to the $aws/events/certificates/registered/caCertificateID topic. In the MQTT console I'm unable to see anything in that topic. I've also tried attaching a template according to the JIT provisioning docs; same, no luck, nothing seems to be happening.

When I manually register the device cert (aws iot register-certificate --certificate-pem file://deviceCert.pem --ca-certificate-pem file://rootCA.pem) it is then able to connect to AWS.

What is going wrong?

haxpanel

2 Answers

6

Keep in mind that when connecting for the first time and trying to register a certificate with JIT, you have to provide not only the device certificate but also the CA certificate you used to sign your device certificate (your CA in this case). You can combine the two certificates with

cat deviceCert.crt caCert.crt > deviceAndCA.crt

as explained here.

OK, I'm a little late to the party as this question is a couple of months old, but I guess it still deserves an answer. I ran into the same problem and spent quite some time searching for the mistake.

2

I ran into a similar problem with a different solution.

If you create a certificate using a default openssl.cnf, or some other mechanism that generates an SSL certificate such as PHP's openssl_csr_sign, make certain your generated certificate does not have the x509_extensions set to make a CA certificate.

After three days of banging my head against the wall, I discovered that Amazon IoT will reject any device certificate that has CA:true set. Use OpenSSL to verify:

openssl x509 -in deviceCertificate.pem -text -noout

You should see something like this:

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE

I hope this helps someone save some time.

SynaTree
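As an added example (not code from the question or from either answer), the following shell script reproduces both points with a throwaway CA: it signs the same device CSR twice, once with basicConstraints CA:FALSE and once with the CA:TRUE mistake described in the second answer, reads the extension back from `openssl x509 -text` the way that answer suggests, and builds the combined deviceAndCA.crt file from the first answer with the device certificate first and the issuing CA second. It assumes only the openssl command-line tool is installed; every file name, common name and the 30-day validity period is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes only the openssl CLI.
# All paths, subjects and validity periods below are made-up demo values.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# sign_device_cert CSR CA_CERT CA_KEY BASIC_CONSTRAINTS OUT
# Signs a device CSR with the demo CA, forcing the basicConstraints value
# given as the 4th argument (e.g. CA:FALSE for a correct device cert, or
# CA:TRUE to reproduce the "default openssl.cnf made a CA cert" mistake).
sign_device_cert() {
    printf 'basicConstraints=%s\n' "$4" > "$5.ext"
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 30 -extfile "$5.ext" -out "$5" 2>/dev/null
}

# basic_constraints CERT
# Prints CA:TRUE, CA:FALSE, or "none" if the extension is absent; this is
# the check the second answer recommends, made scriptable.
basic_constraints() {
    bc="$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -o 'CA:[A-Z]*' || true)"
    printf '%s\n' "${bc:-none}"
}

# make_chain DEVICE_CERT CA_CERT OUT
# The combined PEM the first answer describes: device certificate first,
# then the CA that issued it.
make_chain() {
    cat "$1" "$2" > "$3"
}

# chain_cert_count FILE -> number of PEM certificates in the file
chain_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# verify_against_ca CERT CA_CERT -> "ok" if CERT chains to CA_CERT, else "fail"
verify_against_ca() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# 1. Throwaway CA (stands in for the CA registered with AWS IoT). It is
#    self-signed with an explicit CA:TRUE so the result does not depend on
#    whatever openssl.cnf happens to be installed.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -subj "/CN=Example Device CA" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null

# 2. One device key and CSR, signed two different ways.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/device.key" \
    -subj "/CN=device-0001" -out "$WORK/device.csr" 2>/dev/null
sign_device_cert "$WORK/device.csr" "$WORK/ca.crt" "$WORK/ca.key" CA:FALSE "$WORK/device_ok.crt"
sign_device_cert "$WORK/device.csr" "$WORK/ca.crt" "$WORK/ca.key" CA:TRUE  "$WORK/device_bad.crt"

# 3. The file to present on the first JITR connection.
make_chain "$WORK/device_ok.crt" "$WORK/ca.crt" "$WORK/deviceAndCA.crt"

echo "good device cert basicConstraints: $(basic_constraints "$WORK/device_ok.crt")"
echo "bad device cert basicConstraints:  $(basic_constraints "$WORK/device_bad.crt")"
echo "certificates in deviceAndCA.crt:   $(chain_cert_count "$WORK/deviceAndCA.crt")"
echo "device cert verifies against CA:   $(verify_against_ca "$WORK/device_ok.crt" "$WORK/ca.crt")"
```

Note that `openssl verify` accepts both device certificates, so a successful local verify is not evidence that AWS IoT will accept the certificate; only inspecting the Basic Constraints extension separates the two cases.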