
I am trying to create a self-signed X.509 certificate to use in AWS IoT. I understand that it is no different from a normal OpenSSL certificate, but I stumbled on the PEM file which AWS creates, which is something different. Since I am new to OpenSSL I could not figure out what I am missing.

I used the commands below to create the private key, CSR, and server certificate:

```bash
openssl req -newkey rsa:2048 -new -nodes -keyout key.pem -out csr.pem
openssl x509 -req -days 365 -in csr.pem -signkey key.pem -out server.crt
```

If I upload csr.pem in the AWS IoT console it is accepted, but I could not use this file to connect to MQTT.

If I upload server.crt to AWS IoT it complains that it is not in CSR format, which is understandable.

What puzzles me is that once I upload csr.pem in the AWS IoT console, I can download a file xxxx.pem.crt from the console. This file works perfectly when I use it to connect to MQTT. I am not sure how to create this file.

My use case is to not depend on AWS to generate this file.

Reference: http://docs.aws.amazon.com/iot/latest/developerguide/identity-in-iot.html

Virtu
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. Perhaps [Super User](http://superuser.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) and [Best StackExchange site for asking about Amazon AWS](http://meta.stackexchange.com/q/141942). – jww Dec 27 '15 at 07:26

1 Answer

Can you try these for a basic test:

```bash
openssl genrsa -out privkey.pem 2048
openssl req -new -key privkey.pem -out cert.csr
```

You can then use the CLI to create a certificate from a CSR: http://docs.aws.amazon.com/iot/latest/apireference/API_CreateCertificateFromCsr.html

Kyle Roche
  • I agree with this. One of my main points is to understand whether I have to be dependent on AWS to get the final CSR. And I understood yes, I have to. Thanks. – Virtu Jan 21 '16 at 01:34
  • Virtu, I'd be very interested in learning how you'd see this process improve so we could consider it on the short term roadmap. Would you want to bring your own signing cert or server cert? What would be ideal? – Kyle Roche Feb 01 '16 at 16:58
  • I was looking for something like how SSH works. Once my public key is in the server it allows me access. In this I don't want to depend on the server to give me one more certificate. This would be helpful so we can avoid the dependency on AWS to give us the certificate, and rather use the AWS API to send the public key and keep the private key with the device itself. One more step in between is a bit involved. Again I am not an expert in the things involved in X.509 certificates, so I am telling it in layman's terms. Thanks for listening :) – Virtu Feb 09 '16 at 14:05
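The flow the answer describes, written out end to end as an added example (not code from the question, the answer, or AWS): the key and CSR are made locally, AWS IoT signs the CSR through `create-certificate-from-csr`, and the returned certificate is checked against the local key. It assumes `openssl` and a configured AWS CLI with `iot:CreateCertificateFromCsr` permission; the file names and the CN are my own choices.

```bash
#!/bin/sh
# Added example, not code from the question or answer: the "bring your own
# key" flow the answer describes. Assumes openssl and a configured AWS CLI
# with iot:CreateCertificateFromCsr permission; file names and the CN are
# my own choices.
set -eu

# Print the object type from a PEM file's first BEGIN line. Uploading a
# "CERTIFICATE" where AWS IoT expects a "CERTIFICATE REQUEST" is the
# "not in CSR format" rejection the question describes.
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Generate the RSA key and CSR locally; the private key never leaves the device.
make_key_and_csr() {
  openssl genrsa -out privkey.pem 2048
  openssl req -new -key privkey.pem -out cert.csr -subj "/CN=my-device"
}

# Have AWS IoT sign the CSR. certificatePem in the response is the same kind
# of file the console offers as xxxx.pem.crt; --query extracts just that field.
sign_with_aws_iot() {
  [ "$(pem_type cert.csr)" = "CERTIFICATE REQUEST" ] || {
    echo "cert.csr is not a CSR" >&2; return 1; }
  aws iot create-certificate-from-csr \
    --certificate-signing-request file://cert.csr \
    --set-as-active \
    --query certificatePem --output text > device.pem.crt
}

# Sanity checks: the issued certificate must carry our public key (moduli match),
# and its issuer is AWS IoT's CA, which is why a self-signed server.crt cannot
# stand in for it.
verify_cert() {
  k=$(openssl rsa -noout -modulus -in privkey.pem | openssl sha256)
  c=$(openssl x509 -noout -modulus -in device.pem.crt | openssl sha256)
  [ "$k" = "$c" ] || { echo "certificate does not match privkey.pem" >&2; return 1; }
  openssl x509 -noout -subject -issuer -dates -in device.pem.crt
}

# Run the whole flow only when invoked as: sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then
  make_key_and_csr
  sign_with_aws_iot
  verify_cert
fi
```

Keep privkey.pem on the device only; the CSR and the signed device.pem.crt are the only files that need to travel.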