Greengrass security module integration using ECC keys and Multi Account Registration

Question

Looking at the  [documentation](https://docs.aws.amazon.com/greengrass/v2/developerguide/manual-installation.html) for greengrass v2 integration with a HSM with ECC keys - it specifies Nucleus 2.5.6 or later - it also talks about using a CSR to submit to AWS for signing to allow operation.
Is it possible to simply use the certificate from the HSM directly, and register this with AWS as per Multi Account Registration - so the CSR step is not required ?

Accepted Answer

Hi there!

Yes, an X.509 certificate created from a private key in an HSM can be used without going through the CSR step (part of general provisioning). At that point you are using the PKCS#11 interface to utilize the private key. [This portion of the docs](https://docs.aws.amazon.com/greengrass/v2/developerguide/hardware-security.html#enable-hardware-security) covers importing an existing key/cert to an HSM, but the steps for configuring Greengrass from step 3 forward will walk you through the `config.yaml`, which should look like this when done:

```yaml
system:
  certificateFilePath: "pkcs11:object=iotdevicekey;type=cert"
  privateKeyPath: "pkcs11:object=iotdevicekey;type=private"
  rootCaPath: "/greengrass/v2/rootCA.pem"
  rootpath: "/greengrass/v2"
  thingName: "MyGreengrassCore"
```

Greengrass will then use `certificateFilePath` and `privateKeyPath` for all AWS IoT operations (connect to IoT Core, AWS IoT Greengrass, and allowed Roles Alias).

Greengrass security module integration using ECC keys and Multi Account Registration

Relevanter Inhalt