Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen

Greengrass security module integration using ECC keys and Multi Account Registration

0

Looking at the documentation for greengrass v2 integration with a HSM with ECC keys - it specifies Nucleus 2.5.6 or later - it also talks about using a CSR to submit to AWS for signing to allow operation. Is it possible to simply use the certificate from the HSM directly, and register this with AWS as per Multi Account Registration - so the CSR step is not required ?

1 Antwort
0
Akzeptierte Antwort

Hi there!

Yes, an X.509 certificate created from a private key in an HSM can be used without going through the CSR step (part of general provisioning). At that point you are using the PKCS#11 interface to utilize the private key. This portion of the docs covers importing an existing key/cert to an HSM, but the steps for configuring Greengrass from step 3 forward will walk you through the config.yaml, which should look like this when done:

system:
  certificateFilePath: "pkcs11:object=iotdevicekey;type=cert"
  privateKeyPath: "pkcs11:object=iotdevicekey;type=private"
  rootCaPath: "/greengrass/v2/rootCA.pem"
  rootpath: "/greengrass/v2"
  thingName: "MyGreengrassCore"

Greengrass will then use certificateFilePath and privateKeyPath for all AWS IoT operations (connect to IoT Core, AWS IoT Greengrass, and allowed Roles Alias).

AWS
beantwortet vor 2 Jahren
profile picture
EXPERTE
überprüft vor 5 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen