Unable to Register SSL Certificate in AWS IoT


Hello,

We have received a CA certificate (TLS) chain file from an external entity which has a Root CA certificate and an intermediate CA certificate (ECU CA) which has been signed by the Root CA, and also a device certificate which is signed by the ECU CA. The CA certificate chain has been registered under AWS IoT --> Certificate Authorities. However, the device certificate registration is failing with an error message which says "The certificate is not valid".

Steps followed

**Scenario 1:**

  1. Navigate to AWS IoT--> All Devices-->Things
  2. Click on 'Create Things'
  3. Select Create one thing
  4. Provide a name
  5. Click on Next button
  6. In the "Configure device certificate" screen select 'Use my certificate' option
  7. Choose the option "CA is registered with AWS IoT"
  8. Choose the CA certificate from the dropdown box
  9. Choose and upload the device certificate
  10. Click on next button
  11. In the Policies screen choose a default policy and click on 'Create thing' button
  12. The error message "An error occurred while creating the thing. ResourceRegistrationFailureException: Register thing workflow execution terminates due to: The certificate is not valid." is displayed

**Scenario 2:**

  1. Navigate to AWS IoT--> Security --> Certificates
  2. Choose 'Register certificates' option from the Add Certificate drop down
  3. In the "Register certificates" screen select the option "CA is registered with AWS IoT"
  4. Choose the CA certificate from the dropdown box
  5. Choose and upload the device certificate under the Certificates section
  6. Click on 'Register' button
  7. The error message "The certificate is not valid" is displayed.

Need your assistance to resolve the issue.

Thanks.

1 Answer

Hi. What's the key algorithm and signing algorithm used in the device certificate? Are you perhaps using something not supported?

https://docs.aws.amazon.com/iot/latest/developerguide/x509-client-certs.html#x509-cert-algorithms

In case you're unsure how to check, you can use openssl like this:

    openssl x509 -in certificate.pem -text -noout
Greg_B (AWS Expert), answered 4 months ago
  • The signature algorithm used is: rsassaPss

  • With one of the supported hash algorithms and with the mgf1 mask algorithm? And please what is the key algorithm and key size?

  • yes it is RSA with SHA256 and the key size is 4096

  • Signature Algorithm: rsassaPss Hash Algorithm: sha256 Mask Algorithm: mgf1 with sha256

  • This works:

    openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537 -out ca-key.pem
    openssl req -x509 -new -key ca-key.pem -subj "/CN=My CA" -sha256 -out ca.pem
    openssl genpkey -algorithm rsa-pss -pkeyopt rsa_keygen_bits:4096 -pkeyopt rsa_keygen_pubexp:65537 -out key.pem
    openssl req -new -key key.pem -subj "/CN=My org" -sha256 -out csr.pem
    openssl x509 -req -CAcreateserial -in csr.pem -sha256 -CA ca.pem -CAkey ca-key.pem -out cert.pem
    aws iot register-certificate-without-ca --certificate-pem file://cert.pem
    
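A pre-flight check that applies the answer's advice, added here as an example and not part of the thread: it parses the text that `openssl x509 -in certificate.pem -text -noout` prints and flags signature or key algorithms outside the set the linked AWS IoT page lists. The supported-value sets (copied from that page at the time of writing) and the sample certificate text are assumptions constructed for the example; RSA (PKCS#1 v1.5 and PSS) and ECDSA are covered, DSA is not.

```python
import re

# Supported values as listed on the AWS IoT developer guide page linked in the answer
# (x509-cert-algorithms) at the time of writing; re-check the current docs before relying on them.
SUPPORTED_RSA_BITS = {2048, 4096}
SUPPORTED_EC_CURVES = {"prime256v1", "secp384r1", "secp521r1"}
SUPPORTED_HASHES = {"sha256", "sha384", "sha512"}

# Constructed sample (not a real certificate): the relevant lines of
# `openssl x509 -in certificate.pem -text -noout` for an RSA-PSS cert like the one in this thread.
SAMPLE_RSA_PSS = """\
        Signature Algorithm: rsassaPss
        Hash Algorithm: sha256
        Mask Algorithm: mgf1 with sha256
        Subject Public Key Info:
            Public Key Algorithm: rsassaPss
                RSA-PSS Public-Key: (4096 bit)
"""

def check_cert_text(text: str) -> list:
    """Return the list of problems found; an empty list means the algorithms look acceptable."""
    problems = []
    sig_m = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    sig = sig_m.group(1) if sig_m else ""
    if sig == "rsassaPss":
        # PSS parameters are printed on separate lines; a SHA-2 hash with MGF1 is expected.
        hash_m = re.search(r"^\s*Hash Algorithm:\s*(\S+)", text, re.M)
        mask_m = re.search(r"^\s*Mask Algorithm:\s*mgf1 with (\S+)", text, re.M)
        if not hash_m or hash_m.group(1) not in SUPPORTED_HASHES:
            problems.append(f"unsupported PSS hash: {hash_m.group(1) if hash_m else 'missing'}")
        if not mask_m or mask_m.group(1) not in SUPPORTED_HASHES:
            problems.append("PSS mask must be MGF1 with a SHA-2 hash")
    else:
        # PKCS#1 v1.5 RSA and ECDSA names embed the hash, e.g. sha256WithRSAEncryption.
        pkcs_m = re.fullmatch(r"(sha\d+)WithRSAEncryption|ecdsa-with-(SHA\d+)", sig)
        digest = (pkcs_m.group(1) or pkcs_m.group(2)).lower() if pkcs_m else None
        if digest not in SUPPORTED_HASHES:
            problems.append(f"unsupported signature algorithm: {sig or 'missing'}")
    curve_m = re.search(r"ASN1 OID:\s*(\S+)", text)
    bits_m = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if curve_m:  # EC keys also print a bit size, so test the curve first
        if curve_m.group(1) not in SUPPORTED_EC_CURVES:
            problems.append(f"unsupported EC curve: {curve_m.group(1)}")
    elif bits_m:
        if int(bits_m.group(1)) not in SUPPORTED_RSA_BITS:
            problems.append(f"unsupported RSA key size: {bits_m.group(1)} bits")
    else:
        problems.append("could not determine the key algorithm")
    return problems
```

Feed it the full output of the openssl command from the answer; an empty result means the algorithm checks pass and the rejection has another cause (for example the CA used to sign the device certificate not being the one registered in AWS IoT).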
