aws-iot-device-sdk-embedded-C fleet_provisioning_with_csr demo how to save private key and certificate

0

I successfully run the demo fleet_provisioning_with_csr_demo but I'm not understanding how to save device.pem.crt and private.pem.key maybe someone can help?

( I also raised the ticket https://github.com/aws/aws-iot-device-sdk-embedded-C/issues/1874 )

g@cinnamon:~/git/aws-iot-device-sdk-embedded-c/build$ ./bin/fleet_provisioning_with_csr_demo 
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:1460] PKCS #11 successfully initialized.
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x3 type object.
[INFO] [FLEET_PROVISIONING_DEMO] [pkcs11_operations.c:770] Writing certificate into label "Claim Cert".
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x1 type object.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:532] Establishing MQTT session with claim certificate...
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:544] Established connection with claim credentials.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:252] Received accepted response from Fleet Provisioning CreateCertificateFromCsr API.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:621] Received certificate with Id: XXXX
[INFO] [FLEET_PROVISIONING_DEMO] [pkcs11_operations.c:770] Writing certificate into label "Device Cert".
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x1 type object.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:279] Received accepted response from Fleet Provisioning RegisterThing API.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:696] Received AWS IoT Thing name: mythingprefix_S1234
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:722] Establishing MQTT session with provisioned certificate...
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:737] Sucessfully established connection with provisioned credentials.
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2002] Successfully closed PKCS #11 session.
[INFO] [PKCS11] [core_pkcs11_mbedtls.c:1505] PKCS #11 was successfully uninitialized.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:765] Demo iteration 1 is successful.
[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:784] Demo completed successfully.
profile picture
asked 9 months ago260 views
2 Answers
1

Hi Giuseppe. Since that demo uses a CSR for fleet provisioning, only a certificate will be generated. No new private key is created.

More information here: https://docs.aws.amazon.com/iot/latest/developerguide/fleet-provision-api.html

The demo uses the corePKCS11 library: https://github.com/FreeRTOS/corePKCS11. This is a mock implementation. A soft hardware security module. The certificate created by fleet provisioning is saved as an object within this. That is what this message refers to:

[INFO] [PKCS11] [core_pkcs11_mbedtls.c:2918] Creating a 0x1 type object.

This comes from here: https://github.com/FreeRTOS/corePKCS11/blob/db05642c6c1f97055128f17c7962d7daf725d3c5/source/portable/mbedtls/core_pkcs11_mbedtls.c#L2918

Which I believe works its way down to here: https://github.com/FreeRTOS/corePKCS11/blob/db05642c6c1f97055128f17c7962d7daf725d3c5/source/portable/os/core_pkcs11_pal_utils.c#L67

And if so, the file created by the mock PKCS11 is named as shown here: https://github.com/FreeRTOS/corePKCS11/blob/db05642c6c1f97055128f17c7962d7daf725d3c5/source/portable/os/core_pkcs11_pal_utils.c#L47

However, this is not a PEM file because PKCS11 is being simulated. It's a DER file. So you may be best advised to use the ID returned here:

[INFO] [FLEET_PROVISIONING_DEMO] [fleet_provisioning_with_csr_demo.c:621] Received certificate with Id: XXXX

And get the certificate using the CLI or console.

profile pictureAWS
EXPERT
Greg_B
answered 9 months ago
0
Accepted Answer

I added a new demo https://github.com/giuspen/aws-iot-device-sdk-embedded-C/tree/GP_fleet_provisioning_keys_cert_demo/demos/fleet_provisioning/fleet_provisioning_keys_cert based on the CreateKeysAndCertificate API where it is possible to save the new private key and certificate defining DOWNLOADED_CERT_WRITE_PATH and DOWNLOADED_PRIVATE_KEY_WRITE_PATH

profile picture
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions