Menu
I am following this AWS GUIDE on creating self-signed certificates. But after creating my CA, I try to upload it to AWS IOT I get this error:
Command:
aws iot register-ca-certificate --ca-certificate file://CA_cert.pem --verification-cert file://verificationCert.crt
Error:
An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true
Any help appreciated!
775
Click the CA Manager tab. Click the name of the CA you want to issue from. On the bottom of the CA details page, click Request a certificate. Optional: If you want to use a certificate template, click create, select a template from the list, and click Save.
Expand Policies > Windows Settings > Security Settings > Public Key Policies. Right-click Trusted Root Certification Authorities and select Import. Click Next and Browse to select the CA certificate you copied to the device. Click Finish and then OK.
Basic Constraints is an X.509 Version 3 certificate extension and is used to identify the type of the certificate holder/subject. In the past (prior to version 3 X.509 certificates) it was impossible to identify who is the subject: CA certificate or end entity subscriber.
So CA:TRUE, pathlen:1 means that this is a self-signed root CA and it can only issue end-user certs not subordinate CAs, since any certs they issue would have a pathlen > 1.
I have also used AWS IoT and suffered same error, and I found the solution.
Reason of the error
The error occurs because basicConstraints extension in the CA certificate, which means that the certificate is CA so this certificate is able to sign other public keys to generate client certificates, is not set to TRUE.
Note that a client X's certificate contains X's public key signed by CA's private key. Other clients, for example Y, can verify the X's public key using CA's public key.
I think you had the error when you tried to generate CA certificate. The error message indicates that the CA's certificate is not allowed to sign other client public keys.
Below are how I did.
Solution
I assume that you already generate CA's key, rootCA.key.
We need a openssl config file, say rootCA_openssl.conf. Note that you can modify the values.
[ req ]
distinguished_name = req_distinguished_name
extensions = v3_ca
req_extensions = v3_ca
[ v3_ca ]
basicConstraints = CA:TRUE
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = KR
countryName_min = 2
countryName_max = 2
organizationName = Organization Name (eg, company)
organizationName_default = Deeply Inc.
Then generate CA's certificate using the config file, rootCA_openssl.conf.
openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr -config rootCA_openssl.conf
openssl x509 -req -days 3650 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem
Now we have CA's certificate, rootCA.pem.
Then you can follow the instructions in the AWS IoT documentation.
For example:
# Get the registration code for the use below:
# $ aws iot get-registration-code
openssl genrsa -out verificationCert.key 2048
openssl req -new -key verificationCert.key -out verificationCert.csr
# Put the registration code in Common Name field
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
