The CA certificate does not have the basicConstraints extension as true

I am following this AWS guide on creating self-signed certificates. But after creating my CA, when I try to upload it to AWS IoT I get this error:

Command:

aws iot register-ca-certificate --ca-certificate file://CA_cert.pem --verification-cert file://verificationCert.crt

Error:

An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true

Any help appreciated!

Aleksander Aleksic asked May 18 '18 15:05




1 Answer

I have also used AWS IoT and suffered the same error, and I found the solution.

Reason of the error

The error occurs because the basicConstraints extension in the CA certificate, which indicates that the certificate is a CA (and so is able to sign other public keys to generate client certificates), is not set to TRUE.

Note that a client X's certificate contains X's public key signed by the CA's private key. Other clients, for example Y, can verify X's public key using the CA's public key.

I think you had the error when you tried to generate the CA certificate. The error message indicates that the CA's certificate is not allowed to sign other client public keys.

Below is how I did it.

Solution

I assume that you have already generated the CA's key, rootCA.key.

We need an openssl config file, say rootCA_openssl.conf. Note that you can modify the values.

[ req ]
distinguished_name       = req_distinguished_name
extensions               = v3_ca
req_extensions           = v3_ca

[ v3_ca ]
# The extension AWS IoT checks: CA:TRUE marks the certificate as a CA
basicConstraints         = CA:TRUE

[ req_distinguished_name ]
countryName              = Country Name (2 letter code)
countryName_default      = KR
countryName_min          = 2
countryName_max          = 2
organizationName         = Organization Name (eg, company)
organizationName_default = Deeply Inc.

Then generate the CA's certificate using the config file, rootCA_openssl.conf.

openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr -config rootCA_openssl.conf
openssl x509 -req -days 3650 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem

Now we have the CA's certificate, rootCA.pem. Then you can follow the instructions in the AWS IoT documentation. For example:

# Get the registration code for the use below: 
# $ aws iot get-registration-code 

openssl genrsa -out verificationCert.key 2048

openssl req -new -key verificationCert.key -out verificationCert.csr
# Put the registration code in Common Name field

openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
Han Park answered Oct 20 '22 01:10
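A local check for the extension the error message names, as an added example that is not part of Han Park's answer or of the AWS documentation: it assumes the openssl CLI is installed, and it builds both a CA certificate signed with -extfile/-extensions v3_ca as in the answer and one signed without any extension file, which reproduces the rejected case.

```shell
#!/bin/sh
# Added example, not from the original answer: a local pre-upload check that mirrors
# the test AWS IoT applies, so CertificateValidationException is caught before
# register-ca-certificate. Assumes the openssl CLI; file names are hypothetical.

# Returns 0 when the certificate carries basicConstraints CA:TRUE, 1 otherwise.
check_ca_basic_constraints() {
    # -text prints the extensions block; the value sits on the line after the
    # "X509v3 Basic Constraints" header (which may also carry "critical").
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE'
}

# Builds two self-signed certificates from one key and one CSR into $1:
# rootCA_good.pem signed with -extfile/-extensions v3_ca as in the answer, and
# rootCA_bad.pem signed without any extension file (the questioner's situation).
make_demo_certs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/rootCA_openssl.conf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no
[ v3_ca ]
basicConstraints   = CA:TRUE
[ req_distinguished_name ]
CN = demo-root-ca
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/rootCA.key" -out "$dir/rootCA.csr" \
        -config "$dir/rootCA_openssl.conf" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/rootCA.csr" -signkey "$dir/rootCA.key" \
        -extfile "$dir/rootCA_openssl.conf" -extensions v3_ca \
        -out "$dir/rootCA_good.pem" 2>/dev/null
    openssl x509 -req -days 3650 -in "$dir/rootCA.csr" -signkey "$dir/rootCA.key" \
        -out "$dir/rootCA_bad.pem" 2>/dev/null
}

# Usage: sh check_ca.sh rootCA.pem
if [ $# -gt 0 ]; then
    if check_ca_basic_constraints "$1"; then
        echo "$1: basicConstraints CA:TRUE present"
    else
        echo "$1: basicConstraints CA:TRUE missing; AWS IoT will reject this CA" >&2
        exit 1
    fi
fi
```

Run it against rootCA.pem before calling register-ca-certificate; a non-zero exit means the certificate would be rejected with the same error as in the question.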