How to use certificate created with openssl

[matart15]

I am using version 1.

certificates are created by this method

openssl genrsa -out privatekey.pem 2048
openssl req -new -subj "/C=JP/ST=Tokyo/L=Chiyodaku/O=MyCompany/CN=AWS IoT Certificate" -key privatekey.pem -out cert.csr

which gave me 3 files.

-rw-r--r--   1 matar  staff   997B Apr 18 09:51 cert.csr
-rw-r--r--   1 matar  staff   3.2K Mar 14 19:52 key_name.key
-rw-r--r--   1 matar  staff   1.6K Apr 18 09:51 privatekey.pem

here is my code

import {device as  deviceModule} from "aws-iot-device-sdk"

const AwsIotDeviceSetting = {
  host: "********-ats.iot.ap-northeast-1.amazonaws.com",
  keyPath: 'certs/key_name.key',
  certPath: 'certs/private.pem',
  caPath: 'certs/root-CA.crt',
  clientId: "raspi",
  region: "ap-northeast-1"
}
  const device = new deviceModule(AwsIotDeviceSetting);
  device.on('error',(error: Error | string) => {
    console.log("error", error)
  });
  device.on('connect', function() {
    device.subscribe(TOPIC.unlockDaytime);
    device.subscribe(TOPIC.unlock);
    console.log("listening all")
  });

gives this error.

| Error: error:0909006C:PEM routines:get_name:no start line
|     at Object.createSecureContext (_tls_common.js:135:17)
|     at Object.connect (_tls_wrap.js:1130:48)
|     at Object.buildBuilder [as mqtts] (/home/pi/<proj-name>/node_modules/aws-iot-device-sdk/device/lib/tls.js:26:21)
|     at MqttClient._wrapper [as streamBuilder] (/home/pi/<proj-name>/node_modules/aws-iot-device-sdk/device/index.js:642:33)
|     at MqttClient._setupStream (/home/pi/<proj-name>/node_modules/aws-iot-device-sdk/node_modules/mqtt/lib/client.js:298:22)
|     at new MqttClient (/home/pi/<proj-name>/node_modules/aws-iot-device-sdk/node_modules/mqtt/lib/client.js:277:8)
|     at new DeviceClient (/home/pi/<proj-name>/node_modules/aws-iot-device-sdk/device/index.js:645:17)
|     at listenAwsIotTopic (/home/pi/<proj-name>/dist/index.js:90:20)
|     at Object.<anonymous> (/home/pi/<proj-name>/dist/index.js:111:1)
|     at Module._compile (internal/modules/cjs/loader.js:778:30)

according to this article, certificate that does not created by AWS GUI not works. ( Sorry it is japanese. could not find english source. ).

Can you give me example of how to use certificate created by openssl.

[matart15]

My code works if I use AWS GUI generated certificates.

Somehow AWS GUI gives me 5 files.

[jmklix]

Here is a quick explanation of the certificates that you are seeing:

• AmazonRootCA1.pem and AmazonRootCA3.pem
  • You only need one. These are pre-generated and distributed by Amazon
• iot-certificate.pem.crt
  • This is the certPath
• iot-private.pem.key
  • This is the keyPath
• iot-public.pem.key
  • You don't need this when running your program

examples of what using the certs should look like:

• how it might look like given your code sample

const AwsIotDeviceSetting = {
 host: "********-ats.iot.ap-northeast-1.amazonaws.com",
 keyPath: 'certs/iot-private.pem.key',
 certPath: 'certs/iot-certificate.pem.crt',
 caPath: 'certs/AmazonRootCA1.pem',
 clientId: "raspi",
 region: "ap-northeast-1"
}

• what it would look like if you use this cert to run the pub_sub sample

node aws-iot-device-sdk-js-v2/samples/node/pub_sub/dist/index.js --endpoint ********-ats.iot.ap-northeast-1.amazonaws.com --ca_file certs/AmazonRootCA1.pem --cert certs/iot-certificate.pem.crt --key certs/AmazonRootCA1.pem

You should also take a look here if you want to learn more about client certificates and AWS IoT. Does this answers your question?

[matart15]

@jmklix

Sorry my comment made question confusing.

As My comment mention, It works with AWS GUI created certificastes. Which is your answer.

What I can't make it work is openssl created certificates.

I looked at this docs. was not very helpful

[jmklix]

You need to do multiple steps to correctly generate and register certificates that you generate. Here is a summarized version of what you need to do to generate certs with an unregistered CA cert. That is just rewording what is in the docs that I linked earlier. Does following those steps allow you to successfully generate your own certificates with openssl?

[matart15]

ok i will try that again. for now I am using aws gui created certs.

…

On Thu, Apr 21, 2022 at 9:23 Joseph Klix ***@***.***> wrote: You need to do multiple steps to correctly generate and register certificates that you generate. Here <aws/aws-iot-device-sdk-python-v2#250 (comment)> is a summarized version of what you need to do to generate certs with an unregistered CA cert. That is just rewording what is in the docs that I linked earlier. Does following those steps allow you to successfully generate your own certificates with openssl? — Reply to this email directly, view it on GitHub <#238 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEB5BE3OC5SM7WKSZ2ZKWFLVGCNYBANCNFSM5TUWM3YQ> . You are receiving this because you authored the thread.Message ID: ***@***.*** .com>

[jmklix]

Here is a guide on how to generate certificates for some of the different use cases. Please let me know if you have any questions after looking at this.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.