[AWS IoT] CA 인증서 등록
Cloud&Container/AWS 2020. 3. 3. 20:42참고 문서)
https://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html
$ openssl genrsa -out rootCA.key 2048
$ openssl req -x509 -new -extensions v3_ca -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Country Name (KR) []:KR
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
$ openssl genrsa -out verificationCert.key 2048
$ aws iot get-registration-code
{
"registrationCode": "879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878"
}
$ openssl req -new -key verificationCert.key -out verificationCert.csr
Country Name (KR) []:KR
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
$ openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256
$ aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem
{
"certificateArn": "arn:aws:iot:ap-northeast-2:99999999999:cacert/879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878",
"certificateId": "879216d3f0b9fee2e0947fe32fd4ed9670d65fa9aff3e67e590582db30f62878"
}
$ cat /etc/ssl/openssl.cnf
[ req ]
#default_bits = 2048
#default_md = sha256
#default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
extensions = v3_ca # 추가 설정
req_extensions = v3_ca # 추가 설정
attributes = req_attributes
[ v3_ca ]
basicConstraints = CA:TRUE # 추가 설정
[ req_distinguished_name ]
countryName = Country Name (KR)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, fully qualified host name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
위 테스트는 맥북에서 진행 된 것입니다.
Ubuntu 에서는 별도 설정 변경 없이 잘 되는 것으로 이야기 들었습니다.
저 위에 빨간색 부분이 달라 계속 오류가 발생을 했었습니다.
[에러메시지]
An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid.
The CA certificate does not have the basicConstraints extension as true