获取 IoT 核心事物的 AWS 根证书

Getting AWS Root Certificates for IoT Core Thing

AWS IoT Core 我创建了一个 thing,为这个东西创建了一个 Policy ,为事物创建了一个 证书,并将策略附加到证书。

之后我下载了证书的.crt.key文件我验证了它们是否与以下命令匹配:

(openssl x509 -noout -modulus -in certificate.pem.crt | openssl md5 ; openssl rsa -noout -modulus -in private.pem.key | openssl md5) | uniq

并返回一个散列,表明它们匹配

(stdin)= 97c1a8816c35acbfgt04f325aeacae6

唯一剩下的就是找到 根 CA,我的东西证书就是用它签名的。

我找到了服务器证书的 AWS 开发人员指南 here 并且我下载了 VeriSign Class 3 Public 主要 G5 根 CA 证书,我将其重命名为 rootCA.pem.

但是当我运行使用以下命令进行验证CA的测试时:

openssl s_client -connect <my ID>.iot.ap-southeast-2.amazonaws.com:8443 / -CAfile /etc/mosquitto/certs/rootCA.pem / -cert /etc/mosquitto/certs/certificate.pem.crt / -key /etc/mosquitto/certs/private.pem.key

我收到此响应,错误为无法获取本地颁发者证书(见下文)

CONNECTED(00000003)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 ECC 256 bit SSL CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.ap-southeast-2.amazonaws.com
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCCAzygAwIBAgIQGw ...
——END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.ap-southeast-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2398 bytes and written 1448 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: EB3B32C8 …
    Session-ID-ctx: 
    Master-Key: 783A17EB6 …
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1587558792
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---

有人知道如何为我的 thing 证书获取 Root CA 吗?

谢谢


编辑:

感谢 Ben T's 建议,我在 孟买地区 创建了一个新的 thing。令人惊讶的是,我现在可以看到一个选项,可以直接从证书创建屏幕(见下文)

下载 根证书

在 运行 openssl s_client -connect 之后又用新的 certs/key 我终于得到了 verify return:1

太棒了

Verisign 证书用于遗留端点。

您应该为 Amazon Trust Services 端点使用更新的证书。例如https://www.amazontrust.com/repository/AmazonRootCA1.pem

的那个

https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs

All new AWS IoT Core regions, beginning with the May 9, 2018 launch of AWS IoT Core in the Asia Pacific (Mumbai) Region, serve only ATS certificates.