aws-samples / aws-device-lobby

Flexible onboarding and routing of IoT devices to any IoT Core account and region using a QR code.
MIT No Attribution

Device certificates are created with extra permissions #7

Open bgklika opened 11 months ago

bgklika commented 11 months ago

After pki/create-thing-creds.sh creates an IoT device certificate, it contains extra privileges:

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:2

and

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign

It should be

            X509v3 Basic Constraints: critical
                CA:FALSE

and

            X509v3 Key Usage: critical
                Digital Signature

I think it is because the wrong int1CA.cnf is used in the command:

openssl ca -batch -config int1CA.cnf -extensions v3_req -days 365 -md sha256 -in ../devices/$THING_NAME.csr.pem -out ../devices/$THING_NAME.crt.pem

Solution: provide another openssl configuration file to generate a certificate for a device. That config file should omit CA:TRUE and the Certificate Sign, CRL Sign rights.
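
One way to exercise the fix proposed above, added here as an example that is not the repository's own code: it signs a device CSR with a leaf-only extension section and checks the issued certificate for the CA bits the report lists. It assumes openssl is on PATH, stands in a throwaway self-signed test CA and `openssl x509 -req -extfile` for the sample's `openssl ca -config int1CA.cnf`, and the file and section names (device-ext.cnf, device_cert, ca_like) are made up.

```shell
#!/bin/sh
# Added example (not the repository's own code): sign a device CSR with a
# leaf-only extension section and check that the result carries neither
# CA:TRUE nor Certificate Sign / CRL Sign. A throwaway self-signed test CA
# and `openssl x509 -req -extfile` stand in for the sample's `openssl ca`
# with int1CA.cnf; every file and section name below is made up.

# Constructed extension sections: the CA-style one the issue reports, and
# the end-entity one a device certificate should receive instead.
EXT_CONF='[ ca_like ]
basicConstraints = critical, CA:TRUE, pathlen:2
keyUsage = critical, digitalSignature, keyCertSign, cRLSign

[ device_cert ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth'

# Create a throwaway issuing CA in $1 (stands in for the intermediate CA).
make_test_ca() {
    printf '%s\n' "$EXT_CONF" > "$1/device-ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=test-int1-ca" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a device cert in $1 using extension section $2; print its path.
issue_device_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=thing-0001" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$1/device-ext.cnf" \
        -extensions "$2" -out "$1/$2.crt" 2>/dev/null
    echo "$1/$2.crt"
}

# Return 0 only if $1 is a pure end-entity certificate: the check a CA
# operator would run on every issued device cert before shipping it.
check_leaf_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q 'CA:FALSE'          || return 1
    echo "$text" | grep -q 'Digital Signature' || return 1
    echo "$text" | grep -q 'CA:TRUE'           && return 1
    echo "$text" | grep -q 'Certificate Sign'  && return 1
    echo "$text" | grep -q 'CRL Sign'          && return 1
    return 0
}
```

Run `make_test_ca "$dir"` once, then `check_leaf_cert "$(issue_device_cert "$dir" device_cert)"` passes while the ca_like section fails the same check.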

bentcooke commented 9 months ago

@bgklika Thank you for raising this issue. You are correct... a separate config should be used during the cert creation. Updates to this repo will be made in the coming weeks and I will fix this.

bgklika commented 9 months ago

Sounds good! Thank you for the device lobby sample; it is a nice clarification of how to build account/region agnostic IoT Core devices.