aws / aws-iot-device-sdk-embedded-C

SDK for connecting to AWS IoT from a device using embedded C.
MIT License

[QUESTION] How to store private key when using the provisioning demo? #1775

Status: Closed (Nomidia closed this 2 years ago)

Nomidia commented 2 years ago

Hi, I'm migrating my AWS IoT code from v4_beta to the latest version. I was using aws_iot_demo_provisioning_with_keys_and_cert.c to provision my devices before; it gets the certificate and private key.

Now I'm using fleet_provisioning_with_csr_demo.c for provisioning, how can I store the private key? I will use the iot certificate and private key to connect to aws iot and kvs.

Thanks

johnrhen commented 2 years ago

Hello Nomidia,

You should store the Claim private key you use to connect to AWS IoT in PEM format. The demo will convert the Claim private key from PEM to DER format during its execution. All you need to do is set the "CLAIM_PRIVATE_KEY_PATH" macro to the path of the PEM-encoded key. There's a short setup guide for the Fleet Provisioning demo which you can consult, as well.

The private keys which are generated by the demo for the newly-provisioned Things are stored in DER format in the same directory that the demo runs. The generated private keys will be named "corePKCS11_Key.dat". Let us know if this answers your questions.

Thank you, John

Nomidia commented 2 years ago

Hi John,

Now I have got corePKCS11_Certificate.dat and corePKCS11_Key.dat. How should I use them to connect to IoT? The certificate and private key are in PEM format in the other demos, as follows:

```c
#define CLIENT_CERT_PATH           "/customer/certificates/device-certificate.pem.crt"
#define CLIENT_PRIVATE_KEY_PATH    "/customer/certificates/device-private.pem.key"
```

johnrhen commented 2 years ago

Unlike the other demos, the Fleet Provisioning demo uses corePKCS11 for credential management, so you do not need to define macros containing the credentials (for the Things, the Claim credentials should still be defined in the config). After the Fleet Provisioning demo generates the corePKCS11_Certificate.dat and corePKCS11_Key.dat files for a new Thing, the demo connects to IoT Core with the new DER credentials using its PKCS11 implementation of mqtt_operations.h and mqtt_operations.c.

Nomidia commented 2 years ago

I mean, after getting the corePKCS11_Certificate.dat and corePKCS11_Key.dat files, how should I use them in the other demos, such as shadow or mqtt, and with other services like KVS? The provisioning demo itself can connect to IoT Core after provisioning, but that is not what I need.

For example, in the KVS producer there is an interface that uses the IoT credentials, as follows:

```c
STATUS createIotCredentialProviderWithTime(PCHAR iotGetCredentialEndpoint, PCHAR certPath,
                                            PCHAR privateKeyPath, PCHAR caCertPath,
                                            PCHAR roleAlias, PCHAR thingName,
                                            GetCurrentTimeFunc getCurrentTimeFn, UINT64 customData,
                                            BlockingServiceCallFunc serviceCallFn,
                                            PAwsCredentialProvider* ppCredentialProvider);
```

It also requires a certificate and private key in PEM format.

johnrhen commented 2 years ago

If you'd like to use the credentials for the other demos, you'd have to either modify the Fleet Provisioning demo to generate PEM-encoded credentials or convert the credentials from DER to PEM after the demo has completed.
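The second option John describes (converting the demo's DER output to PEM after the fact) as an added example that is not part of the thread or the SDK: a small POSIX shell function around the openssl CLI. It assumes the file names from the thread (corePKCS11_Key.dat, corePKCS11_Certificate.dat) and the output names used by the other demos' config macros; the key/certificate match check and the owner-only permissions on the PEM key are choices made here, not demo behaviour.

```shell
#!/bin/sh
# Convert the DER credentials written by the Fleet Provisioning demo into the
# PEM files the other demos (and the KVS producer) expect.
set -eu

# der_to_pem KEY_DER CERT_DER OUT_DIR
# Writes OUT_DIR/device-private.pem.key and OUT_DIR/device-certificate.pem.crt,
# keeps the key readable by the owner only, and refuses to emit a mismatched pair.
der_to_pem() {
    key_der=$1; cert_der=$2; out_dir=$3
    key_pem="$out_dir/device-private.pem.key"
    cert_pem="$out_dir/device-certificate.pem.crt"
    mkdir -p "$out_dir"

    # 'openssl pkey' auto-detects PKCS#8 and traditional RSA/EC DER, so it works
    # whichever key type the demo generated. umask 077 makes the PEM key 0600
    # from the moment it is created rather than chmod-ing it afterwards.
    (umask 077 && openssl pkey -inform DER -in "$key_der" -outform PEM -out "$key_pem")
    openssl x509 -inform DER -in "$cert_der" -outform PEM -out "$cert_pem"

    # Sanity check: the public key inside the certificate must be the one
    # derived from the private key, otherwise the TLS handshake will fail later.
    key_pub=$(openssl pkey -in "$key_pem" -pubout -outform DER | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$cert_pem" -pubkey -noout \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "der_to_pem: private key does not match certificate" >&2
        rm -f "$key_pem" "$cert_pem"
        return 1
    fi
    echo "$key_pem $cert_pem"
}
```

The two output paths are what CLIENT_CERT_PATH and CLIENT_PRIVATE_KEY_PATH (or the certPath/privateKeyPath arguments of the KVS provider) should point at.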

Nomidia commented 2 years ago

OK, I will modify my demo.