Closed reubenmiller closed 8 months ago
In addition, AWS IoT generates certificates signed by AWS Root CA, so in order to have a private CA, we have to use another service, like AWS Private CA.
This PR proposes an implementation to create a CSR for the device certificate. The question I have regarding this proposal is: "is a CSR generated implicitly along with the self-signed certificate" or "would an explicit command be less confusing"? Indeed, having a CSR plus a self-signed certificate might be confusing for the users, even if there is nothing wrong with that.
What I was going for in the POC was having a flag for the certificate create command, e.g. `tedge cert create --ca aws`, with a value for a specific CA provider, like `aws`. The command would then handle obtaining a certificate signed by this CA using this CA's preferred method (so for AWS IoT it would be using the `create_certificate_form_csr` function from the `aws_iot_sdk` crate) and then installing the signed certificate in the `/etc/tedge/device-certs/tedge-certificate.pem` path.
This functionality was implemented in the following commit on the `pki-poc` branch of my fork: https://github.com/Bravo555/thin-edge.io/commit/aedb1c2e456c13081c08bc82a5e3aa4aff26dd6f
> Step 1: Export/Import of root/intermediate signing certificate
>
> 1. Configure then export the root/intermediate signing certificate from AWS IoT
> 2. Import the certificate using the Cumulocity IoT Device Management Application under "Trusted Certificates". Enable auto-registration of devices.
I don't think that it's possible to do in AWS IoT. The certificate used for signing client certificates is not viewable anywhere, as far as I know, and is used only for verifying the identity of clients connecting to AWS IoT core itself, so while it could be useful if AWS IoT support ever gets merged, it wouldn't be of any use to Cumulocity.
Similarly with AWS Private CA, the pricing is high, and it's another thing entirely, so I expect this also won't be a good fit for Cumulocity, because instead of just one intermediate CA per tenant that we can import client side, this is just one Root CA that we would have to either import globally into Cumulocity, or we would have to manually implement generating 1 intermediate cert per user and making it available for the user to import into their Cumulocity tenant??? Anyway, this doesn't make use of AWS IoT at all.
So I would consider AWS a dead end in that regard, and maybe look into Azure.
However a “not feasible” is just as valuable from a POC. We’ll double check the work before we close the ticket just to be sure. But thanks for the effort :)
Following a discussion with @Bravo555.
`aws-sdk-acmpca` and notably the issue certificate operation. For this POC:
`tedge cert create --ca aws` using the issue certificate `aws-sdk-acmpca` operation and assuming that a private CA has been created beforehand.

Closing as the original scope of the POC has been fulfilled. The conclusion was that it is not possible to re-use the AWS certificate authority in Cumulocity IoT.
Useful aspects mentioned in this ticket, such as a cli command to create a CSR, will be configured in a new ticket.
Is your feature request related to a problem? Please describe.
Proof-of-concept: Can AWS IoT be used as PKI for device registration in Cumulocity?
Goal here is to:
- `pki` plugin interface could look like for `thin-edge.io` to enable multiple PKI providers

Describe the solution you'd like
The following describes the general idea for the proof-of-concept. Please note that I don't know the current process that is used when connecting devices to AWS IoT, so please adapt the sections accordingly to what is possible.
Initial User setup
The exact details will be dependent on what is possible in AWS, e.g. is it possible to export the root/intermediate certificate which is used to sign all device certificates before a device has been registered?
Before the device registration can occur, the root or intermediate signing certificate should be exported from AWS IoT and imported into Cumulocity IoT. This would allow devices to re-use the AWS IoT signed certificates when registering with Cumulocity IoT.
Step 1: Export/Import of root/intermediate signing certificate
Step 2: Device registration with AWS IoT
Since I don't know the AWS IoT specifics, I don't know how exactly this works, so there might or might not be a CSR used to do this; if there isn't, then just ignore the CSR stuff.
Step 3: Device registration with AWS IoT
The same general process can also be described in the following sequence diagram.
Additional context
There are already two AWS proof-of-concepts (PoCs) which show how `thin-edge.io` can connect to AWS IoT. This could provide insights on the AWS IoT device registration process.

Info: Certificate Signing Request (CSR)
A Certificate Signing Request is the process where a key is generated locally, but the key is not yet recognised by any external system (nor should the key leave the device!). The device creates a CSR file based on the key; an example of this is shown below:
The CSR file is then used to retrieve the public certificate via a request to the PKI. If the PKI request is successful, then the PKI returns a public certificate which is signed by some root or intermediate certificate. The root or intermediate certificate is the one that validates that the device is somewhat "trusted", and can be used to validate the registration requests from a device using a device certificate signed by the "trusted" certificate, that it is ok to communicate with.
This has the benefit that individual device certificates do not have to be individually uploaded to the server (e.g. Cumulocity IoT).