thin-edge / thin-edge.io

The open edge framework for lightweight IoT devices
https://thin-edge.io
Apache License 2.0
221 stars 54 forks

POC: Reusing AWS IoT as PKI for device registration with Cumulocity IoT #1658

Closed reubenmiller closed 8 months ago

reubenmiller commented 1 year ago

Is your feature request related to a problem? Please describe.

Proof-of-concept: Can AWS IoT be used as PKI for device registration in Cumulocity?

Goal here is to:

Describe the solution you'd like

The following describes the general idea for the proof-of-concept. Please note that I don't know the current process that is used when connecting devices to AWS IoT, so please adapt the sections accordingly to what is possible.

Initial User setup

The exact details will be dependent on what is possible in AWS, e.g. is it possible to export the root/intermediate certificate which is used to sign all device certificates before a device has been registered?

Before the device registration can occur, the root or intermediate signing certificate should be exported from AWS IoT and imported into Cumulocity IoT. This would allow devices to re-use the AWS IoT signed certificates when registering with Cumulocity IoT.

Step 1: Export/Import of root/intermediate signing certificate

  1. Configure then export the root/intermediate signing certificate from AWS IoT
  2. Import the certificate using the Cumulocity IoT Device Management Application under "Trusted Certificates". Enable auto-registration of devices.

Step 2: Device registration with AWS IoT

  1. Device registers itself with AWS IoT (so that it can get a device certificate)

Since I don't know the AWS IoT specifics, I don't know how this exactly works, so there might or might not be a CSR used to do this, if there isn't then just ignore the CSR stuff.

Step 3: Device registration with AWS IoT

  1. Device registers itself with AWS IoT (not sure on the exact specifics, the user might need to pre-register the device in AWS). Hopefully after this process, there is a device certificate on the filesystem that can be used in the communication with Cumulocity IoT
  2. Configure the device to connect to Cumulocity IoT using the same certificate from step 1
  3. Device connects to Cumulocity IoT

The same general process can also be described in the following sequence diagram.

sequenceDiagram
    actor User
    participant device as Device
    participant aws as AWS IoT
    participant c8y as Cumulocity IoT

    Note right of User: Setup
    User ->> aws: Request export Root/Intermediate certificate
    aws -->> User: Root/Intermediate certificate
    User ->> c8y: Import Root/Intermediate certificate as Trusted Certificate

    Note right of device: Device Registration
    device ->> device: Create a private key
    device ->> aws: Send Certificate Signing Request (CSR)
    aws -->> device: Signed Certificate
    device ->> device: Save signed certificate to the tedge cert folder
    device ->> aws: Register Device with AWS

    device ->> c8y: Register Device with Cumulocity

Additional context

There are already two AWS proof-of-concepts (PoCs) which show how thin-edge.io can connect to AWS IoT. This could provide insights on the AWS IoT device registration process.

Info: Certificate Signing Request (CSR)

A Certificate Signing Request is the process where a locally generated key is generated, but the key is not yet recognised by any external system (nor should the key leave the device!). The device creates a CSR file based on the key, an example of this is shown below:

# Create CSR from private key
openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr

The CSR file is then used to request to retrieve the public certificate via a request to the PKI. If the PKI request is successful, then the PKI returns a public certificate which is signed by some root or intermediate certificate. The root or intermediate certificate is the one that validates that the device is somewhat "trusted", and can be used to validate the registration requests from a device using a device certificate signed by the "trusted" certificate, that it is ok to communicate with.

This has the benefit that individual device certificates do not have to be individually uploaded to the server (e.g. Cumulocity IoT).
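As an added illustration of the CSR flow described above (example code, not part of the original issue or the thin-edge.io project), the following POSIX shell script plays all three roles locally: a throwaway CA stands in for the PKI, a device directory stands in for the tedge cert folder, and the "cloud side" is just `openssl verify` with the CA certificate. The directory layout, CA names and the device CN are assumptions made for this demo; only the openssl CLI is required. It also checks the two properties that make the approach attractive: a single trusted CA certificate validates any device certificate it issued, and an unrelated CA does not.

```shell
#!/bin/sh
# Added example, not code from the thin-edge.io issue or project: a local
# walk-through of the key -> CSR -> signed certificate -> verify cycle, with a
# throwaway CA standing in for AWS IoT / the PKI. Directory layout, CA names
# and the device CN are assumptions for this demo.
set -eu

# make_ca DIR CN: create a self-signed CA (key + cert) in DIR.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# demo_csr_flow: run the full cycle. Prints the device certificate subject
# and returns 0 only if
#   * the signed cert validates against the issuing CA,
#   * an unrelated CA does NOT validate it (trust is scoped to the imported CA),
#   * the cert's public key matches the device's locally generated key,
#   * the CA private key never existed in the device directory.
demo_csr_flow() {
    work=$(mktemp -d)
    pki="$work/pki"; other="$work/other-pki"; dev="$work/device"
    mkdir -p "$dev"
    ok=1

    # Setup side: the CA whose certificate would be imported into
    # Cumulocity IoT as a "Trusted Certificate", plus an unrelated CA.
    make_ca "$pki" "Demo Root CA"
    make_ca "$other" "Unrelated Root CA"

    # Device side: the private key is generated locally and stays in $dev;
    # only the CSR is handed to the PKI.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dev/tedge-private-key.pem" -out "$dev/device.csr" \
        -subj "/CN=demo-device-001" >/dev/null 2>&1

    # PKI side: sign the CSR; the resulting certificate chains to the CA.
    openssl x509 -req -in "$dev/device.csr" \
        -CA "$pki/ca.crt" -CAkey "$pki/ca.key" -CAcreateserial -days 1 \
        -out "$dev/tedge-certificate.pem" >/dev/null 2>&1

    # Cloud side: only the CA certificate is needed to trust any device
    # certificate it signed, so per-device uploads are unnecessary.
    openssl verify -CAfile "$pki/ca.crt" "$dev/tedge-certificate.pem" \
        >/dev/null 2>&1 || ok=0

    # A different CA must reject the very same certificate.
    if openssl verify -CAfile "$other/ca.crt" "$dev/tedge-certificate.pem" \
        >/dev/null 2>&1; then ok=0; fi

    # The certificate really belongs to the device's private key.
    certpub=$(openssl x509 -in "$dev/tedge-certificate.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "$dev/tedge-private-key.pem" -pubout)
    [ "$certpub" = "$keypub" ] || ok=0

    # The CA's signing key was never needed on the device.
    [ ! -e "$dev/ca.key" ] || ok=0

    subject=$(openssl x509 -in "$dev/tedge-certificate.pem" -noout -subject)
    rm -rf "$work"
    [ "$ok" -eq 1 ] || return 1
    echo "$subject"
}

demo_csr_flow
```

Running the script prints the subject of the freshly issued device certificate (containing `demo-device-001`) and exits non-zero if any of the four checks fails. The negative check is the one worth keeping in mind for the proposal: the cloud side trusts exactly the CA it imported, which is why the signing CA (or an intermediate) must be exportable from the PKI for the scheme to work.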

Bravo555 commented 1 year ago

In addition, AWS IoT generates certificates signed by AWS Root CA, so in order to have a private CA, we have to use another service, like AWS Private CA.

didier-wenzek commented 1 year ago

This PR proposes an implementation to create a CSR for the device certificate. The question I have regarding this proposal is: "is a CSR generated implicitly along with the self-signed certificate" or "would an explicit command be less confusing"? Indeed, having a CSR plus a self-signed certificate might be confusing for the users even though there is nothing wrong with that.

Bravo555 commented 1 year ago

What I was going for in the POC was having a flag for the certificate create command, e.g. tedge cert create --ca aws, with a value for a specific CA provider, like aws. The command would then handle obtaining a certificate signed by this CA using this CA's preferred method (so for AWS IoT it would be using the create_certificate_form_csr function from the aws_iot_sdk crate) and then installing the signed certificate in the /etc/tedge/device-certs/tedge-certificate.pem path.

This functionality was implemented in the following commit on pki-poc branch of my fork: https://github.com/Bravo555/thin-edge.io/commit/aedb1c2e456c13081c08bc82a5e3aa4aff26dd6f

Bravo555 commented 1 year ago

Step 1: Export/Import of root/intermediate signing certificate

1. Configure then export the root/intermediate signing certificate from AWS IoT

2. Import the certificate using the Cumulocity IoT Device Management Application under "Trusted Certificates". Enable auto-registration of devices.

I don't think that it's possible to do in AWS IoT. The certificate used for signing client certificates is not viewable anywhere, as far as I know, and is used only for verifying the identity of clients connecting to AWS IoT core itself, so while it could be useful if AWS IoT support ever gets merged, it wouldn't be of any use to Cumulocity.

Similarly with AWS Private CA, the pricing is high, and it's another thing entirely, so I expect this also won't be a good fit for Cumulocity, because instead of just one intermediate CA per tenant that we can import client side, this is just one Root CA that we would have to either import globally into Cumulocity, or we would have to manually implement generating 1 intermediate cert per user and making it available for the user to import into their Cumulocity tenant??? Anyway this doesn't make use of AWS IoT at all.

So I would consider AWS a dead end in that regard, and maybe look into Azure.

reubenmiller commented 1 year ago

However a “not feasible” is just as valuable from a POC. We’ll double check the work before we close the ticket just to be sure. But thanks for the effort :)

didier-wenzek commented 1 year ago

Following a discussion with @Bravo555 .

For this POC:

reubenmiller commented 8 months ago

Closing as the original scope of the POC has been fulfilled. The conclusion was that it is not possible to re-use the AWS certificate authority in Cumulocity IoT.

Useful aspects mentioned in this ticket, such as a cli command to create a CSR, will be configured in a new ticket.