AWS IoT which files to use after generating ? #114

Closed
shirish47 opened this issue Dec 5, 2017 · 8 comments

Comments

@shirish47

[screenshot attached: screen shot 2017-12-05 at 8 21 30 pm]

I have generated certificates and updated them in the IoT Console, but I am not sure which files to use with the ESP32 in its publish_subscribe example.

I am trying to learn to use my own CA certificate with AWS IoT.
Also, the files I generated have different extensions than the ones used by the example (.pem, .pem.crt, and .key). The old folder contains files generated from the Console itself. Please guide me: does it need any other format?

Please, please, please: I have also posted this on the forum and I am looking for an answer.

@vareddy-zz
Contributor

Hi @shirish47 ,
Are you creating and using self-signed certs (using this procedure: http://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html)?
If you followed the guide linked above, you will use your rootCA.pem (generated CA certificate), deviceCert.crt and deviceCert.key (device cert and key generated using the above CA certificate) to connect to AWS IoT.
Thank you for your interest in AWS IoT! Please let us know if you have any more questions.
Varun

@shirish47
Author

shirish47 commented Dec 6, 2017

Yes, I am using that guide, but for the example in esp32 idf the file extensions are different. Check the Readme section "Installing private key & certificate".

@shirish47
Author

shirish47 commented Dec 6, 2017

https://www.esp32.com/viewtopic.php?f=2&t=3832&p=17463#p17463 As per this, ESP_agus suggested that I use the AWS rootCA cert, as the rootCA generated by me following those instructions would not work. Well, I did register that CA in AWS IoT, but it does not work, as I have put in that forum. Nor did the one that I got from AWS work with the deviceCert, obviously, as they are not signed by the rootCA.pem provided by AWS. But AWS IoT only gives the rootCA.pem file and not the key, which I think is required during generation of the device cert.

@vareddy-zz
Contributor

vareddy-zz commented Dec 6, 2017

Hi @shirish47 ,
What they have said in the forum is correct. You have to use the aws-root-ca.pem to connect, but use your device cert and key that you have generated with your custom root CA. I didn't explain that correctly in the previous comment, my apologies. If you have registered your custom root CA and device certs with AWS IoT, it should allow you to connect.
So, to make things clearer, use:

  • aws-root-ca.pem (provided by AWS)
  • deviceCert.crt (generated using custom CA cert)
  • deviceCert.key (generated using custom CA cert)

The error (0x2700) that you are seeing in the forum post implies that the root CA is incorrect. Could you make sure that the aws-root-ca.pem that you are using was obtained from here?
Thanks!
Varun

@shirish47
Author

shirish47 commented Dec 7, 2017

Hi, so I used the CA from the link you provided and I get:

I (3682) event: ip: 192.168.1.109, mask: 255.255.255.0, gw: 192.168.1.1
I (3682) subpub: Connecting to AWS...
E (8452) aws_iot: failed! mbedtls_ssl_handshake returned -0x50
E (8452) subpub: Error(-4) connecting to XXXXXXXXX.ap-southeast-1.amazonaws.com:8883

I tried finding a file that could give me all the macros for mbedtls_ssl_handshake errors, but did not find -0x50.

@shirish47
Author

shirish47 commented Dec 7, 2017

Though there is one notable difference in the commands. Here it says
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256

while in the instructions that are shown in the AWS IoT Console under Register a CA certificate
the command is
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256

and thus for generating the device certificate according to here,
with this command I get
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256

and renaming those files worked.
Those extensions confuse a lot; even Amazon's documents differ.
Thanks Varun. 👍
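An added pre-flight check (not code from the issue, esp-idf, or AWS) that ties Varun's file list to the openssl commands above: it confirms deviceCert.crt was issued by your custom rootCA.pem, that deviceCert.key belongs to it, and that aws-root-ca.pem is a self-signed root that is expected not to chain to the device cert. File names are the thread's; make_fixture builds throwaway certificates, including a constructed stand-in for the AWS broker root, so it runs offline.

```shell
#!/bin/sh
# Roles of the three files the ESP32 example loads:
#   aws-root-ca.pem  verifies the broker's server certificate (downloaded from AWS)
#   deviceCert.crt   client certificate issued by your own registered rootCA.pem
#   deviceCert.key   the private key that pairs with deviceCert.crt
set -eu

# Exit 0 when the certificate chains to the given CA file, non-zero otherwise.
chains_to() {  # chains_to <ca.pem> <cert.crt>
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Exit 0 when the private key's public half equals the certificate's public key.
key_matches_cert() {  # key_matches_cert <cert.key> <cert.crt>
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# The whole pre-flight check; reports the first mismatch on stderr and exits non-zero.
check_device_files() {  # <aws-root-ca.pem> <rootCA.pem> <deviceCert.crt> <deviceCert.key>
  chains_to "$2" "$3" ||
    { echo "deviceCert.crt was not issued by rootCA.pem" >&2; return 1; }
  key_matches_cert "$4" "$3" ||
    { echo "deviceCert.key does not belong to deviceCert.crt" >&2; return 1; }
  # The broker root only has to be a self-signed CA; it never signs your device cert.
  chains_to "$1" "$1" ||
    { echo "aws-root-ca.pem is not a self-signed root CA" >&2; return 1; }
}

# Constructed fixture (assumption, not real AWS material): a custom CA and a
# device cert issued with the same openssl x509 -req form as in the thread,
# plus an unrelated self-signed CA standing in for aws-root-ca.pem.
make_fixture() {  # make_fixture <dir>
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 500 -subj "/CN=custom-root-ca" \
    -keyout "$d/rootCA.key" -out "$d/rootCA.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=esp32-device" \
    -keyout "$d/deviceCert.key" -out "$d/deviceCert.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/deviceCert.csr" -CA "$d/rootCA.pem" -CAkey "$d/rootCA.key" \
    -CAcreateserial -out "$d/deviceCert.crt" -days 500 -sha256 >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 500 -subj "/CN=stand-in-broker-root" \
    -keyout "$d/broker.key" -out "$d/aws-root-ca.pem" >/dev/null 2>&1
}
```

Run it as `check_device_files aws-root-ca.pem rootCA.pem deviceCert.crt deviceCert.key` on the real files before flashing. In mbedTLS, 0x2700 is MBEDTLS_ERR_X509_CERT_VERIFY_FAILED (wrong broker root) and -0x50 is MBEDTLS_ERR_NET_CONN_RESET (the broker closed the connection), so a clean result here rules out the local file mix-ups and leaves the CA registration on the AWS side to check.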

@shirish47
Author

shirish47 commented Dec 7, 2017

For someone who might get into trouble like me:
follow the instructions at
https://github.com/shirish47/AWS-IoT-ESP32-Configuration-details/tree/master

I will soon make a script for ease. I found one and I will modify it.

@vareddy-zz
Contributor

Hi @shirish47 ,
Great! I'll close this issue. Please open another issue if you have any more questions.
Thanks!
Varun
