According to these docs I need to generate so-called bootstrap certificates for my IoT devices. I assumed that for bootstrap certificate generation the CA certificate would be downloaded via the AWS SDK and used to generate the bootstrap certificate.
I can't find any more or less sane example of how this can be done with the Java AWS SDK. Can anyone give a code example of how I can do it? Thanks in advance.
I found the solution. An AWS bootstrap certificate is a certificate signed by a CA certificate registered in AWS IoT. See the workflow here. To implement this in Java I used the Bouncy Castle library. First, download the CA certificate and the CA private key, and generate a KeyPair for your bootstrap certificate:
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;

// Use a cryptographically strong RNG for the device key.
SecureRandom random = new SecureRandom();
KeyPairGenerator keypairGen = KeyPairGenerator.getInstance("RSA");
keypairGen.initialize(2048, random);
KeyPair keypair = keypairGen.generateKeyPair();
PublicKey publicKey = keypair.getPublic();
Convert the CA certificate and CA private key to X509Certificate and PrivateKey objects with the Bouncy Castle library (see the book with examples). Generate the certificate:
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.cert.CertIOException;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

// Builds an end-entity (non-CA) certificate for the device public key, signed by the CA key.
public X509Certificate makeV3Certificate(
X509Certificate caCertificate,
PrivateKey caPrivateKey,
PublicKey publicKey)
throws GeneralSecurityException, CertIOException, OperatorCreationException {
X509v3CertificateBuilder v3CertBuilder = new JcaX509v3CertificateBuilder(
caCertificate.getSubjectX500Principal(), // issuer
BigInteger.valueOf(System.currentTimeMillis()) // serial number (timestamp-based; must be unique per CA)
.multiply(BigInteger.valueOf(10)),
new Date(System.currentTimeMillis() - 1000 * 5), // start time (5 s of clock skew)
new Date(System.currentTimeMillis() + 1000 * 3600 * 3), // expiry time (3 hours)
new X500Principal(String.format("CN=%s", "desirable Common Name")), // subject
publicKey); // subject public key
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
v3CertBuilder.addExtension(
Extension.subjectKeyIdentifier,
false,
extUtils.createSubjectKeyIdentifier(publicKey));
v3CertBuilder.addExtension(
Extension.authorityKeyIdentifier,
false,
extUtils.createAuthorityKeyIdentifier(caCertificate));
v3CertBuilder.addExtension( // critical: this certificate may not act as a CA
Extension.basicConstraints,
true,
new BasicConstraints(false));
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256withRSA");
return new JcaX509CertificateConverter().getCertificate(v3CertBuilder.build(signerBuilder.build(caPrivateKey)));
}
Convert the certificate to PEM format with the Bouncy Castle library and attach the CA certificate to the PEM file. Also, convert the bootstrap certificate's private key (from the key pair) to PEM format. That is all. You can connect your device to AWS IoT via MQTT with this CA-signed certificate and the private key.
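As an added example (not from the answer or from AWS's own docs), here is the PEM handling the last step describes: loading the CA certificate and key from PEM, writing the bootstrap certificate with the CA certificate appended as its chain, writing the device key, and verifying the result against the CA public key before it ships. It assumes the answer's makeV3Certificate method is in the same class and that the four file paths are passed as arguments.

```java
import java.io.*;
import java.security.*;
import java.security.cert.X509Certificate;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;

public class BootstrapPem {
    // Load the CA certificate registered in AWS IoT from a PEM file.
    static X509Certificate readCert(String path) throws Exception {
        try (PEMParser p = new PEMParser(new FileReader(path))) {
            return new JcaX509CertificateConverter().getCertificate((X509CertificateHolder) p.readObject());
        }
    }

    // Load the CA private key; accepts both "RSA PRIVATE KEY" (PKCS#1) and "PRIVATE KEY" (PKCS#8) PEM.
    static PrivateKey readKey(String path) throws Exception {
        try (PEMParser p = new PEMParser(new FileReader(path))) {
            Object o = p.readObject();
            JcaPEMKeyConverter c = new JcaPEMKeyConverter();
            return o instanceof PEMKeyPair ? c.getKeyPair((PEMKeyPair) o).getPrivate() : c.getPrivateKey((PrivateKeyInfo) o);
        }
    }

    // Write the chain file (bootstrap cert first, then the CA cert) and the device private key as PEM.
    static void writePem(X509Certificate leaf, X509Certificate ca, PrivateKey key, String certOut, String keyOut) throws Exception {
        try (JcaPEMWriter w = new JcaPEMWriter(new FileWriter(certOut))) { w.writeObject(leaf); w.writeObject(ca); }
        try (JcaPEMWriter w = new JcaPEMWriter(new FileWriter(keyOut))) { w.writeObject(key); }
    }

    // Usage: java BootstrapPem caCert.pem caKey.pem bootstrap.pem bootstrap-key.pem (paths are assumptions)
    public static void main(String[] args) throws Exception {
        X509Certificate ca = readCert(args[0]);
        PrivateKey caKey = readKey(args[1]);
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048, new SecureRandom());
        KeyPair device = gen.generateKeyPair();
        // makeV3Certificate is the answer's method above, assumed to be a member of this class.
        X509Certificate leaf = makeV3Certificate(ca, caKey, device.getPublic());
        leaf.verify(ca.getPublicKey()); // throws if the leaf was not signed by this CA's key
        leaf.checkValidity();           // throws if the validity window is already wrong on this host
        writePem(leaf, ca, device.getPrivate(), args[2], args[3]);
    }
}
```

The verify call catches the common mistake of signing with a key that does not match the CA certificate you registered; AWS IoT would reject such a certificate only at connection time.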