Getting AWS Root Certificates for IoT Core Thing
In AWS IoT Core I created a thing, created a Policy for the thing, created a Certificate for the thing and attached the Policy to the Certificate.
After that I downloaded the .crt and the .key files of the Certificate I verified if they match with the following command:
(openssl x509 -noout -modulus -in certificate.pem.crt | openssl md5 ; openssl rsa -noout -modulus -in private.pem.key | openssl md5) | uniq
and got a single hash back, which indicates that they match
(stdin)= 97c1a8816c35acbfgt04f325aeacae6
The only thing left was to find the Root CA that my thing Certificate was signed with.
I found the AWS developer guide for the server certs here and I downloaded the VeriSign Class 3 Public Primary G5 root CA certificate, which I renamed to rootCA.pem.
But when I ran a test to verify the CA with the following command:
openssl s_client -connect <my ID>.iot.ap-southeast-2.amazonaws.com:8443 /
-CAfile /etc/mosquitto/certs/rootCA.pem /
-cert /etc/mosquitto/certs/certificate.pem.crt /
-key /etc/mosquitto/certs/private.pem.key
I get this response with the error unable to get local issuer certificate (see below)
CONNECTED(00000003)
depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 ECC 256 bit SSL CA - G2
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.ap-southeast-2.amazonaws.com
i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2
1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDlTCCAzygAwIBAgIQGw ...
——END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.ap-southeast-2.amazonaws.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2398 bytes and written 1448 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES256-GCM-SHA384
Session-ID: EB3B32C8 …
Session-ID-ctx:
Master-Key: 783A17EB6 …
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1587558792
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: yes
---
Does someone know how to get the Root CA for my thing Certificate?
Thanks
Edit:
Thanks to Ben T's advice I created a new thing in the Mumbai Region. Surprisingly I can see an option now to download the root certificate directly from the Certificate creation screen (see below)
After running openssl s_client -connect again with the new certs/key I finally get verify return:1.
AWESOME
The Verisign certificate is used for legacy endpoints.
You should use the newer certificates for the Amazon Trust Services endpoints. e.g. the one at https://www.amazontrust.com/repository/AmazonRootCA1.pem
All new AWS IoT Core regions, beginning with the May 9, 2018 launch of AWS IoT Core in the Asia Pacific (Mumbai) Region, serve only ATS certificates.