How to use AWS IoT Fleet provisioning on FreeRTOS "release-v10.3.1", I don't want to move to AWS-FreeRTOS

Best thing to do for that is read through the links on this page: https://freertos.org/iot-fleet-provisioning/index.html - there is a bit of set up to do but there are scripts provided to automate a lot of the device registration with AWS.

Any suggestion on how to use AWS IoT Fleet provisioning (CSR method) on an ESP32 chip?
If there is any ready sample, please let me know.

Other than the examples in the AWS GitHub repo and FreeRTOS GitHub repo, we don’t have any other samples. You might get value out of the corePKCS11 porting guide, if you need to handle your device certificates.

For provisioning using the CSR method,
what key has to be present in the device?
How do I generate the key which has to be embedded in the device?
What is the certificate to be uploaded during the selection of “Create CSR” on AWS while creating a thing?

I have a fundamental doubt:
what is the difference between CreateKeysAndCertificate and CreateCertificateFromCsr?
Does CreateKeysAndCertificate also send the CA and device certificates to AWS to get a permanent certificate for further use? Or doesn’t it need any certificates at all?

I can see examples and demos for CSR; are there any demos/examples for the CreateKeysAndCertificate method?

Please help me with this.

Just like how we have a demo for CSR (“demos/fleet_provisioning/fleet_provisioning_with_csr”),
is there a reference demo for “CreateKeysAndCertificate”?

@rtel @johnrhen any help please?

The Claim key is needed to connect to AWS IoT, but you can get it by simply generating any compatible keypair and using it in your requests. The Claim certificate and key pair you use are used to connect to the AWS IoT MQTT broker, which allows the demo to use the required endpoints (including CreateCertificateFromCsr) to execute its tasks.

The certificate used to initially connect to the AWS IoT MQTT broker should be your claim certificate, which is a device certificate you’ve pre-registered with AWS IoT.

The demo uses the claim key and claim certificate to connect to AWS IoT. Then, it generates a new keypair, then uses the new public key to create a Certificate Signing Request, which will get a new certificate from AWS IoT.

As for the difference between “CreateKeysAndCertificate” and “CreateCertificateFromCsr”, the CreateKeysAndCertificate endpoint will obtain both the private/public keypair and the certificate from AWS IoT, whereas CreateCertificateFromCsr will only obtain a certificate and does not generate a keypair. CreateKeysAndCertificate will also require the CA and device certificates to connect to AWS IoT.

We do not have a reference demo for CreateKeysAndCertificate - but you can read the AWS IoT API Reference for that endpoint.
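To make the difference between the two endpoints concrete, here is an added, offline model of both request/response exchanges (this is example code written for this thread, not the C-SDK demo or AWS code). The topic names and JSON field names are the documented Fleet Provisioning ones; the `FakeAwsIot` class, the PEM bodies and the Thing naming are constructed stand-ins for the cloud side. The point it shows: in the CSR flow no private key ever arrives over the connection, whereas CreateKeysAndCertificate returns one, and in both flows the ownership token from the certificate response is what RegisterThing consumes, once.

```python
"""Offline model of the two AWS IoT Fleet Provisioning MQTT flows.

Constructed example: the cloud side is a stub and the PEM bodies are
placeholders. Topic and JSON field names follow the AWS IoT Fleet
Provisioning API; everything else is simulated.
"""
import json
import secrets

TOPIC_CREATE_KEYS = "$aws/certificates/create/json"               # CreateKeysAndCertificate
TOPIC_CREATE_FROM_CSR = "$aws/certificates/create-from-csr/json"  # CreateCertificateFromCsr


def register_thing_topic(template_name):
    """RegisterThing request topic for a provisioning template."""
    return f"$aws/provisioning-templates/{template_name}/provision/json"


class FakeAwsIot:
    """Stand-in for AWS IoT: issues ownership tokens and registers Things.

    Real AWS IoT enforces much more (claim-certificate policy, template
    checks, TLS); this stub only models message shapes and the single-use
    ownership token.
    """

    def __init__(self):
        self._pending_tokens = {}   # ownership token -> certificateId
        self.things = {}            # thingName -> certificateId

    def _issue(self, include_private_key):
        cert_id = secrets.token_hex(16)
        token = secrets.token_urlsafe(24)
        self._pending_tokens[token] = cert_id
        resp = {
            "certificateId": cert_id,
            "certificatePem": "-----BEGIN CERTIFICATE-----\n<simulated>\n-----END CERTIFICATE-----\n",
            "certificateOwnershipToken": token,
        }
        if include_private_key:
            # Only CreateKeysAndCertificate sends key material to the device.
            resp["privateKey"] = "-----BEGIN PRIVATE KEY-----\n<simulated, cloud-generated>\n-----END PRIVATE KEY-----\n"
        return resp

    def handle(self, topic, payload):
        """Return (response_topic, response_json) for one published request."""
        body = json.loads(payload) if payload else {}
        if topic == TOPIC_CREATE_KEYS:
            return topic + "/accepted", json.dumps(self._issue(include_private_key=True))
        if topic == TOPIC_CREATE_FROM_CSR:
            csr = body.get("certificateSigningRequest", "")
            if not csr.startswith("-----BEGIN CERTIFICATE REQUEST-----"):
                return topic + "/rejected", json.dumps(
                    {"statusCode": 400, "errorMessage": "missing or malformed CSR"})
            return topic + "/accepted", json.dumps(self._issue(include_private_key=False))
        if topic.startswith("$aws/provisioning-templates/") and topic.endswith("/provision/json"):
            token = body.get("certificateOwnershipToken")
            cert_id = self._pending_tokens.pop(token, None)   # token is single-use
            if cert_id is None:
                return topic + "/rejected", json.dumps(
                    {"statusCode": 403, "errorMessage": "unknown or already used ownership token"})
            serial = body.get("parameters", {}).get("SerialNumber", "unknown")
            thing_name = f"fleet-demo-{serial}"   # naming chosen by the simulated template
            self.things[thing_name] = cert_id
            return topic + "/accepted", json.dumps({"thingName": thing_name, "deviceConfiguration": {}})
        return topic + "/rejected", json.dumps({"statusCode": 404, "errorMessage": "unknown topic"})


def _expect_accepted(reply):
    topic, payload = reply
    if not topic.endswith("/accepted"):
        raise RuntimeError(f"{topic}: {payload}")
    return json.loads(payload)


def provision(aws, template_name, serial_number, csr_pem=None):
    """Run one provisioning flow on the simulated cloud.

    CSR flow when csr_pem is given, CreateKeysAndCertificate otherwise.
    Returns what a device would act on: the new certificate id, the Thing
    name, and whether a private key arrived over the connection.
    """
    if csr_pem is None:
        cert = _expect_accepted(aws.handle(TOPIC_CREATE_KEYS, ""))
    else:
        cert = _expect_accepted(aws.handle(
            TOPIC_CREATE_FROM_CSR, json.dumps({"certificateSigningRequest": csr_pem})))
    reg = _expect_accepted(aws.handle(register_thing_topic(template_name), json.dumps({
        "certificateOwnershipToken": cert["certificateOwnershipToken"],
        "parameters": {"SerialNumber": serial_number},
    })))
    return {
        "thingName": reg["thingName"],
        "certificateId": cert["certificateId"],
        "privateKeyFromCloud": "privateKey" in cert,
        "ownershipToken": cert["certificateOwnershipToken"],
    }


if __name__ == "__main__":
    cloud = FakeAwsIot()
    sample_csr = "-----BEGIN CERTIFICATE REQUEST-----\n<constructed>\n-----END CERTIFICATE REQUEST-----\n"
    print(provision(cloud, "FleetTemplate", "SN0001", csr_pem=sample_csr))
    print(provision(cloud, "FleetTemplate", "SN0002"))
```

The `privateKeyFromCloud` flag is the property to watch when choosing between the endpoints: with CreateCertificateFromCsr the private key is created and kept on the device (in the demo, inside the PKCS#11 store), so only the public half and the certificate ever cross the claim-certificate session.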

Do you have any document that shows how to build the complete setup for fleet provisioning on Ubuntu?
I have downloaded the zip file of the 202108 archive:
https://github.com/aws/aws-iot-device-sdk-embedded-C/releases/tag/202108.00

I followed the steps below.
Added macros for the certificates, paths, URLs, endpoints, topics.

venkatesh@ubuntu:~/aws-iot-device-sdk-embedded-C/demos/fleet_provisioning/fleet_provisioning_with_csr$ cmake -S . -Bbuild && cd build

venkatesh@ubuntu:~/aws-iot-device-sdk-embedded-C/demos/fleet_provisioning/fleet_provisioning_with_csr/build$ make

I get lots of link errors with respect to mbedtls,
so I go to the mbedtls folder and execute the below:
venkatesh@ubuntu:~/aws-iot-device-sdk-embedded-C/libraries/3rdparty/mbedtls$ cmake -S .
venkatesh@ubuntu:~/aws-iot-device-sdk-embedded-C/libraries/3rdparty/mbedtls$ make

I have built tinycbor, clock, aws-iot-device-sdk-embedded-C/platform/posix/transport

Added link_directories() paths for
tinycbor
mbedtls
clock_posix
transport_mbedtls_pkcs11_posix

Got some errors, so I went back to enable macros for MBEDTLS_THREADING_C, but ended up with many other errors too.

  1. What macros have to be enabled to build the complete system?
  2. What are the files to be changed and what are the values to be changed?
  3. Which directories or folders should I check and build?

Can you guide me in getting the demo to work on Ubuntu?

Ensure that your Ubuntu machine has OpenSSL of version 1.1.0 or later. After downloading the release and completing the required configuration steps, make sure that you’re running the cmake command in the root directory of the C-SDK.

cmake -S . -Bbuild -DAWS_IOT_ENDPOINT="<your-aws-iot-endpoint>" -DROOT_CA_CERT_PATH="<your-path-to-amazon-root-ca>" -DCLAIM_CERT_PATH="<your-claim-certificate-path>" -DCLAIM_PRIVATE_KEY_PATH="<your-claim-private-key-path>" -DPROVISIONING_TEMPLATE_NAME="<your-template-name>" -DDEVICE_SERIAL_NUMBER="<your-serial-number>"

You shouldn’t need to modify any files to get the demo working, although you can modify the macros in demo_config.h if you wish.

With some path changes and such I could build the demo, thanks.
How do I test this demo?

  1. What should I do on AWS IoT Core related to certificates?
  2. I used a command like this on the terminal to create a CSR:
    openssl req -new -newkey rsa:2048 -nodes -out google_com.csr -keyout google_com.key -subj "/C=/ST=/L=/O=Spaceagelabs/OU=RD/CN=google_com"
  3. I got the “.key” and “.csr” files.
  4. I am confused about what should be used on the device and what should be done on the AWS IoT and IAM portal.
  5. Any steps or document which explains the step-by-step procedure for creating a Fleet provisioning setup on the AWS portal to make this demo work?

Since the build is now done with dummy macro values for
AWS_IOT_ENDPOINT, ROOT_CA_CERT_PATH, CLAIM_CERT_PATH, CLAIM_PRIVATE_KEY_PATH, PROVISIONING_TEMPLATE_NAME, DEVICE_SERIAL_NUMBER, I am stuck on the real values and how to generate them, and on what has to be done on AWS IoT Core and for the AWS IAM user.
Things get confusing when trying to proceed to the certificate sections.

Can somebody guide me on what has to be done on the AWS portal and on the device to test this CSR demo?

What certificates are needed on the device, and how do we get them?
What settings, roles, policies, certificates and templates have to be set on the AWS portal, and how is it done?

You can follow the “Setting up AWS resources before running the demo” section on the FreeRTOS demo guide up until step 10. This will show you how to configure the AWS resources required to get the demo running. The certificate generated in step 8 should be on your device, as it is the Claim certificate which is used to provision a new Thing certificate. The comments for each of the macros should tell you what you need to put there.

Thanks guys, it worked for me with the demo.

If I need to implement a sample for CreateKeysAndCertificate:

  1. Do we have fleet_provisioning_serializer.h/fleet_provisioning_serializer.c files and APIs related to it?
  2. In the CSR demo main, we use “generateKeyAndCsr()”. What is the alternate API call for the CreateKeysAndCertificate method?
  3. Can you please let me know if test code or sample code is available for a CreateKeysAndCertificate demo?

The above will help me in creating a demo for “CreateKeysAndCertificate” on Ubuntu.

We don’t have any sample code available which uses CreateKeysAndCertificate, but you can see the endpoint and documentation for the CreateKeysAndCertificate API in the AWS developer guide.

Hello, I have some questions about the fleet provisioning method with the CreateCertificateFromCsr API.

1- To generate the CSR, is it necessary to generate a private key and a public key, or can I do it by generating only a private key?

2- Once I obtain a certificate with the call to CreateCertificateFromCsr and activate it by calling RegisterThing, it disconnects from the TLS session and reconnects with the obtained certificate. Which private key must be used here, the one used to generate the CSR, or the one that was chosen along with the claim certificate?

I ported the demo discussed here to an ESP32. I choose the certificate and activate it, but I have problems when trying to authenticate with the certificates chosen by the provisioning; I am trying to find out why.

Hello EmbeddedDBL, welcome to the forums.

  1. A CSR requires a public key to be attached. The Fleet Provisioning demo will get the public key from the contents of the private key in order to make the CSR, but you’ll need access to the public key in some form.

  2. In the demo, after the certificate is obtained, a new private key is generated and used to connect to AWS. You wouldn’t use your claim key (which is the key used to generate the CSR).

As for your last question, which policy is attached to your provisioned certificates? There might be an issue there.
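The two questions above (does a CSR need a public key, and which private key pairs with the certificate AWS returns) can be checked directly. The following is an added example written for this thread, not the demo's own code: it uses the Python `cryptography` package (assumed installed) in place of the corePKCS11/mbedtls calls the demo makes, generates a fresh device key, derives the public key from it to build the CSR, and then checks which key the CSR's public key actually belongs to. The curve choice and the `device-SN0001` common name are arbitrary example values; an RSA key works the same way.

```python
"""Generate a device key pair and CSR, then check which key the CSR binds.

Added example: uses the `cryptography` package (assumed installed) instead of
the corePKCS11/mbedtls calls in the Fleet Provisioning demo.
"""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def generate_device_key():
    """Private key generated on the device; the public half is derived from it."""
    return ec.generate_private_key(ec.SECP256R1())


def build_csr(private_key, common_name):
    """A CSR is subject + public key, signed with the matching private key.

    No separate public key object is needed: it is taken from private_key.
    """
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(subject)
            .sign(private_key, hashes.SHA256()))


def csr_pem(csr):
    """PEM text, which is what goes into the certificateSigningRequest field."""
    return csr.public_bytes(serialization.Encoding.PEM).decode()


def csr_matches_key(csr, private_key):
    """True when the certificate issued for this CSR will pair with private_key."""
    if not csr.is_signature_valid:
        return False
    spki = serialization.PublicFormat.SubjectPublicKeyInfo
    der = serialization.Encoding.DER
    return (csr.public_key().public_bytes(der, spki)
            == private_key.public_key().public_bytes(der, spki))


def demo():
    # The claim key stands in for the pre-registered claim key pair; the device
    # key is the fresh pair that will back the permanent certificate.
    claim_key = generate_device_key()
    device_key = generate_device_key()
    csr = build_csr(device_key, "device-SN0001")   # constructed example name
    return {
        "pairs_with_device_key": csr_matches_key(csr, device_key),
        "pairs_with_claim_key": csr_matches_key(csr, claim_key),
        "pem": csr_pem(csr),
    }


if __name__ == "__main__":
    result = demo()
    print(result["pem"])
    print("pairs with device key:", result["pairs_with_device_key"])
    print("pairs with claim key:", result["pairs_with_claim_key"])
```

After RegisterThing, the TLS reconnect must present the new certificate together with the key for which `csr_matches_key` returns True; the claim key pairs only with the claim certificate, which is why presenting the new certificate with the claim key fails the TLS handshake.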

Hi,
I managed to get the CSR demo application in the SDK to build on my Linux machine.
Now I am trying to port it to a Cypress MCU which is RTOS based. I see POSIX-based dependencies to be managed, and pthread- and mutex-related errors. How do I manage this on my non-AWS FreeRTOS? I am using plain FreeRTOS which has nothing related to AWS yet.

Is there any other, simpler way to port mbedtls, pkcs11, tinycbor and fleet provisioning to my FreeRTOS-based Cypress MCU?