Commit 9dd65f02 authored by Vladimir Kiryakov

Added AWS JITP configuration guide

parent 33684470
AWS JITP Configuration
======================

To create Things automatically, `Just-in-Time Provisioning <https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/>`__ must be configured.

- Create the verification certificate. Its CSR subject must carry the registration code of your account as the CN, so that AWS can prove you control the CA key.

  .. code:: bash

      # get the REGISTRATION CODE for this account/region
      aws iot get-registration-code

      # create the device CA (ECC P-256) that will sign device certificates
      openssl ecparam -genkey -name prime256v1 -out CACertificate_ECC.key
      openssl req -x509 -new -nodes -key CACertificate_ECC.key -sha256 -days 3650 -out CACertificate_ECC.crt

      # create the verification key and CSR; replace REGISTRATION CODE with the value printed above
      openssl ecparam -genkey -name prime256v1 -out VerificationKeys.key
      openssl req -new -key VerificationKeys.key -subj "/CN=REGISTRATION CODE" -out VerificationCSR.pem

      # sign the verification CSR with the device CA
      openssl x509 -req -in VerificationCSR.pem -CA CACertificate_ECC.crt -CAkey CACertificate_ECC.key -CAcreateserial -out Verificationcertificate.crt -days 3650 -sha256

- Register and activate the CA certificate, attach the provisioning template and enable auto-registration.

  .. code:: bash

      # register the CA together with the verification certificate; note the returned certificate id
      aws iot register-ca-certificate --ca-certificate file://CACertificate_ECC.crt --verification-cert file://Verificationcertificate.crt
      aws iot describe-ca-certificate --certificate-id <cert id>

      # activate the CA, attach the JITP template and enable auto-registration of device certificates
      aws iot update-ca-certificate --certificate-id <cert id> --new-status ACTIVE
      aws iot update-ca-certificate --certificate-id <cert id> --registration-config file://registration_config.json
      aws iot update-ca-certificate --certificate-id <cert id> --new-auto-registration-status ENABLE

  See the `JITP template <https://docs.aws.amazon.com/iot/latest/developerguide/jit-provisioning.html/>`__ documentation for the contents of ``registration_config.json``.

Create IoT device credentials for JITP
======================================

.. code:: bash

    # device key and CSR; the CN becomes the Thing name when the template references it
    openssl ecparam -genkey -name prime256v1 -out deviceKey.key
    openssl req -new -key deviceKey.key -out deviceCsr.csr -subj "/CN=<DEVICE_NAME>"

    # sign the device CSR with the registered device CA
    openssl x509 -req -days 3650 -in deviceCsr.csr -CAcreateserial -CA CACertificate_ECC.crt -CAkey CACertificate_ECC.key -out deviceCert.crt

    # the device must present its certificate together with the CA certificate
    cat deviceCert.crt CACertificate_ECC.crt > CAandIoTcert.pem

- Store the private key in the A71CH and retrieve the reference key. The reference key holds the information the OpenSSL engine needs to locate the key inside the HSM, so the plain private key never has to leave the secure element.

  .. code:: bash

      ./a71chConfig_i2c_imx debug reset
      ./a71chConfig_i2c_imx set pair -x 0 -k deviceKey.key
      ./a71chConfig_i2c_imx info pair
      ./a71chConfig_i2c_imx refpem -c 10 -x 0 -r deviceRefKey.ref_key

- Verify the SSL connection.

  .. code:: bash

      export JRCP_HOSTNAME=<host>
      export JRCP_PORT=<port>
      export OPENSSL_CONF=<path>
      openssl s_client -connect <custom_endpoint>.iot.<region>.amazonaws.com:8443 -CAfile rootCA.pem -cert CAandIoTcert.pem -key deviceRefKey.ref_key

- Publish a message over MQTT and check that a new Thing with the certificate has been registered.
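The guide refers to ``registration_config.json`` without showing it. The following script is an added example, not part of the original guide, that assembles that file from a readable provisioning template; the role ARN, account id and topic prefix are placeholders you must adapt. The template names the Thing after the certificate CN and attaches a policy scoped to that Thing, so a freshly provisioned device can only connect with its own client id and publish under its own topic prefix.

```shell
#!/bin/sh
# Constructed example: build registration_config.json for
# `aws iot update-ca-certificate --registration-config`.
# AWS expects templateBody as a JSON *string*, so the readable template
# below is escaped before being embedded.

# Provisioning template. The policy uses the iot:Connection.Thing.ThingName
# variable, so one policy serves every device without granting "*".
# Region/account wildcards in the ARNs are placeholders: pin them in production.
jitp_template() {
cat <<'EOF'
{
  "Parameters": {
    "AWS::IoT::Certificate::CommonName": {"Type": "String"},
    "AWS::IoT::Certificate::Id": {"Type": "String"}
  },
  "Resources": {
    "thing": {
      "Type": "AWS::IoT::Thing",
      "Properties": {"ThingName": {"Ref": "AWS::IoT::Certificate::CommonName"}}
    },
    "certificate": {
      "Type": "AWS::IoT::Certificate",
      "Properties": {"CertificateId": {"Ref": "AWS::IoT::Certificate::Id"}, "Status": "ACTIVE"}
    },
    "policy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {"PolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"iot:Connect\",\"Resource\":\"arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingName}\"},{\"Effect\":\"Allow\",\"Action\":\"iot:Publish\",\"Resource\":\"arn:aws:iot:*:*:topic/devices/${iot:Connection.Thing.ThingName}/*\"}]}"}
    }
  }
}
EOF
}

# Escape a JSON document so it can be embedded as a JSON string value:
# backslashes first, then double quotes, then drop the newlines.
json_escape() {
  sed 's/\\/\\\\/g; s/"/\\"/g' | tr -d '\n'
}

# Print the registration config for the given provisioning role ARN
# (the role needs permission to create Things, certificates and policies).
make_registration_config() {
  printf '{"roleArn":"%s","templateBody":"%s"}\n' "$1" "$(jitp_template | json_escape)"
}

# placeholder account id and role name
make_registration_config "arn:aws:iam::123456789012:role/JITPProvisioningRole"
```

Redirect the output to ``registration_config.json`` and pass it to the ``update-ca-certificate --registration-config`` step above.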