Overview - Gemalto M2M



Using CA Signed Certificates with AWS and Cinterion Modules

Overview

The application developer generates their own CA, registers it with AWS, and uses this CA to sign the client certificates for the Cinterion modules.

[Diagram: Client CA signing Client Cert 1 ... Client Cert n]

References
1)
2)
3) AWS IoT Feature "Just In Time Certificate Registration" ()

Generate CA Certificate and CA Private Key:

    # create self-signed root CA with new key
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 -keyout myCA.key -out myCA.crt -subj "/C=DE/ST=Berlin/L=Berlin/O=Demo Organization Ltd./OU=Demo AE Department/CN=myCA admin/emailAddress=myCA@test."
    # convert the CA certificate to DER (the format loaded onto the module)
    openssl x509 -in myCA.crt -out myCA.der -outform DER

Generate Client Certificate and Client Private Key:

    # create clientEP with new key
    openssl req -new -nodes -newkey rsa:2048 -keyout clientEP.key -out clientEP.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=Demo Organization Ltd./OU=Demo AE Department/CN=clientEP admin/emailAddress=clientEP@test."
    # sign clientEP with clientCA
    openssl x509 -req -CAkey myCA.key -CA myCA.crt -days 3650 -in clientEP.csr -out clientEP.crt -set_serial 25 -extfile f

Register CA Cert with AWS:

To use your own X.509 certificates, you must register a CA certificate with AWS IoT. You must prove you own the private key associated with the CA certificate by creating a private key verification certificate. The CA certificate can then be used to sign device certificates. You can register up to 10 CA certificates with the same subject field and public key per AWS account. This allows you to have more than one CA sign your device certificates.

(The files rootCA.pem and rootCA.key named in the AWS console steps below correspond to myCA.crt and myCA.key generated above.)

Step 1: Generate a key pair for the private key verification certificate

    openssl genrsa -out verificationCert.key 2048

Step 2: Copy this registration code

    2d1c8af7e0b8b42a8141c82d59878a21882f02a9b6cacb70d5150ff3a52332bb

Step 3: Create a CSR with this registration code

    openssl req -new -key verificationCert.key -out verificationCert.csr

Put the registration code in the Common Name field:

    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []: 2d1c8af7e0b8b42a8141c82d59878a21882f02a9b6cacb70d5150ff3a52332bb
    Email Address []:

Step 4: Use the CSR that was signed with the CA private key to create a private key verification certificate

    openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256

Step 5: Upload the CA certificate (rootCA.pem)

Step 6: Upload the verification certificate (verificationCert.crt)

Install the Client Certificates and CA Certificate on the Cinterion Module

    # create jseccmd: DelAllCertificates
    java -jar jseccmd.jar -cmd DelAllHttpsCertificatesUntrusted > DelAllHttpsCertificatesUntrusted.txt
    # create jseccmd: HttpsVerifyOnUntrusted
    java -jar jseccmd.jar -cmd HttpsVerifyOnUntrusted > HttpsVerifyOnUntrusted.txt
    # create jseccmd: AddHttpsCertificateUntrusted
    java -jar jseccmd.jar -cmd AddHttpsCertificateUntrusted -filename ./myCA.der > AddHttpsCertificateUntrusted.bin
    # create jseccmd: AddHttpsClientCertificateUntrusted
    java -jar jseccmd.jar -cmd AddHttpsClientCertificateUntrusted -filename ./clientEP.crt -keyfilename ./clientEP.key > AddHttpsClientCertificateUntrusted.bin

Install "AddHttpsCertificateUntrusted.bin" and "AddHttpsClientCertificateUntrusted.bin" on the module using the AT^SJMSEC command.

Sample certificates were generated and tested with AWS and the Cinterion module EHS6.

EHS6 Concept Board Information:

    ati1
    Cinterion
    EHS6
    REVISION 03.001
    A-REVISION 00.000.51
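The certificate generation and CA registration steps above, carried through end to end as an added shell example (this is not the page's own script, nor Gemalto's or AWS's code): it builds the CA, signs the client certificate, builds the private key verification certificate with the registration code in the CN, and then checks what a practitioner would want checked before loading anything onto a module or uploading it to AWS: that the client certificate chains to the CA, that the client key actually belongs to the client certificate, and that the verification certificate's CN carries the code. The subject names, file names, the contents of the extension file and REG_CODE are assumptions; the page's truncated -extfile argument is replaced by an extension file written inline, and the real registration code must be taken from the AWS console.

```shell
#!/bin/sh
# Added example, not from the original page: builds a demo CA, signs a client
# certificate with it, creates an AWS-style private key verification certificate
# whose CN carries a registration code, and then checks each artefact.
# All subject names, file names and REG_CODE are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
cd "$WORKDIR"

# Constructed placeholder: AWS IoT displays the real registration code in the console.
REG_CODE="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Self-signed CA (same shape as the page's myCA commands), plus a DER copy for the module.
make_ca() {
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -keyout myCA.key -out myCA.crt \
    -subj "/C=DE/ST=Berlin/O=Demo Organization Ltd./CN=myCA admin" 2>/dev/null
  openssl x509 -in myCA.crt -out myCA.der -outform DER
}

# Client key + CSR, signed by the CA. The page's -extfile argument is truncated, so
# this version writes its own extension file marking the cert as a leaf for client auth.
make_client() {
  openssl req -new -nodes -newkey rsa:2048 \
    -keyout clientEP.key -out clientEP.csr \
    -subj "/C=DE/ST=Berlin/O=Demo Organization Ltd./CN=clientEP admin" 2>/dev/null
  printf '%s\n' 'basicConstraints=CA:FALSE' \
                'keyUsage=digitalSignature,keyEncipherment' \
                'extendedKeyUsage=clientAuth' > clientEP.ext
  openssl x509 -req -CA myCA.crt -CAkey myCA.key -days 3650 -set_serial 25 \
    -in clientEP.csr -out clientEP.crt -extfile clientEP.ext 2>/dev/null
}

# Private key verification certificate: the registration code goes into the CN,
# and the CSR is signed with the CA key to prove possession of that key.
make_verification_cert() {
  openssl genrsa -out verificationCert.key 2048 2>/dev/null
  openssl req -new -key verificationCert.key -out verificationCert.csr \
    -subj "/CN=$REG_CODE"
  openssl x509 -req -in verificationCert.csr -CA myCA.crt -CAkey myCA.key \
    -CAcreateserial -out verificationCert.crt -days 500 -sha256 2>/dev/null
}

# Check 1: the client certificate chains to the CA. Prints "clientEP.crt: OK".
verify_client() {
  openssl verify -CAfile myCA.crt clientEP.crt
}

# Check 2: the client key really belongs to the client certificate
# (compare SHA-256 of the public key taken from each side).
key_matches_cert() {
  cert_pub=$(openssl x509 -in clientEP.crt -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in clientEP.key -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 3: the CN of the verification certificate equals the registration code.
verification_cn() {
  openssl x509 -in verificationCert.crt -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

make_ca
make_client
make_verification_cert
verify_client
key_matches_cert && echo "clientEP.key matches clientEP.crt"
echo "verification CN: $(verification_cn)"
```

The three checks are cheap and catch the usual mistakes in this workflow: signing with the wrong CA file, pairing a certificate with a stale key, or mistyping the registration code so that AWS rejects the verification certificate. Run the script in an empty directory; the resulting myCA.der, clientEP.crt and clientEP.key are the inputs the jseccmd steps above expect.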
