awsiot

This is a basic pub/sub application to test the AWS IoT Core services.

Registering a device in the registry

Once you have access to the AWS IoT Console, you have to register your devices in order to enable communication between them and AWS IoT Core.

To register your device, in the IoT Console, do:

  1. Click "Manage" in the left column and select "Things";
  2. Click "Register a thing" on the page that appears;
  3. Click "Create a single thing" (if you need to create many things, click "Create many things");
  4. Type the device name in the "Name" field;
  5. Optionally, create a device type and apply it to this thing (device) in the "Thing Type" field;
  6. Optionally, create a group and add this thing (device) to it in the "Thing Group" field;
  7. Click "Next" to add your thing (device) to the registry.

Creating and activating a device certificate

All devices must be identified to the AWS IoT Core service through X.509 certificates. This is what allows the device and the service to establish an authenticated, encrypted connection.

You can use a certificate generated by AWS IoT, or you can use your own certificate. For an AWS-generated certificate, follow these steps:

  1. On the "Create a certificate" page, choose "Create a certificate";
  2. Download the certificate, the private key and the root CA for AWS IoT;
  3. Click "Activate";
  4. Go back to the main AWS IoT console page.

If you want to use your own certificate, such as a self-signed certificate (described below), click "Get started" in the "Use my certificate" row instead of clicking "Create certificate". After clicking "Get started", do:

  1. To create a CA certificate, do:

    openssl genrsa -out rootCA.key 2048
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.pem

  2. In the "Select a CA" page, click the "Register CA" button;

  3. You will see the next steps in order to generate a self-signed verification certificate:

    3.1. Generate an RSA private key with the following command:

    openssl genrsa -out verificationCert.key 2048

    3.2. Copy the registration code shown in "Step 2" on the page;

    3.3. Create a Certificate Signing Request (CSR) with the copied registration code as the "Common Name" (type the code itself, without quotes):

    openssl req -new -key verificationCert.key -out verificationCert.csr

    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []: "Registration Code Here!"
    Email Address []:

    3.4. Create a verification certificate using the CSR and the CA private key:

    openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 365 -sha256

  4. Upload your CA certificate (rootCA.pem) using the "Select CA certificate" button;

  5. Upload your verification certificate (verificationCert.crt) using the "Select verification certificate" button;

  6. Tick the "Activate CA certificate" checkbox;

  7. Click the "Register CA certificate" button;

  8. The registered CA certificate now appears in a list. Select it and click "Next";

  9. Click on "Select certificates" and choose your certificate file to upload (deviceCert.pem, generated as described below). To create your device certificate, use the following commands:

    openssl genrsa -out deviceCert.key 2048
    openssl req -new -key deviceCert.key -out deviceCert.csr
    openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256

  10. In the "Existing certificates" list, choose the uploaded certificate and click "Next";

  11. Create a policy with the following permissions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "iot:*",
          "Resource": "*"
        }
      ]
    }

  This policy allows every IoT action on every resource, which is acceptable only for this test application; for a real device, restrict "Action" to the operations it needs (iot:Connect, iot:Publish, iot:Subscribe, iot:Receive) and "Resource" to its own client ID and topics.

  12. Select this policy and click the "Register Thing" button.
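As an added example (not code from the awsiot repository), the POSIX shell functions below build the same CA, verification certificate and device certificate non-interactively with -subj, and then apply the two checks the console applies on upload: the verification certificate's Common Name must equal the registration code, and the device certificate must chain to the registered CA. It assumes openssl is on PATH; the registration code and the device CN are constructed placeholders.

```shell
# Added example: reproduces the CA -> verification cert -> device cert chain
# from the steps above and checks it before anything is uploaded.
# Assumes openssl on PATH. $2 of make_chain is the registration code shown on
# the "Register CA" page (a constructed placeholder is used in the usage below).
set -eu

# Build rootCA, verificationCert (CN = registration code) and deviceCert in $1.
make_chain() {
    dir=$1; code=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 365 \
        -subj "/CN=awsiot test CA" -out "$dir/rootCA.pem"
    openssl genrsa -out "$dir/verificationCert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/verificationCert.key" -subj "/CN=$code" \
        -out "$dir/verificationCert.csr"
    openssl x509 -req -in "$dir/verificationCert.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 365 -sha256 \
        -out "$dir/verificationCert.crt" 2>/dev/null
    openssl genrsa -out "$dir/deviceCert.key" 2048 2>/dev/null
    openssl req -new -key "$dir/deviceCert.key" -subj "/CN=device-0001" \
        -out "$dir/deviceCert.csr"
    openssl x509 -req -in "$dir/deviceCert.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 500 -sha256 \
        -out "$dir/deviceCert.pem" 2>/dev/null
}

# Print a certificate's Common Name; AWS compares the verification
# certificate's CN with the registration code it issued for your account.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if certificate $2 chains to the CA file $1
# (the same check AWS makes when the device certificate is uploaded).
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeed only if certificate $1 is still valid $2 seconds from now.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}
```

Source the file, run `make_chain ./out <registration-code>`, and `cert_cn ./out/verificationCert.crt` should print exactly the code you pasted from the console.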

Once your thing (device) is registered and associated with a certificate and policy, you also have to get the VeriSign server root CA, so that the device can authenticate the AWS IoT endpoint it connects to:

curl https://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Certification-Authority-G5.pem > iotRootCA.pem

AWS IoT endpoints have since moved to certificates issued under Amazon Trust Services roots; if the VeriSign download above is no longer available, fetch Amazon Root CA 1 from https://www.amazontrust.com/repository/AmazonRootCA1.pem instead and point the client at that file.