Tags: amazon-web-services, openssl, certificate, iot, aws-iot

The CA certificate does not have the basicConstraints extension as true


I am following this AWS guide on creating self-signed certificates. But after creating my CA, when I try to upload it to AWS IoT, I get this error:

Command:

aws iot register-ca-certificate --ca-certificate file://CA_cert.pem --verification-cert file://verificationCert.crt

Error:

An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true


Solution

  • I have also used AWS IoT and suffered the same error, and I found the solution.

    Reason for the error

    The error occurs because the basicConstraints extension in the CA certificate, which indicates that the certificate is a CA and so is able to sign other public keys to generate client certificates, is not set to TRUE.

    Note that a client X's certificate contains X's public key signed by the CA's private key. Other clients, for example Y, can verify X's public key using the CA's public key.

    I think you had the error when you tried to generate the CA certificate. The error message indicates that the CA's certificate is not allowed to sign other client public keys.

    Below is how I did it.

    Solution

    I assume that you have already generated the CA's key, rootCA.key.

    We need an openssl config file, say rootCA_openssl.conf. Note that you can modify the values.

    [ req ]
    distinguished_name       = req_distinguished_name
    # x509_extensions is the key "openssl req" reads for -x509 (the original
    # "extensions" key is not recognised by req); req_extensions puts the same
    # section into the CSR. The x509 command below selects it explicitly anyway.
    x509_extensions          = v3_ca
    req_extensions           = v3_ca

    [ v3_ca ]
    # This is the extension AWS IoT checks for: the certificate must be a CA.
    basicConstraints         = CA:TRUE

    [ req_distinguished_name ]
    countryName              = Country Name (2 letter code)
    countryName_default      = KR
    countryName_min          = 2
    countryName_max          = 2
    organizationName         = Organization Name (eg, company)
    organizationName_default = Deeply Inc.


    Then generate the CA's certificate using the config file, rootCA_openssl.conf.

    # CSR for the CA itself (-config pulls in the v3_ca section via req_extensions)
    openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr -config rootCA_openssl.conf
    # Self-sign it; -extfile/-extensions copy basicConstraints = CA:TRUE into the certificate
    openssl x509 -req -days 3650 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem


    Now we have the CA's certificate, rootCA.pem. Then you can follow the instructions in the AWS IoT documentation. For example:

    # Get the registration code for the use below: 
    # $ aws iot get-registration-code 
    
    openssl genrsa -out verificationCert.key 2048
    
    openssl req -new -key verificationCert.key -out verificationCert.csr
    # Put the registration code in the Common Name field
    
    openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256
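The check AWS IoT performs on rootCA.pem can be reproduced locally before calling register-ca-certificate. The script below is an added example, not code from the answer or from AWS: it walks the certificate's DER with the standard library only (no openssl needed on the box), finds the basicConstraints extension (OID 2.5.29.19) and reports whether cA is TRUE; sample_tbs builds constructed stand-in DER structures so the logic can be exercised without a real certificate.

```python
import base64
import re
import sys
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content octets of OID 2.5.29.19


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of rootCA.pem and base64-decode the certificate body."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))


def iter_tlvs(buf: bytes):
    """Yield (tag, value) for each definite-length DER element with a one-byte tag."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length


def ca_flag(der: bytes):
    """True/False for cA, None if basicConstraints is absent. Extensions live in
    TBSCertificate -> [3] EXPLICIT -> SEQUENCE OF Extension, so only 0x30/0xA3 are descended."""
    for tag, value in iter_tlvs(der):
        if tag not in (0x30, 0xA3):
            continue
        children = list(iter_tlvs(value))
        if children and children[0] == (0x06, BASIC_CONSTRAINTS_OID):
            # Last child is extnValue: OCTET STRING of SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
            inner = list(iter_tlvs(children[-1][1]))
            fields = list(iter_tlvs(inner[0][1])) if inner else []
            return bool(fields) and fields[0] == (0x01, b"\xff")
        nested = ca_flag(value)
        if nested is not None:
            return nested
    return None


def tlv(tag: int, val: bytes) -> bytes:  # short-form DER encoder for the samples
    return bytes([tag, len(val)]) + val


def sample_tbs(ca):
    """Constructed stand-in (only the [3] extensions slot): True -> CA:TRUE,
    False -> cA omitted (defaults to FALSE), None -> no basicConstraints at all."""
    if ca is None:
        return tlv(0x30, tlv(0x02, b"\x01"))
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x04, bc))
    return tlv(0x30, tlv(0xA3, tlv(0x30, ext)))


if __name__ == "__main__":  # usage: python check_ca.py rootCA.pem
    verdict = ca_flag(pem_to_der(open(sys.argv[1]).read()))
    print({True: "OK: CA:TRUE", False: "FAIL: CA:FALSE", None: "FAIL: basicConstraints missing"}[verdict])
```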