编辑：

Question

在 AWS IoT Core 中，我创建了一个事物，为此事物创建了一个政策，并创建了一个证书并将其附加到证书上。

之后，我下载了 .crt 和 .key 文件我验证的证书是否与以下命令匹配：

(openssl x509 -noout -modulus -in certificate.pem.crt | openssl md5 ; openssl rsa -noout -modulus -in private.pem.key | openssl md5) | uniq

并返回一个哈希值，表明它们匹配

(stdin)= 97c1a8816c35acbfgt04f325aeacae6

剩下的唯一一件事就是找到与我的事物证书签署的根CA 。

我找到了针对服务器证书here的AWS开发人员指南，并下载了 VeriSign Class 3公共主G5根CA证书，我将其重命名为 rootCA.pem < / strong>。

但是当我运行测试以使用以下命令验证CA时：

openssl s_client -connect <my ID>.iot.ap-southeast-2.amazonaws.com:8443 / -CAfile /etc/mosquitto/certs/rootCA.pem / -cert /etc/mosquitto/certs/certificate.pem.crt / -key /etc/mosquitto/certs/private.pem.key

我收到此回复，错误为无法获得本地发行者证书（请参见下文）

CONNECTED(00000003) depth=1 C = US, O = Symantec Corporation, OU = Symantec Trust Network, CN = Symantec Class 3 ECC 256 bit SSL CA - G2 verify error:num=20:unable to get local issuer certificate --- Certificate chain 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.ap-southeast-2.amazonaws.com i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 --- Server certificate -----BEGIN CERTIFICATE----- MIIDlTCCAzygAwIBAgIQGw ... ——END CERTIFICATE----- subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com, Inc./CN=*.iot.ap-southeast-2.amazonaws.com issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2 --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1 Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2398 bytes and written 1448 bytes Verification error: unable to get local issuer certificate --- New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384 Server public key is 256 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-ECDSA-AES256-GCM-SHA384 Session-ID: EB3B32C8 … Session-ID-ctx: Master-Key: 783A17EB6 … PSK identity: None PSK identity hint: None SRP username: None Start Time: 1587558792 Timeout : 7200 (sec) Verify return code: 20 (unable to get local issuer certificate) Extended master secret: yes ---

有人知道如何获取我的事物证书的根CA 吗？

谢谢

编辑：

感谢Ben T's的建议，我在孟买地区创建了一个新的事物。出乎意料的是，我现在可以看到一个选项，可以直接从“证书创建”屏幕中下载根证书（请参见下文）

使用新的证书/密钥再次运行openssl s_client -connect之后，我终于得到了verify return:1。

真棒

Answer 1

Verisign证书用于旧式端点。

您应将较新的证书用于Amazon Trust Services终端节点。例如https://www.amazontrust.com/repository/AmazonRootCA1.pem

的那个

请参见https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs

从2018年5月9日在亚太地区（孟买）地区推出AWS IoT Core以来，所有新的AWS IoT Core地区都仅提供ATS证书。

获取IoT核心事物的AWS根证书

编辑：

1 个答案: