Cinterion modules AWS certificate | Telit Cinterion IoT Developer Community
June 5, 2023 - 7:12pm, 383 views
Hello, good morning!
I have a question about the certification of the TX-62 modules for connecting to AWS MQTT. I was informed that the modules already have the certificate preloaded from the factory, but I couldn't get them to connect to AWS initially. I had to use the tools from DocId: exs62-w_exs82-w_tx62-w_tx62-w-b_tx82-w_an62_tls_v07 to write the server certificate and the client certificate.
I would like to understand better what is the correct way to write these certificates. Do the modules really come from the factory ready to use with AWS? Do I have to write the certificates using "cmd_ipCertMgr.jar"? What certificates are necessary to connect the TX-62 to AWS MQTT?
Thank you!
Hello,
The modules have a set of preconfigured certificates which includes the individual client certificate and a bunch of root CAs. You can read it with AT^SBNR="preconfig_cert".
To use these certs for internet services like MQTT you need to copy the necessary ones or all to "is_cert" storage.
With AT^SSECUA="CertStore/TLS/PreconfigureCerts" you can initialize the "is_cert" storage with all the preconfigured certificates, but only when "is_cert" is empty.
With AT^SSECUA="CertStore/TLS/PreconfigureCert",,<index> you can load the single certificate specified by <index>.
When the client and necessary root CA certificates are loaded to "is_cert" you can use them with MQTT, but it does not yet mean that you can connect to any AWS server. Your client certificate has to be provided to your AWS account. This part you need to do by yourself.
We also have a service - IoT Suite - that can make it easier. If you use this service and have the modules already provisioned to it, you then need to configure the connector to your AWS IoT Hub and then you can easily select the modules for automatic enrolment to your AWS cloud.
Best regards,
Bartłomiej
Hi Bartłomiej,
Thank you for the answer!
Another question, how can I "download" the client_cert that is factory registered in my module, to write this certificate in the AWS cloud?
I can read the preconfigCerts, and I know that the certificate index 0 is the client. But how can I download it to put on AWS?
^SBNR: 0, size: "2828", issuer: "/CN=Thales IoT ECC CA", serial number: "*************", subject: "/CN=BYD_L30960N6300A100_00001_9997f035-9cf8-4c80-b784-8aaf3f7a6c49_****", signature: "sha256ECDSA", thumbprint algorithm: "sha1", thumbprint: "D6F053BAB9DEE2*************xxx", expiry date: "2036,3,12"
^SBNR: 1, size: "941", issuer: "/C=GB/ST=Hampshire/L=Fareham/O=Multos Ltd/OU=Key Management Centre/CN=IoT.root.ecc.stepnexus.com/emailAddress=services@stepnexus.com", serial number: "100900", subject: "/C=GB/ST=Hampshire/L=Fareham/O=Multos Ltd/OU=Key Management Centre/CN=IoT.root.ecc.stepnexus.com/emailAddress=services@stepnexus.com", signature: "sha256ECDSA", thumbprint algorithm: "sha1", thumbprint: "F7A080BAFC86C6C31730CBFEC46B8D67B7C73511", expiry date: "2043,3,26"
^SBNR: 2, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: "", expiry date: ""
^SBNR: 3, size: "947", issuer: "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA", serial number: "083BE056904246B1A1756AC95991C74A", subject: "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436", expiry date: "2031,11,10"
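A listing in this format can be inventoried offline before deciding which slots to copy into "is_cert". This is an added example, not part of the original posts or of any Telit Cinterion tool; the sample lines are constructed, and the function names and the role rule (issuer equal to subject means a self-signed root CA) are assumptions of the example.

```python
import re
from datetime import date

# Constructed sample in the ^SBNR listing format shown above (all values made up).
SAMPLE = '''\
^SBNR: 0, size: "2828", issuer: "/CN=Example Device CA", serial number: "01AB", subject: "/CN=EXAMPLE_MODULE_0001", signature: "sha256ECDSA", thumbprint algorithm: "sha1", thumbprint: "00112233445566778899AABBCCDDEEFF00112233", expiry date: "2036,3,12"
^SBNR: 1, size: "941", issuer: "/C=XX/O=Example/CN=Example Root A", serial number: "100900", subject: "/C=XX/O=Example/CN=Example Root A", signature: "sha256ECDSA", thumbprint algorithm: "sha1", thumbprint: "FFEEDDCCBBAA99887766554433221100FFEEDDCC", expiry date: "2043,3,26"
^SBNR: 2, size: "0", issuer: "", serial number: "", subject: "", signature: "", thumbprint algorithm: "", thumbprint: "", expiry date: ""
^SBNR: 3, size: "947", issuer: "/C=XX/O=Example/CN=Example Root B", serial number: "0A0B", subject: "/C=XX/O=Example/CN=Example Root B", signature: "sha1RSA", thumbprint algorithm: "sha1", thumbprint: "0123456789ABCDEF0123456789ABCDEF01234567", expiry date: "2031,11,10"
'''

LINE = re.compile(r'^\^SBNR:\s*(\d+),\s*(.*)$')
FIELD = re.compile(r'([a-z][a-z ]*): "([^"]*)"')

def parse_sbnr(text):
    """Return one dict per certificate slot listed in an AT^SBNR response."""
    slots = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip command echo, OK and blank lines
        rec = dict(FIELD.findall(m.group(2)))
        rec["index"] = int(m.group(1))
        if rec.get("size", "0") == "0":
            rec["role"] = "empty"
        elif rec.get("issuer") == rec.get("subject"):
            rec["role"] = "root-ca"   # self-signed: trust anchor
        else:
            rec["role"] = "client"    # issued by another CA: device identity
        slots.append(rec)
    return slots

def expired(slots, today):
    """Indexes of non-empty slots whose expiry date is on or before `today`."""
    return [s["index"] for s in slots if s["role"] != "empty"
            and date(*map(int, s["expiry date"].split(","))) <= today]

def load_commands(slots, root_cn):
    """AT commands copying the client cert and the root CA matching root_cn."""
    picks = [s["index"] for s in slots if s["role"] == "client"
             or (s["role"] == "root-ca" and root_cn in s["subject"])]
    return [f'AT^SSECUA="CertStore/TLS/PreconfigureCert",,{i}' for i in picks]

if __name__ == "__main__":
    for s in parse_sbnr(SAMPLE):
        print(s["index"], s["role"], s.get("subject"), s.get("thumbprint"))
```
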
Hello!
As Bartek is out of office and will be back on Monday I quickly took over.
Just not to leave you hanging: to the best of my knowledge there's no way to download it.
I never encountered that any of our clients needed the factory client_cert to work with AWS.
Unfortunately I'm no expert in cloud and security certificates and Bartek is way more experienced on the topic. He will revise your issue in the following week once again and give you his opinion.
Regards,
Lukasz, Support Line
Hello,
Thank you Lukasz!
My doubt is, as Bartolomeu mentioned, I have to register my client certificate in my AWS account:
"Your client certificate has to be provided to your AWS account. This part you need to do by yourself."
How can I do that? I heard about the IoT Suite platform, but without using the platform, is there another way? I can read the client certificate using the command AT^SBNR="preconfig_cert",1, but how can I upload it to AWS?
And using the IoT Suite, how do I input the module information into it?
Thanks!
Hello,
To use IoT Suite you have to be a registered user. In general this is a paid service but there are also some free test options. But you would have to contact your Cinterion sales contact for details.
IoT Suite only ***** the module IMEI (you need to register your modules with IMEIs to be able to use them with IoT Suite). It already has access to the issued certificates database (certificates are dedicated to IMEIs) and can register your modules automatically.
Indeed you should not be able to copy the private key of your certificate from the module. But it is possible to read certificates (public keys).
I'm not an AWS expert but I believe that it should be possible to register the module by just providing the data that you can display with AT^SBNR="is_cert" like the thumbprint or serial number.
BR,
Bartłomiej