Creating self signed certificates for Raspberry Pi Pico with MQTT


I am trying to create my own CA cert and a certificate to use with AWS IoT. I have a Raspberry Pi pico w with a BME680 sensor and want to use MQTT to send the data to AWS Timestream. I managed to make the connection happen with AWS generated certificates, so the root CA from AWS and a generated certificate through the console.

Now I would want to use Terraform and register a self signed certificate and CA and use these ones to have my own security and authentication of my things. It works with the MQTTX client, but when run on my Pi I get an OSError -9984 'MBEDTLS_ERR_X509_CERT_VERIFY_FAILED'.

Has anyone tested and made that work with their own certificates?

Using

# CA: password-protected (AES-256) 2048-bit RSA key, then a self-signed CA certificate
openssl genrsa -aes256 -out ca.key 2048
openssl req -new -subj "/C=CA/O=iot/CN=ca.iot.com" -x509 -sha256 -days 365 -extensions v3_ca -nodes -key ca.key -out ca.crt

# Thing: encrypted key, an unencrypted copy for the Pico (mbedTLS cannot take a passphrase), and a CSR
openssl genrsa -aes256 -out thing1.key 2048
openssl rsa -in thing1.key -out thing1.key.pem
openssl req -new -nodes -subj "/C=CA/O=iot/CN=picow-bme680.iot.com" -key thing1.key -sha256 -out thing1.csr
# Sign the CSR with the CA to produce the client certificate
openssl x509 -req -days 365 -sha256 -in thing1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out thing1.crt

Trying to test connectivity with TLS with that MicroPython code

import ssl, socket, ubinascii


KEY_PATH = "certs/thing1.key.pem"   # unencrypted client key
CERT_PATH = "certs/thing1.crt"      # client certificate signed by my CA
#CA_PATH = "certs/AmazonRootCA1.pem"
CA_PATH = "certs/ca.crt"
HOST, PORT = "iot.amazonaws.com", 8883

def read_pem(file):
    # Strip the PEM armour (first and last lines) and base64-decode the body;
    # mbedTLS on the Pico wants the raw DER bytes.
    print(f"Reading : {file}")
    with open(file, "r") as input:
        text = input.read().strip()
        split_text = text.split("\n")
        base64_text = "".join(split_text[1:-1])
        return ubinascii.a2b_base64(base64_text)

key1 = read_pem(KEY_PATH)
cert1 = read_pem(CERT_PATH)
ca = read_pem(CA_PATH)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
addr = socket.getaddrinfo(HOST, PORT)[0][-1]
print(addr)
s.connect(addr)
print(s)
# key/cert: what the Pico presents to the broker (client authentication).
# cadata: the trust anchor the Pico uses to verify the broker's server certificate;
# CERT_REQUIRED makes that verification mandatory.
sock = ssl.wrap_socket(s, server_side=False, key=key1, cert=cert1, cert_reqs=ssl.CERT_REQUIRED, cadata=ca, server_hostname=HOST)
print(sock)
print("Finished")
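The post's read_pem() simply drops the first and last lines of the file and base64-decodes whatever is left. That works for a clean single-block PEM, but a file with "Bag Attributes" text, an encrypted key (Proc-Type: 4,ENCRYPTED headers), CRLF line endings or a second block (a chain) decodes to garbage DER, and mbedTLS then reports the same generic verify failure. The following is an added example, not code from the original post: a PEM-to-DER loader that validates the armour and the object type before handing bytes to ssl.wrap_socket(). It uses only str methods and binascii, which MicroPython also provides (as ubinascii), so the same code can run on the Pico; the PemError class and function names are this example's own.

```python
import binascii

# PEM labels that mean the key is still password-protected. mbedTLS on the
# Pico cannot take a passphrase, so such a file must be decrypted first
# (the post does this with `openssl rsa -in thing1.key -out thing1.key.pem`).
_ENCRYPTED_LABELS = ("ENCRYPTED PRIVATE KEY",)


class PemError(ValueError):
    """Raised when a PEM file is not what the caller expects."""


def _decode_body(label, lines):
    """Turn the lines between BEGIN/END into DER, rejecting encrypted bodies."""
    if label in _ENCRYPTED_LABELS:
        raise PemError("%s is password-protected; decrypt it before loading" % label)
    for line in lines:
        # RFC 1421 style header used by `openssl genrsa -aes256` output
        if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            raise PemError("%s is password-protected; decrypt it before loading" % label)
    # Keep only base64 lines: headers contain ':' and base64 never does.
    b64 = "".join(line for line in lines if line and ":" not in line)
    try:
        der = binascii.a2b_base64(b64)
    except Exception as exc:
        raise PemError("bad base64 in %s block: %s" % (label, exc))
    # Every X.509 certificate and PKCS#1/PKCS#8 key starts with a DER SEQUENCE tag.
    if not der or der[0] != 0x30:
        raise PemError("%s block does not decode to a DER SEQUENCE" % label)
    return der


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every armoured block in `text`.

    Text outside the armour (e.g. "Bag Attributes" from a PKCS#12 export) is
    ignored; CRLF line endings are tolerated.
    """
    blocks = []
    label, body = None, []
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:
                raise PemError("BEGIN inside unterminated %s block" % label)
            label, body = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            end_label = line[len("-----END "):-5]
            if label is None or end_label != label:
                raise PemError("END %s does not match BEGIN %s" % (end_label, label))
            blocks.append((label, _decode_body(label, body)))
            label = None
        elif label is not None:
            body.append(line)
    if label is not None:
        raise PemError("unterminated %s block" % label)
    if not blocks:
        raise PemError("no PEM block found")
    return blocks


def pem_to_der(text, expected_label):
    """Return the DER bytes of the single block labelled `expected_label`.

    expected_label is e.g. "CERTIFICATE", "PRIVATE KEY" or "RSA PRIVATE KEY".
    Passing a CA file where a key is expected, or a file holding a whole
    chain, is rejected instead of producing bytes mbedTLS cannot parse.
    """
    matching = [der for label, der in pem_blocks(text) if label == expected_label]
    if len(matching) != 1:
        raise PemError("expected exactly one %s block, found %d"
                       % (expected_label, len(matching)))
    return matching[0]


def load_pem_file(path, expected_label):
    """Drop-in for the post's read_pem(file), with the checks above."""
    with open(path, "r") as fh:
        return pem_to_der(fh.read(), expected_label)


if __name__ == "__main__":
    # Constructed sample: a PEM block whose body is the DER SEQUENCE 30 03 02 01 01.
    sample = "-----BEGIN CERTIFICATE-----\r\nMAMCAQE=\r\n-----END CERTIFICATE-----\r\n"
    print(pem_to_der(sample, "CERTIFICATE"))
```

On the Pico the three load_pem_file() calls replace read_pem(), with "RSA PRIVATE KEY" or "PRIVATE KEY" for the key (depending on which label `openssl rsa` wrote) and "CERTIFICATE" for both the client certificate and the CA file, so a mismatched or still-encrypted file fails with a readable message before the TLS handshake instead of inside it.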

There are 0 answers