Digitally signing a device public key with CA certificate


Problem description

I'm trying to register an IoT device with Google Cloud IoT Core, and I'm having issues signing the device public key with a CA certificate installed on Google Cloud (device registry).

Following are Google's requirements:

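  • CA and device certificates must be X.509v3, base64-encoded, and wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  • The CA certificate does not need to be self-signed (a "root CA"); the device certificate must be signed by a specific CA certificate at the registry level.
  • Device public keys that are not signed by a registry-level certificate will be rejected by Cloud IoT Core.
  • CA and device certificates must be in PEM format.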

After going through previous responses on StackOverflow and elsewhere, this is what I've tried so far (using default config file):

  1. openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout ca.key -out ca.crt -subj "/CN=unused"
  2. openssl req -nodes -newkey rsa:2048 -days 365 -keyout device.key -out device.csr -subj "/CN=unused"
  3. openssl x509 -req -days 365 -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device.crt

Option 2

  1. openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/CN=unused"
  2. openssl genrsa -out device.key 2048
  3. openssl req -new -days 365 -key device.key -out device.csr -subj "/CN=unused"
  4. openssl x509 -req -days 365 -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device.crt

The certificates get created just fine in both cases, but when I try to register the device with this certificate, I get an error stating that the device certificate could not be verified against the CA certificate.

What am I doing wrong while signing the device certificate? You can ignore Cloud IoT configuration as I've verified it works (without CA certificate).

Many thanks!

Recommended answer

Thanks for the responses. I do need the registry certificate to ensure fraudulent devices are not registered. After hours of trial and error, it eventually worked when I specified a valid subj instead of "/CN=unused". Unfortunately, Google documentation didn't state that this might be a problem. The signing procedure was correct though.
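
A local pre-check for the signing procedure in the question, as an added example that is not part of the original question or answer: it repeats the three signing steps with the subjects as parameters, then tests whether device.crt has a subject identical to its issuer (which is what "/CN=unused" on both certificates produces) and whether it chains to ca.crt. The function names, directory layout and subject names in the usage comment are constructed; `openssl verify` is a local check, not Cloud IoT Core's own validation.

```shell
#!/bin/sh
# Added example. Function names and directory layout are constructed.

# make_chain DIR CA_SUBJ DEVICE_SUBJ
# The same three steps as in the question, with the subjects as parameters.
make_chain() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "$2" 2>/dev/null &&
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$1/device.key" -out "$1/device.csr" -subj "$3" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/device.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/device.crt" 2>/dev/null
}

# is_self_issued CERT
# Exit 0 when the certificate's subject DN equals its issuer DN.
is_self_issued() {
    subj=$(openssl x509 -noout -subject -in "$1") || return 2
    iss=$(openssl x509 -noout -issuer -in "$1") || return 2
    # Drop the "subject=" / "issuer=" label and compare the names.
    [ "${subj#*=}" = "${iss#*=}" ]
}

# precheck DIR
# Local checks to run on DIR/device.crt before uploading it.
precheck() {
    # A leaf whose subject equals its issuer can be taken for a
    # self-signed certificate by some path builders.
    if is_self_issued "$1/device.crt"; then
        echo "device.crt: subject equals issuer"
        return 1
    fi
    if ! openssl verify -CAfile "$1/ca.crt" "$1/device.crt" >/dev/null 2>&1; then
        echo "device.crt: does not chain to ca.crt"
        return 1
    fi
    echo "device.crt: OK"
}

# Usage (constructed subject names):
#   dir=$(mktemp -d)
#   make_chain "$dir" "/CN=Example Registry CA" "/CN=example-device-001"
#   precheck "$dir"
```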
