@ejdoh1
Created May 2, 2019 01:17
Using your own CA with AWS IoT (web console method)
#From https://docs.aws.amazon.com/iot/latest/developerguide/device-certs-your-own.html
## Create a CA
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
## Register your CA with AWS IoT
### Get your registration code from: AWS Web Console > AWS IoT Core > Secure > CAs > Register > Register CA
openssl genrsa -out verificationCert.key 2048
### For Common Name, enter your registration code (AWS IoT checks only the CN of this cert; the other prompts can be left blank)
openssl req -new -key verificationCert.key -out verificationCert.csr
openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256
### on the 'Register CA' page, click 'Select CA certificate' and upload your rootCA.pem file
### on the 'Register CA' page, click 'Select verification certificate' and upload your verificationCert.pem file
### check the 'Activate CA certificate' box and select 'Register CA certificate'
## Create a device cert
openssl genrsa -out deviceCert.key 2048
openssl req -new -key deviceCert.key -out deviceCert.csr
openssl x509 -req -in deviceCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out deviceCert.pem -days 500 -sha256
## Upload your device cert to AWS IoT
### Browse to AWS Web Console > AWS IoT Core > Secure > Certificates
### Select Create > Use my certificate > select your CA > Register certificates > select certificates and upload deviceCert.pem
## Attach your cert to a Thing and Policy
### Create a Thing without a cert & create a policy
### Browse to AWS Web Console > AWS IoT Core > Secure > Certificates
### Select the cert you just created (refresh and it should be the first one)
### Attach the cert to your Thing and policy
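The same openssl steps as above, as an added example that is not part of the original gist: each `req` is run non-interactively with `-subj`, and before anything is uploaded the script checks that both leaf certs chain to `rootCA.pem`, that `deviceCert.key` really belongs to `deviceCert.pem`, and that the verification cert's CN equals the registration code. The registration code is whatever the AWS IoT console shows on the 'Register CA' page; the function and file names (`build_chain`, `make_chain.sh`, the "Example Device CA" subject, the `device-01` default) are this example's own choices.

```sh
#!/bin/sh
# Added example (not part of the original gist): the gist's openssl steps run
# non-interactively via -subj, plus the checks a practitioner runs before
# uploading anything to AWS IoT. The registration code is whatever the AWS
# console shows you; any value used in a usage call here is constructed.
set -eu

# Step 1: CA key and self-signed CA certificate, written into directory $1.
make_ca() {
    openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$1/rootCA.key" -sha256 -days 1024 \
        -subj "/CN=Example Device CA" -out "$1/rootCA.pem"
}

# Sign a CSR with the CA in $1; $2 = CSR path, $3 = output cert path.
sign_with_ca() {
    openssl x509 -req -in "$2" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
        -CAcreateserial -days 500 -sha256 -out "$3" 2>/dev/null
}

# Step 2: verification certificate. AWS IoT proves you hold the CA key by
# checking that this cert's CN equals the registration code ($2).
make_verification_cert() {
    openssl genrsa -out "$1/verificationCert.key" 2048 2>/dev/null
    openssl req -new -key "$1/verificationCert.key" -subj "/CN=$2" \
        -out "$1/verificationCert.csr"
    sign_with_ca "$1" "$1/verificationCert.csr" "$1/verificationCert.pem"
}

# Step 3: device certificate with the device name ($2) as CN.
make_device_cert() {
    openssl genrsa -out "$1/deviceCert.key" 2048 2>/dev/null
    openssl req -new -key "$1/deviceCert.key" -subj "/CN=$2" \
        -out "$1/deviceCert.csr"
    sign_with_ca "$1" "$1/deviceCert.csr" "$1/deviceCert.pem"
}

# Print the CN of certificate $1 (handles both old and new openssl subject
# formats: "subject= /CN=x" and "subject=CN = x").
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Checks: each leaf chains to rootCA.pem, the device key matches the device
# cert, and the verification cert carries the expected registration code ($2).
verify_chain() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/verificationCert.pem" >/dev/null
    openssl verify -CAfile "$1/rootCA.pem" "$1/deviceCert.pem" >/dev/null
    [ "$(openssl x509 -in "$1/deviceCert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/deviceCert.key" -pubout)" ]
    [ "$(cert_cn "$1/verificationCert.pem")" = "$2" ]
}

# Build everything: $1 = output dir, $2 = registration code, $3 = device name.
build_chain() {
    make_ca "$1"
    make_verification_cert "$1" "$2"
    make_device_cert "$1" "$3"
    verify_chain "$1" "$2"
}

# Usage: sh make_chain.sh <output dir> <registration code> [device name]
if [ "$#" -ge 2 ]; then
    build_chain "$1" "$2" "${3:-device-01}"
    echo "built and verified: $1/rootCA.pem, verificationCert.pem, deviceCert.pem"
fi
```

Run it as `sh make_chain.sh ./out <registration code from the console> my-thing`; `out/rootCA.pem` and `out/verificationCert.pem` are the two files the 'Register CA' page asks for, and `out/deviceCert.pem` is what goes under Certificates > Create > Use my certificate. The key-matching and CN checks catch the two mistakes that otherwise only surface as an opaque registration failure in the console.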
# Testing
## Download https://mqttfx.jensd.de/
## In MQTT.fx, select settings > + (lower left) to create a new profile
## Enter the details for broker addr, port (8883) and select SSL/TLS
## Select enable SSL/TLS
## Select the 'Self signed certificates' option
## For CA File, use AmazonRootCA1.pem from https://www.amazontrust.com/repository/AmazonRootCA1.pem
## For Client cert, use deviceCert.pem
## For Client key, use deviceCert.key
## Select 'PEM Formatted' and select Apply > OK
## Hit Connect