Connecting ESP32 with AWS IoT Core using MQTT

[nickthiru]

Hello,

I am trying to connect an ESP32 with AWS IoT Core.

It is my understanding that to connect successfully with AWS IoT Core and, specifically, to the MQTT Broker, I will need to use an MQTT client, a secure communication using TLS 1.2, and provision for (e.g. via AWS IoT Core Console) and use a X.509 root CA certificate, a device certificate, and a private key, all with the necessary AWS IoT policies set. My doubts revolve around where and how to set the two certificates and private key.

Based on the information presented in chapter 3 (Networking) of the "IoT Development for ESP32 and ESP8266 with JavaScript" book, I believe that the root CA certificate needs to be linked by adding it to the resources property in the manifest.json string.

With regards to the device certificate, would that be considered a private certificate? If so, do I follow the instructions in the "Private Certificates" section of the same chapter? Meaning, 1) I should add the device certificate to the resources property of the manifest.json string, 2) create a Resource object in the main program, passing the name of the resource file to the Resource constructor, and 3) setting the secure property on the connection object that is passed to the MQTT constructor.

Finally, do I add the private key in the same manner as the device certificate (as assumed above)? If so, how would I specify the private key resource in the secure property object of the connection object that is passed to the MQTT constructor? In the book's example, only one certificate is attached:

Thank you for you kind assistance.

[phoddie]

It is has been a little while since I've brought-up an AWS client. The configuration is complex because you need both the AWS site certificate and the client certificate pieces. Here's an example of making a secure MQTT connection to AWS with a device key & certificate.

new MQTT({
	host,
	id,
	port: 8883,
	Socket: SecureSocket,
	secure: {
		cache: false,
		protocolVersion: 0x303,
		certificate: new Resource("AmazonRootCA1.der"),
		clientKey: new Resource("device.key.der"),
		clientCertificates: [new Resource("device.crt.a.der"), new Resource("device.crt.b.der")],
		verify: true,
		trace: true
	},
});

Note: This example shows two client certificates for completeness. However, in most situations you will have one.

Note: all the certificates and keys need ot be in DER format. If you have them in PEM format, they need to be converted to DER. That can be done with openssl. (The Moddable SDK contains a function to convert PEM to DER but an off-line conversion is preferred whenever possible).

[nickthiru]

Noted. Thanks.

[phoddie]

I took a little time today to update the SecureSocket documentation:

• New section on secure MQTT connections. That includes the applicationLayerProtocolNegotiation property which I seem to remember is sometimes required for AWS IoT.
• Added the clientCertificates and clientKey properties to the constructor dictionary table
• Added section on converting PEM to DER

Even if you don't need this information now, it is good to finally have it written down for others in the future.

[nickthiru]

Awesome! Thank you; greatly appreciated.

I will doing additional research on this very soon, but I just wanted to get your thoughts/approach on the best way to store the certificates and, especially, the private key, in a production environment. A lot of the examples out there, especially in the courses I have been taking, have the certificates and private key in plain text, in the main program. I think I read that the certificates and private key need to be in the same directory as the "manifest.json" file (is this necessary, or can I specify the relative path when calling the Resource constructor?), but should they be stored in some sort of encrypted format? If so, may I know how something like that would work (any resources you can point me to for research would be very welcome :-))?

[phoddie]

Good question. There are options depending on the requirements. It is kind of a different topic. Would you mind opening a new discussion for that to help keep thing organized here?

[nickthiru]

Good idea. Will do, thank you.