Just-in-Time Registration with AWS IoT core

Just-in-Time Registration (JITR) can be used to activate device certificates and attach policies to the certificates immediately after the device is auto-registered. This allows device certificates generated by a certificate authority (CA) other than AWS to automatically register the device certificate once registered allowing customer devices to autoregister and attain the required permissions and policies on first use of the IoT device with the device certificate.

Due to JITR, When you connect to AWS IoT with the device certificate for the first time. It will detect the unknown certificate signed by a registered CA and will auto-register the certificate.

Below is the Flow as to how JITR Works

1. Connect to IoT
2. Register CA Certificate with AWS IoT (Certificate Status at this stage: PENDING_ACTIVATE)
3. Enable auto-registration of certificates.
4. Sign the device certificate with the registered CA Certificate
5. Send MQTT Event
6. Set up a Rule on MQTT to trigger a lambda function to attach policies, create and attach thing & activate the certificate
7. Connect to AWS IoT using the device certificate.

In order to enable JITR & enable auto-registration with a sample certificate,

1.Register your CA Certificate

openssl genrsa -out sampleCACertificate.key 2048
openssl req -x509 -new -nodes -key sampleCACertificate.key -sha256 -days 365 -out sampleCACertificate.pem

2. Get AWS IoT Registration code

aws iot get-registration-code

3. Create a private verification CSR

openssl genrsa -out privateKeyVerification.key 2048
openssl req -new -key privateKeyVerification.key -out privateKeyVerification.csr

Enter the registration code acquired from the previous step in the Common Name field

Common Name (e.g. server FQDN or YOUR name) []: REGISTRATIONCODEFROMSTEP2

For Mac users in case of errors replace the system OpenSSL by upgrading OpenSSL using the below commands

brew install openssl
brew upgrade openssl@1.1
brew link --force openssl

4. Use the sample certificate and the verification CSR to create a new certificate that includes the registration code

openssl x509 -req -in privateKeyVerification.csr -CA sampleCACertificate.pem -CAkey sampleCACertificate.key -CAcreateserial -out privateKeyVerification.crt -days 365 -sha256

5. Use the sample CA certificate with the verification certificate to register the CA Certificate to AWS IoT using AWS CLI

aws iot register-ca-certificate --ca-certificate file://sampleCACertificate.pem --verification-certificate file://privateKeyVerification.crt

New certificates are registered with ‘INACTIVE’ state which can be verified using

aws iot describe-ca-certificate --certificate-id <certificateId>

6. To update the status to Active

aws iot update-ca-certificate --certificate-id <certificateId> --new-status ACTIVE

On updating the CA certificate status the CA can be viewed in the AWS IoT console

7. By default, Auto Registration is disabled to enable it & to allow JITR

aws iot update-ca-certificate --certificate-id <caCertificateId> --new-auto-registration-status ENABLE

On enabling auto-registration, it can be toggled in the AWS console or the above command can be used to disable the status

Using the above created CA certificate we can sign a device certificate to allow auto-registration for IoT devices using MQTT Events Rule with a lambda function to assign the required policies to the device certificate.

When AWS IoT auto-registers a certificate or when a certificate in PENDING_ACTIVATION status connects, it publishes a message to the following MQTT topic:

$aws/events/certificates/registered/<caCertificateID>

8. Create a Lambda Function 

• Set the Runtime as NodeJs with the following code
• Edit the code with the region you will be running the example
• Update the Lambda Function’s Role Policy Document to

• {  
     "Version":"2012-10-17",
     "Statement":[  
        {  
           "Effect":"Allow",
           "Action":[  
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
           ],
           "Resource":"arn:aws:logs:*:*:*"
        },
        {  
           "Effect":"Allow",
           "Action":[  
              "iot:UpdateCertificate",
              "iot:CreatePolicy",
              "iot:AttachPrincipalPolicy"
           ],
           "Resource":"*"
        }
     ]
  }

• select Allow & Create Function

9. Create a Lambda Rule

• In AWS IoT Console, Select Create a resource.
• Select Create a rule.
• Type a name and description for the rule.
• Enter the following settings for the rule:
  SQL version: 2016-03-23
  Attribute: *
  Topic filter: $aws/events/certificates/registered/<caCertificateID> Note: Replace <caCertificateId> with the ID of the registered CA certificate.
• For Choose an action, select Insert this message into a code function and execute it (AWS Lambda).
• From Function name, choose your AWS Lambda function name, and then choose Add action.
• Select Create to create your AWS Lambda function.

10. Create a sample Device certificate linked with the sampleCACertificate created earlier

openssl genrsa -out deviceCert.key 2048
openssl req -new -key deviceCert.key -out deviceCert.csr
openssl x509 -req -in deviceCert.csr -CA sampleCACertificate.pem -CAkey sampleCACertificate.key -CAcreateserial -out deviceCert.crt -days 365 -sha256

Create a certificate file that contains the device certificate and its registered CA certificate.

$ cat deviceCert.crt sampleCACertificate.pem > deviceCertAndCACert.crt

11.Install mosquito client to send MQTT messages using the above device certificate to connect to AWS IoT

Get AWS IoT Endpoint

aws iot describe-endpoint

Replace <endpoint> from the below command with the endpoint displayed

mosquitto_pub --cafile root.cert --cert deviceCertAndCACert.crt --key deviceCert.key -h <endpoint> -p 8883 -q 1 -t  foo/bar -i  anyclientID --tls-version tlsv1.2 -m "Hello" -d

You will see a TLS failure when you run the command because AWS IoT disconnects the connection after the registration of the device certificate. Now view the certificate in the AWS IoT Console

In order to Deactivate the certificate 

aws iot update-ca-certificate --certificate-id <certificateId> --new-status INACTIVE

To Revoke the CA Certificate permanently  

aws iot update-certificate --certificate-id <certificateId> --new-status REVOKED

References:

https://aws.amazon.com/blogs/iot/just-in-time-registration-of-device-certificates-on-aws-iot/

https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/

https://www.slideshare.net/AmazonWebServices/the-lifecycle-of-an-aws-iot-thing