The CA certificate does not have the basicConstraints extension as true

Aleksander Aleksic picture Aleksander Aleksic · May 18, 2018 · Viewed 7.1k times · Source

I am following this AWS GUIDE on creating self-signed certificates. But after creating my CA, I try to upload it to AWS IOT I get this error:

Command:

aws iot register-ca-certificate --ca-certificate file://CA_cert.pem --verification-cert file://verificationCert.crt

Error:

An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true

Any help appreciated!

Answer

Han Park picture Han Park · Jun 4, 2018

I have also used AWS IoT and suffered same error, and I found the solution.

Reason of the error

The error occurs because basicConstraints extension in the CA certificate, which means that the certificate is CA so this certificate is able to sign other public keys to generate client certificates, is not set to TRUE.

Note that a client X's certificate contains X's public key signed by CA's private key. Other clients, for example Y, can verify the X's public key using CA's public key.

I think you had the error when you tried to generate CA certificate. The error message indicates that the CA's certificate is not allowed to sign other client public keys.

Below are how I did.

Solution

I assume that you already generate CA's key, rootCA.key.

We need a openssl config file, say rootCA_openssl.conf. Note that you can modify the values.

[ req ]
distinguished_name       = req_distinguished_name
extensions               = v3_ca
req_extensions           = v3_ca

[ v3_ca ]
basicConstraints         = CA:TRUE

[ req_distinguished_name ]
countryName              = Country Name (2 letter code)
countryName_default      = KR
countryName_min          = 2
countryName_max          = 2
organizationName         = Organization Name (eg, company)
organizationName_default = Deeply Inc.

Then generate CA's certificate using the config file, rootCA_openssl.conf.

openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr -config rootCA_openssl.conf
openssl x509 -req -days 3650 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem 

Now we have CA's certificate, rootCA.pem. Then you can follow the instructions in the AWS IoT documentation. For example:

# Get the registration code for the use below: 
# $ aws iot get-registration-code 

openssl genrsa -out verificationCert.key 2048

openssl req -new -key verificationCert.key -out verificationCert.csr
# Put the registration code in Common Name field

openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.crt -days 500 -sha256