My goal is to connect a device to AWS IoT using a private ECC key generated within the ATECC608. I have already successfully connected a device by generating a key/crt with openssl and then writing the key to the ATECC (as per the security guide instructions), but now want to test generating a secret key on the ATECC.
I followed the process using the generic sample setup for the ATECC, as per the Security user guide
I generated a self-signed CA certificate using these commands:
openssl ecparam -out ca.key.pem -name prime256v1 -genkey
openssl req -new -subj "/C=IE/L=Dublin/O=ACME Ltd/OU=Testing/CN=test.acme.com" -sha256 -key ca.key.pem -text -out ca.csr.tmpl
openssl x509 -in ca.csr.tmpl -text -out ca.crt.pem -req -signkey ca.key.pem
I am able to successfully generate a key using the mos tool with
mos --port ws://mydevice.local/rpc atca-gen-key 0 --dry-run=false
and that outputs a public ECC key, so the ATECC is working as expected
I then tried to use the atca-gen-cert command to generate a certificate using the self-signed CA cert, like this:
mos --port ws://mydevice.local/rpc atca-gen-cert 0 mydevice.crt.pem --dry-run=false --ca-cert-file ca.crt.pem --ca-key-file ca.key.pem --subject "/C=IE/L=Dublin/O=ACME Ltd/OU=Testing/CN=test.acme.com"
but this always outputs the error:
Error: /go/src/github.com/mongoose-os/mos/mos/x509utils/gen_cert.go:265: unknown key format EC PARAMETERS in ca.key.pem
I’m guessing there is some way the CA needs to be configured to be compatible with the ATECC, but I’m not really sure what that would be.
Am I doing the right thing here? My assumption is that I’ll get a .crt file out of this process and that I can write the .crt to the device and follow the AWS provisioning process as per the security guide.
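An added example, not from the original post or from the mos project, in Go (the language of the tool that reports the error): it reconstructs the two-block PEM layout that `openssl ecparam -genkey -out` writes (an EC PARAMETERS block ahead of the EC PRIVATE KEY, using a key generated at runtime as a constructed sample), shows that a loader reading only the first block sees the parameters header, and shows a loader that skips it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
)

// DER-encoded OID for prime256v1 (1.2.840.10045.3.1.7): the payload of the
// "EC PARAMETERS" block that "openssl ecparam -genkey -out" writes first.
var prime256v1Params = []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07}

// makeOpensslStyleKeyPEM builds a constructed sample in the same two-block layout as ca.key.pem above.
func makeOpensslStyleKeyPEM() ([]byte, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "EC PARAMETERS", Bytes: prime256v1Params})
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})...)
	return out, priv, nil
}

// firstBlockType is what a loader that reads only the first PEM block sees: "EC PARAMETERS", hence the error.
func firstBlockType(pemData []byte) string {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return ""
	}
	return block.Type
}

// loadECPrivateKey skips parameter blocks and parses the EC PRIVATE KEY, so either PEM layout loads.
func loadECPrivateKey(pemData []byte) (*ecdsa.PrivateKey, error) {
	for {
		block, rest := pem.Decode(pemData)
		if block == nil {
			return nil, errors.New("no EC PRIVATE KEY block found")
		}
		if block.Type == "EC PRIVATE KEY" {
			return x509.ParseECPrivateKey(block.Bytes)
		}
		pemData = rest
	}
}
```

The command-line equivalent is to generate the CA key without the parameters block (`openssl ecparam -name prime256v1 -genkey -noout -out ca.key.pem`) or to rewrite the existing file with `openssl ec -in ca.key.pem -out ca.key.pem`, which emits only the EC PRIVATE KEY block. The error names ca.key.pem and comes from parsing that file, not from the ATECC configuration.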