AWS Certificates

Utilising a Vector with the AWS cloud platform is not straightforward: simply uploading your certificates will most likely result in a Certificate Error, "SSL key pair is not valid":

This is because AWS can generate a cert and key pair for your device, but they use an unpublished CA to sign it, so the Vector cannot verify its authenticity and will reject it on reboot.

Therefore the device certs need to be signed by our own CA, and that CA cert is then uploaded to AWS.

This will be made easier to do in future, but for the meantime, the below process must be followed (as of firmware version 2.0.160).

Please note that the below routine requires a Linux terminal, so for those partners using Windows PCs the simplest way to accomplish it is by downloading Cmder: https://cmder.app/

This is a portable, cut down, Linux-like command line interface for Windows. Using this will allow you to follow the steps below with no changes.


CA Cert Generation

Generate your own CA root cert and key (in a Linux terminal) - fill in the details appropriately but the defaults will generally be enough:

# CA cert and key
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout ca.key -out ca.crt

Upload CA root cert to AWS IoT (AWS IoT web page):

  • Make sure you are logged in to your AWS account
  • Use the left hand side menu to go to Secure > CAs
  • Click on Register button
  • Click on Register CA and follow the instructions (you need to create a verification certificate to prove that you have the private key, then upload the two certs, ca.crt and the verification cert that you just created)
  • Make sure you activate the CA (you can do this by ticking the box when registering, or afterwards if you prefer)


Device Cert Generation

Use your own CA to generate and sign a cert for your device (in a Linux terminal). Again you can get away with using the defaults when filling in the details, although the common name is important to get right (it must match the device's hostname) and the password must be left empty, otherwise the device can't use its own private key:

# client key pair
openssl genrsa -out client.key 2048
openssl req -out client.csr -key client.key -new # (common name should match device’s hostname)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650
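
The two steps above (CA generation and device cert generation) as an added, unattended script that is not part of the original article, followed by the checks that catch the usual causes of the "SSL key pair is not valid" error: wrong signing CA, common name not matching the hostname, a passphrase on the key, or an expired cert against the local clock. It assumes openssl is on PATH; the hostname V4D-20090088 and the CA name are constructed samples.

```shell
#!/bin/sh
# Added example, not the article's own commands: non-interactive CA + client cert
# generation plus the checks a Vector effectively applies when it loads the certs.
# Assumes openssl on PATH; V4D-20090088 is a constructed sample hostname.
set -eu

write_cnf() {  # $1 = dir; minimal config so we do not depend on the system openssl.cnf
  cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

make_ca() {  # $1 = dir; -nodes skips the passphrase prompt so this runs unattended
  write_cnf "$1"
  openssl req -new -x509 -days 3650 -config "$1/openssl.cnf" -extensions v3_ca -nodes \
    -subj "/CN=Example Vector CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_client() {  # $1 = dir, $2 = device hostname (becomes the CN); key has no passphrase
  openssl genrsa -out "$1/client.key" 2048 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$1/client.key" -subj "/CN=$2" \
    -out "$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/client.crt" -days 3650 2>/dev/null
}

# check_client DIR HOSTNAME: 0 = good; 1 = not signed by our CA; 2 = CN differs from
# the hostname; 3 = key is passphrase-protected; 4 = cert already expired by local clock
check_client() {
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$1/client.crt" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//')
  [ "$cn" = "$2" ] || return 2
  grep -q ENCRYPTED "$1/client.key" && return 3
  openssl x509 -in "$1/client.crt" -noout -checkend 0 >/dev/null 2>&1 || return 4
  return 0
}

dir=$(mktemp -d)
make_ca "$dir"
make_client "$dir" V4D-20090088
check_client "$dir" V4D-20090088 && echo "client.crt is usable for V4D-20090088"
```

Upload the resulting ca.crt to AWS IoT and the client.key/client.crt to the Vector exactly as described in the sections above; the return code of check_client tells you which of the four common mistakes to fix first.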


AWS Thing

Create a Thing to manage the AWS IoT connection to your device (AWS IoT web page):

  • Use left hand side menu to go to Manage > Things
  • Click on Create Things
  • Select Create single thing and click next
  • Give your thing a name (the device serial number is recommended, e.g. V4D-20090088) and click next
  • Select “Use my certificate”, then select “CA is registered with AWS IoT” and choose your CA cert from the dropdown
  • Click on “Choose file” to upload client.crt, then click next
  • Choose to add a policy document, use the advanced mode and add something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive",
        "iot:RetainPublish"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:409212897757:topic/irisys/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Subscribe"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:409212897757:topicfilter/irisys/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Connect"
      ],
      "Resource": [
        "arn:aws:iot:us-west-2:409212897757:client/irisys-*",
        "arn:aws:iot:us-west-2:409212897757:client/V4D-*"
      ],
      "Condition": {
        "ForAllValues:StringEquals": {
          "iot:ConnectAttributes": [
            "LastWill"
          ]
        }
      }
    }
  ]
}
  • You will need to change the ARNs above, since they contain an account ID (409212897757) that must be replaced with your own.
You can find your own account number by clicking on your name in the AWS menu bar; it is displayed in the drop-down next to "My account".
  • The policy doc is crucial since it determines which client ids are allowed to connect and which topics we will allow publishing and subscribing to. My example above lets any client id starting with V4D- connect (which is what devices will connect as by default) or any client id starting with irisys-. In the example, I allow subscribing and publishing to anything under the irisys top level topic (note that the use of * as a wildcard is deliberate: usually you would use # in MQTT, but the policy doc is not parsed with that syntax; the docs say: "When you specify topic filters in AWS IoT Core policies for MQTT clients, MQTT wildcard characters + and # are treated as literal strings. Their use might result in unexpected behavior.").
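
The wildcard point above, as an added example that is not part of the original article: a small matcher that treats * as the only wildcard (as AWS IoT policies do) and + and # as literal characters, wrapped in a function that mirrors the three statements of the policy document above. It shows why the mosquitto/paho client ids and topics used in the connectivity test below are accepted, and what happens if the policy had been written with irisys/# instead of irisys/*. Account id and region are omitted since only the resource tail is compared; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own code. Models how an AWS IoT policy resource
# pattern matches a client id, topic or topic filter: '*' is the only wildcard,
# MQTT's '+' and '#' are ordinary characters.
set -u

# iot_pattern_match PATTERN VALUE -> 0 if VALUE matches PATTERN
iot_pattern_match() {
  # escape the shell's other glob characters ('?' and '[') so only '*' stays special
  pat=$(printf '%s' "$1" | sed 's/[?[]/\\&/g')
  case "$2" in $pat) return 0 ;; esac
  return 1
}

# iot_policy_allows ACTION CLIENTID TOPIC -> 0 if the policy document above permits it
# (assumed helper; mirrors the Connect, Publish/Receive/RetainPublish and Subscribe statements)
iot_policy_allows() {
  case "$1" in
    iot:Connect)
      iot_pattern_match 'irisys-*' "$2" || iot_pattern_match 'V4D-*' "$2" ;;
    iot:Publish|iot:Receive|iot:RetainPublish)
      iot_pattern_match 'irisys/*' "$3" ;;
    iot:Subscribe)
      iot_pattern_match 'irisys/*' "$3" ;;
    *) return 1 ;;
  esac
}

# The subscription filter 'irisys/#' is allowed only because '*' matches the literal '#'
iot_policy_allows iot:Subscribe irisys-sub 'irisys/#' && echo "subscribe irisys/# allowed"
iot_policy_allows iot:Publish irisys-pub irisys/V4D-20090088/status && echo "publish allowed"
# A policy written with the MQTT wildcard would NOT cover a concrete device topic
iot_pattern_match 'irisys/#' irisys/V4D-20090088/status || echo "irisys/# pattern denies it"
```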


Find the endpoint for your AWS IoT MQTT broker (AWS IoT web page):

  • Use the left hand side menu to go to AWS IoT > Settings and copy the endpoint address from near the top of that page (it will look something like: a2g9ft87j1defk-ats.iot.us-west-2.amazonaws.com)


Grab the AWS root certificate (AmazonRootCA1.pem, used as --cafile in the test commands below):


Connectivity Test

Test connectivity to the broker from your PC. Note that the client id must start with irisys- or V4D- and that the topic must start with irisys/, as required by the policy document above:


Test subscribing to the MQTT broker (Linux terminal):

  • Mosquitto command line (make sure to change the URL for your endpoint):
mosquitto_sub --cafile AmazonRootCA1.pem --cert client.crt --key client.key -h a2g9ft87j1defk-ats.iot.us-west-2.amazonaws.com -p 8883 -q 1 -d -v -t irisys/# -i irisys-sub
  • Paho command line (make sure to change the URL for your endpoint):
paho_c_sub --cafile AmazonRootCA1.pem --cert client.crt --key client.key -c ssl://a2g9ft87j1defk-ats.iot.us-west-2.amazonaws.com:8883 -q 1 -t irisys/# -i irisys-sub


Test publishing to the MQTT broker (Linux terminal):

  • Mosquitto command line (make sure to change the URL for your endpoint):
mosquitto_pub --cafile AmazonRootCA1.pem --cert client.crt --key client.key -h a2g9ft87j1defk-ats.iot.us-west-2.amazonaws.com -p 8883 -q 1 -d -t irisys/V4D-20090088/status -i irisys-pub -m "Hello, World"
  • Paho command line (make sure to change the URL for your endpoint):
paho_c_pub --cafile AmazonRootCA1.pem --cert client.crt --key client.key -c ssl://a2g9ft87j1defk-ats.iot.us-west-2.amazonaws.com:8883 -q 1 -t irisys/V4D-20090088/status -i irisys-pub -m "Hello, World"


Vector Configuration

Before doing anything on the Vector, double check that the onboard time and date are set correctly, otherwise the certs will be treated as invalid (not yet valid or expired).

  • Connect to the Vector and go to SETTINGS > SITE tab.
  • (If connecting via Estate Manager switch to 'Live View').
  • Confirm that the Device Time is correct. If not, click the 'Sync Time' button.
It is important that the correct date and time are set before continuing.

Now you can configure your Vector to connect to the MQTT broker:

  • Navigate to SETTINGS > SECURITY tab
  • Upload ca.crt (your own CA root cert) as your “Security Certificate Authority”
It is important to upload the CA cert first before the client certs.
  • Upload client.key and client.crt as your “Custom Security Certificates”
  • Save changes
  • Reboot the Vector via the 'Actions' button in top right
Rebooting the Vector at this point is important - do not skip this step.
  • After the reboot reconnect to the Vector and go back to the SETTINGS > SECURITY tab
  • Confirm no SSL error message appears.
  • Now add your MQTT broker settings...
  • Navigate to SETTINGS > MQTT
  • Add a broker with your endpoint address (e.g. a2g9ft87j1defk-ats.iot.us-west-2.amazonaws.com)
  • Port should be 8883
  • Enable TLS (I don’t seem to need TLS insecure set)
  • Enable your chosen topics; the chosen QoS must be 0 or 1.
AWS does not support QoS 2.
  • Remember to click the button to Save your changes.


Final Steps

If the device is failing to connect after following the instructions, make sure the policy doc you created is associated with your device.

In AWS IoT go to All devices > Things, click on your device and go to the certificates tab. Click on your certificate and make sure your policy is in the list of Policies at the bottom of the page. Add it if not.

Make sure that the correct version of your policy is active by clicking on it and checking the active version.