0
votes

I am confused about the certificates associated with Google Cloud IoT Core. Which CA certificate is used at the registry level, and how do I generate it? And the "roots.pem" certificate used to communicate between the device and Cloud IoT Core over the MQTT bridge, which I got from this link 'https://pki.google.com/roots.pem': is it different from the one associated with the registry-level certificate?

I have tried adding the roots.pem certificate, but it throws an error that the file is too big. I have also added the public key which is used to authenticate the device using a public/private key pair; it was added successfully. But I am confused about which one to use, where to use it and how to generate one.

How do I verify a device with registry-level CA certificates for more security?

I am using the following commands:

For getting the roots.pem certificate: 'https://pki.google.com/roots.pem'

For getting the public/private key pair:

openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem -days 1000000 -out rsa_cert.pem -subj "/CN=unused"
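For the registry-level CA question above, here is an added Python example that is not part of the original post or of Google's samples. A registry's "CA certificates" list is only consulted when a device public key is added in X.509 form (the rsa_cert.pem from the openssl command would be uploaded as RS256_X509): Cloud IoT Core then checks that the device certificate is signed by one of the registry CAs, and rejects it otherwise. The code builds such a CA, issues a device certificate under it, and reproduces that upload-time check locally. The CN values and lifetimes are placeholders, and the `cryptography` package is required. roots.pem is something else entirely: a bundle of Google root CA certificates that the device uses to verify the TLS server certificate of the MQTT bridge, so it is neither a device credential nor a registry CA.

```python
"""Registry CA and CA-signed device certificate for Cloud IoT Core (added example,
not code from the original post). Requires the `cryptography` package."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn: str) -> x509.Name:
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_registry_ca(cn: str = "example-registry-ca"):
    """Self-signed CA. The PEM of the returned certificate is what gets added to
    the registry under "CA certificates"; the CA key stays offline."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(cn))
        .issuer_name(_name(cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=3650))  # placeholder lifetime
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_device_cert(ca_key, ca_cert, device_id: str):
    """The device generates its own key pair; the CA signs a certificate for the
    public half. The returned PEM is what you upload as the device's public key
    in RS256_X509 format; the device private key never leaves the device."""
    device_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(device_id))
        .issuer_name(ca_cert.subject)
        .public_key(device_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))  # placeholder lifetime
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return device_key, cert.public_bytes(serialization.Encoding.PEM)


def signed_by_registry_ca(device_cert_pem: bytes, registry_cas) -> bool:
    """Local stand-in for the check Cloud IoT Core performs when an X.509 public
    key is added to a device in a registry that has CA certificates: the device
    certificate must carry a valid signature from one of those CAs."""
    cert = x509.load_pem_x509_certificate(device_cert_pem)
    for ca in registry_cas:
        if cert.issuer != ca.subject:
            continue  # not issued under this CA's name, try the next one
        try:
            ca.public_key().verify(
                cert.signature,
                cert.tbs_certificate_bytes,
                padding.PKCS1v15(),
                cert.signature_hash_algorithm,
            )
            return True
        except InvalidSignature:
            continue  # same issuer name but wrong key: a forged certificate
    return False


if __name__ == "__main__":
    ca_key, ca_cert = make_registry_ca()
    _, device_pem = issue_device_cert(ca_key, ca_cert, "my-device")
    print("registry CA PEM to upload:\n" + ca_cert.public_bytes(serialization.Encoding.PEM).decode())
    print("accepted by registry CA check:", signed_by_registry_ca(device_pem, [ca_cert]))
```

The issuer-name check alone is not enough; the forged-certificate case (same CA name, different key) is rejected only because the signature is verified against the registry CA's public key, which is the property that makes a registry CA more than a label.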

2 Answers

0
votes

I hope I can help answer your question. One thing that pops out is your use of the Google roots.pem. I'm not sure what that file is, but I haven't needed it in order to validate my GCP IoT clients. I use an openssl command nearly identical to yours (I just haven't been using the "-days" parameter, but maybe I should!), then on the GCP Console web page for the device I use "Add public key" to manually copy/paste the contents of the generated public key file (i.e. "rsa_cert.pem"). Finally, I use the generated private key file (i.e. "rsa_private.pem") in my code to sign the JWT.

Does that help? I'm not an "expert", but I've been working pretty regularly with this stuff for a couple months.

-C
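For the procedure this answer describes (generate an RSA key pair, paste the public half into the device, sign a JWT with the private half), here is an added Python example that is not part of the original answer or of Google's samples. It builds the RS256 JWT that Cloud IoT Core expects as the MQTT password (aud set to the GCP project ID, iat, and exp no more than 24 hours after iat) and then verifies it against the public key, which is the check the MQTT bridge performs using the key stored on the device resource. The project ID, timestamps and lifetime are placeholders, and the `cryptography` package is required.

```python
"""Cloud IoT Core device JWT: create with the private key, verify with the uploaded
public key (added example, not code from the original answer). Requires `cryptography`."""
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

MAX_LIFETIME_S = 24 * 3600  # Cloud IoT Core rejects tokens valid for longer than 24 h


def b64url(data: bytes) -> str:
    """Unpadded base64url as required by JWS (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_keypair():
    """Same key material as the `openssl req -newkey rsa:2048 ...` command in the
    question. The private PEM stays on the device; the public PEM is what gets
    pasted into "Add public key" (format RSA_PEM; the self-signed rsa_cert.pem the
    openssl command also produces would be uploaded as RS256_X509 instead)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    public_pem = key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def create_jwt(project_id: str, private_pem: bytes, now: int, lifetime_s: int = 3600) -> str:
    """Build the token the device sends as the MQTT password (the username is ignored).
    Required claims: aud = GCP project id, iat, exp with exp - iat <= 24 h."""
    if not 0 < lifetime_s <= MAX_LIFETIME_S:
        raise ValueError("lifetime must be between 1 s and 24 h")
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iat": now, "exp": now + lifetime_s, "aud": project_id}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    key = serialization.load_pem_private_key(private_pem, password=None)
    signature = key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_jwt(token: str, project_id: str, public_pem: bytes, now: int) -> dict:
    """Local stand-in for the bridge's check against the device's uploaded public
    key. Returns the claims on success and raises ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(head_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg %r" % header.get("alg"))
    public_key = serialization.load_pem_public_key(public_pem)
    try:
        public_key.verify(
            b64url_decode(sig_b64),
            (head_b64 + "." + claims_b64).encode("ascii"),
            padding.PKCS1v15(),
            hashes.SHA256(),
        )
    except InvalidSignature:
        raise ValueError("signature does not verify: private key does not match the uploaded public key")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("aud") != project_id:
        raise ValueError("aud must equal the project id")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        raise ValueError("iat and exp must be integer timestamps")
    if exp - iat > MAX_LIFETIME_S:
        raise ValueError("token lifetime exceeds 24 h")
    if not iat <= now < exp:
        raise ValueError("token expired or not yet valid")
    return claims
```

A mismatch between the private key on the device and the public key pasted into the console shows up here as a signature failure, which is the same thing the bridge reports as an authentication error; the token itself carries no secret, so it can be logged for debugging as long as it has expired.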

0
votes

I personally use Python to connect my device, and the line of code looks like this:

# Signature matches get_client() from Google's cloudiot_mqtt_example.py: it creates the
# paho-mqtt client, signs the JWT with the private key file (self.credential) and passes
# root_certificate (roots.pem) to tls_set() as the CA bundle for the TLS connection.
self.Mqttclient = self.get_client(
        self.projectId, cloud_region, self.registryId, self.deviceId,
        self.credential, algorithm, root_certificate,
        mqtt_hostname, mqtt_port)

So yes, I created the roots.pem exactly like you did, and created the public and private files with a Python script that basically does the same thing you do with openssl on the command line.

You can have a look here for more info about certificates.