AWS IoT Core Integration - Private Key issues?

Hi,

I’m testing out AWS IoT Core integration and when I try to read the private key that is issued by Mender I am getting errors. The private key I’m testing can be found in the mender-configure area on the device or in the Mender web panel under the device variables.

openssl rsa -noout -modulus -in c:\certs\in.key

unable to load Private Key
34359836736:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
34359836736:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_ALGOR
34359836736:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=pkeyalg, Type=PKCS8_PRIV_KEY_INFO
34359836736:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:crypto/pem/pem_pkey.c:88:

Again, when using the AWS IoT JS library:

  opensslErrorStack: [
    'error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib',
    'error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error',
    'error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error',
    'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag',
    'error:04093004:rsa routines:old_rsa_priv_decode:RSA lib',
    'error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error',
    'error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error'
  ],
  library: 'asn1 encoding routines',
  function: 'asn1_check_tlen',
  reason: 'wrong tag',
  code: 'ERR_OSSL_ASN1_WRONG_TAG'
}

Has anyone experienced the same issues? I’ve triple-checked the key, made sure there are no spaces, that the begin and end tags are right, etc. I’ve copied it into Notepad and back to make sure there are no weird character funnies, and copied it straight from Mender’s device information page too.

I’ve created a new certificate manually in AWS for the “thing” and downloaded a private key through the AWS Console, this works fine using the same code I’m trying.

Really looking forward to figuring out why, using AWS IoT with Mender managing it will be very neat. Maybe there’s something I am missing?

Thank you

Noticed the same thing here while trying out the Mender 3.4 AWS IoT integration.

Generating the certificate and keypair manually using the aws iot CLI tool gives me an RSA key that is quite different from the one I get through mender-configure.

The manually generated key appears to be a PKCS#1 RSA key (header starts with -----BEGIN RSA PRIVATE KEY-----), while the one I get through mender-configure seems to be a traditional PKCS#8 key (header starts with -----BEGIN PRIVATE KEY-----). The keys seem shorter also, maybe 2048 vs 256 bits?

Just to give more context on my use case, I connect a Mosquitto bridge to the AWS IoT MQTT broker using the key and cert. No issue when using the manually generated key and cert, but what I receive through mender-configure won’t work. I was curious whether there are some parameters controlling how the key/cert are generated?

Btw, here is the aws cli command I use to manually create the keypair and certificate:
aws iot create-keys-and-certificate --set-as-active --certificate-pem-outfile cert.crt --private-key-outfile private.key --public-key-outfile public.key --region us-east-1

Any insight would be appreciated.
Thanks!

So apparently, fiddling around, I figured out that the keys provided through mender-configure are 256-bit ECC keys. For some unknown reason, OpenSSL doesn’t like that the header is -----BEGIN PRIVATE KEY----- (I suppose it thinks it should be a PKCS#8 key). Instead, simply modifying the header to -----BEGIN EC PRIVATE KEY----- fixed the issues for me.

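The OpenSSL trace in the first post ("wrong tag" while decoding Field=pkeyalg of PKCS8_PRIV_KEY_INFO) and the header fix in the reply above point at the same thing: the PEM label says PKCS#8 (-----BEGIN PRIVATE KEY-----, whose body must start with an INTEGER version followed by an AlgorithmIdentifier SEQUENCE), but the DER inside is a SEC1 ECPrivateKey, whose second element is an OCTET STRING. Below is an added, stand-alone check for exactly that mismatch; it is not Mender, AWS or OpenSSL code. It uses only the Python standard library and a minimal DER reader, tells the three common private-key encodings apart by the tag of the second element in the outer SEQUENCE, and rewrites the label without touching the key bytes. The sample PEM it builds is a constructed P-256 structure with a dummy 32-byte scalar, not a real key.

```python
"""Check whether a PEM private key's BEGIN/END label matches the DER structure inside it.

Added example for this thread (not Mender's, AWS's or OpenSSL's code). The three
encodings are told apart by the tag of the SECOND element of the outer SEQUENCE:

  PKCS#8 PrivateKeyInfo : SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }
  PKCS#1 RSAPrivateKey  : SEQUENCE { INTEGER version, INTEGER n, INTEGER e, ... }
  SEC1   ECPrivateKey   : SEQUENCE { INTEGER version, OCTET STRING privateKey, [0] params, [1] pubkey }
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)

# PEM label that each structure is supposed to carry.
EXPECTED_LABEL = {
    "PKCS#8 PrivateKeyInfo": "PRIVATE KEY",
    "PKCS#1 RSAPrivateKey": "RSA PRIVATE KEY",
    "SEC1 ECPrivateKey": "EC PRIVATE KEY",
}


def pem_decode(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", m.group("body"))
    return m.group("label"), base64.b64decode(body, validate=True)


def der_read_tlv(data, pos=0):
    """Read one DER TLV at pos; return (tag, value_bytes, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def classify_der(der):
    """Name the private-key structure, or raise if it is none of the three."""
    tag, outer, _ = der_read_tlv(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, _version, pos = der_read_tlv(outer)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER version")
    if pos >= len(outer):
        raise ValueError("SEQUENCE ends after the version field")
    second_tag, _, _ = der_read_tlv(outer, pos)
    if second_tag == 0x30:
        return "PKCS#8 PrivateKeyInfo"
    if second_tag == 0x02:
        return "PKCS#1 RSAPrivateKey"
    if second_tag == 0x04:
        return "SEC1 ECPrivateKey"
    raise ValueError("unrecognised private-key structure (second tag 0x%02x)" % second_tag)


def check_pem(pem_text):
    """Return (label_on_file, structure, expected_label); differing labels mean a mislabelled key."""
    label, der = pem_decode(pem_text)
    structure = classify_der(der)
    return label, structure, EXPECTED_LABEL[structure]


def relabel_pem(pem_text):
    """Rewrite the BEGIN/END label to match the DER body; the base64 body is left unchanged."""
    label, _structure, expected = check_pem(pem_text)
    if label == expected:
        return pem_text
    return (pem_text.replace("-----BEGIN %s-----" % label, "-----BEGIN %s-----" % expected)
                    .replace("-----END %s-----" % label, "-----END %s-----" % expected))


def _tlv(tag, value):
    """Encode one DER TLV (short or long length form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_sec1_pem():
    """Constructed SEC1 ECPrivateKey (prime256v1 OID, dummy scalar 0x01..0x20; NOT a real key)
    wrapped in the PKCS#8 'PRIVATE KEY' label, reproducing the mismatch discussed in the thread."""
    prime256v1 = bytes.fromhex("2A8648CE3D030107")
    body = (_tlv(0x02, b"\x01")                       # version 1
            + _tlv(0x04, bytes(range(1, 33)))         # privateKey OCTET STRING (dummy)
            + _tlv(0xA0, _tlv(0x06, prime256v1)))     # [0] parameters: namedCurve OID
    b64 = base64.b64encode(_tlv(0x30, body)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


if __name__ == "__main__":
    sample = build_sample_sec1_pem()
    print(check_pem(sample))      # ('PRIVATE KEY', 'SEC1 ECPrivateKey', 'EC PRIVATE KEY')
    print(relabel_pem(sample))
```

To test a key from a device, read the file and pass its text to `check_pem`; a structure of "SEC1 ECPrivateKey" under a "PRIVATE KEY" label is the case reported in this thread, and `relabel_pem` applies the same header change the reply describes. Relabelling is a workaround for the client side only; the encoding produced at issuance is what should be made consistent.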

@system Is there any plan to update this certificate generation to the latest one instead of using ECC 256 bit?