
Validating Client Certificates in AWS IoT Core Using OCSP
Streamlining Client Certificate Validation with OCSP in AWS IoT Core
masainox
Amazon Employee
Published Oct 16, 2024
In IoT, verifying the validity of client certificates is crucial. It is essential to promptly detect whether a certificate presented by a client has been compromised or expired. To address the challenges of traditional Certificate Revocation Lists (CRLs), the Online Certificate Status Protocol (OCSP) was introduced.
CRLs present several issues. First, the lists tend to grow large, so clients have to download them repeatedly, which is inefficient. Second, delays in updating the lists mean that revocation information is often not reflected immediately. OCSP was introduced to let a client retrieve the revocation status of a single certificate in real time.
Today, I will explore how AWS IoT Core’s Custom Client Certificate Validation feature can be effectively used to validate OCSP responses.
AWS IoT Core’s Custom Client Certificate Validation, also referred to as Pre Auth, is a feature that invokes a Lambda function before a client establishes a TLS session using an X.509 certificate. This means that the Lambda function can be used to query an OCSP responder and easily validate the OCSP response.
The Lambda function is attached to an AWS IoT Core domain configuration, so a custom domain configuration must be set up before the feature can be used.

In this case, we will enable the OCSP responder in AWS Private CA and issue a client certificate. The client certificate issued from this CA will include the OCSP responder’s URL as part of the Authority Information Access field.
Let’s start by preparing the configuration for the CA.
Create a CA
At this point, the status of the CA is set to "Status": "PENDING_CERTIFICATE".
To enable OCSP, you can configure the revocation-config.json file as shown below:
Update with the configuration
Let's check if the OCSP config is enabled.
From the web console, select Action > Install CA certificate. Once installed, the CA status will change to "Status": "ACTIVE".
Create a client CSR
Issue a certificate
Download the certificate
The downloaded certificate might have formatting issues where the certificate delimiters are not correctly separated, for example "-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----" appearing on a single line. Correct the formatting by ensuring that each delimiter is on its own line. You can search for the Authority Information Access (AIA) field, which includes the OCSP Responder URL, using the following command:
To access the OCSP Responder via AWS CLI, you’ll need the CA certificate. First, download the CA certificate using the following AWS CLI command:
To query the OCSP responder, you can use OpenSSL to send an OCSP request. Here’s how to perform the OCSP query using the certificate and CA certificate:
Great! “Response verify OK” means the responder’s signature on the response checked out against the CA certificate, and the status OpenSSL prints for the certificate on the following line (good, revoked, or unknown) shows that the certificate is valid, so check both lines. You’ve successfully queried the OCSP Responder and validated the client’s certificate.
Below is sample code for a Lambda function that handles OCSP validation during the pre-authentication phase in AWS IoT Core. It works as follows:
- Receive the client and intermediate certificates from the event payload passed by AWS IoT Core.
- Extract the OCSP Responder URL from the Authority Information Access (AIA) field of the certificate.
- Send a request to the OCSP Responder to verify the certificate’s validity.
- Authentication succeeds when the Lambda function returns {'isAuthenticated': True}.
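The handler outlined in the list above, together with the OCSP query that the OpenSSL step performs by hand, as an added example written for this page (it is not the post's own Lambda code). It uses the cryptography package. The event field names certificatePem and caCertificatePem, the responder URL http://ocsp.example.invalid, the demo CA and client certificate and the fake responder are all constructed assumptions, and the response is assumed to be signed with the CA's RSA key, which is how the fake responder signs it.

```python
import datetime
import urllib.request

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

def ocsp_url_from_aia(cert):
    aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    raise ValueError("certificate carries no OCSP responder URL")

def build_ocsp_request(cert, issuer):
    # SHA-1 in the CertID only names the certificate (RFC 5019 profile); no integrity role.
    req = ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)

def post_ocsp(url, der_request, timeout=5):  # HTTP POST transport as in RFC 6960
    req = urllib.request.Request(url, data=der_request, method="POST",
                                 headers={"Content-Type": "application/ocsp-request"})
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return r.read()

def _when(resp, name):  # aware UTC datetime; newer cryptography exposes *_utc accessors
    dt = getattr(resp, name + "_utc") if hasattr(resp, name + "_utc") else getattr(resp, name)
    return dt if dt is None or dt.tzinfo else dt.replace(tzinfo=datetime.timezone.utc)

def check_ocsp_response(der_response, cert, issuer, now=None):
    """Return (ok, reason); ok only for a fresh, CA-signed GOOD answer about `cert`."""
    resp = ocsp.load_der_ocsp_response(der_response)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False, f"responder returned {resp.response_status.name}"
    # Assumes the CA key signed the response. A delegated responder certificate (EKU
    # id-kp-OCSPSigning in resp.certificates) would need validating first; we fail closed.
    try:
        issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                   padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return False, "response signature does not verify against the CA"
    if resp.serial_number != cert.serial_number:
        return False, "response is about a different certificate"
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if (nxt := _when(resp, "next_update")) is not None and nxt < now:
        return False, "stale response (nextUpdate has passed)"  # an old GOOD must not count
    if resp.certificate_status != ocsp.OCSPCertStatus.GOOD:
        return False, f"certificate status is {resp.certificate_status.name}"
    return True, "good"

def lambda_handler(event, context=None, send=post_ocsp):
    """Pre Auth entry point. Event keys 'certificatePem'/'caCertificatePem' are assumed."""
    try:
        cert = x509.load_pem_x509_certificate(event["certificatePem"].encode())
        issuer = x509.load_pem_x509_certificate(event["caCertificatePem"].encode())
        der = send(ocsp_url_from_aia(cert), build_ocsp_request(cert, issuer))
        ok, reason = check_ocsp_response(der, cert, issuer)
    except Exception as exc:                 # parse or transport failure: fail closed
        ok, reason = False, repr(exc)
    print(f"OCSP pre-auth decision: {ok} ({reason})")   # ends up in CloudWatch Logs
    return {"isAuthenticated": ok}

# ---- Offline demo: constructed CA, client certificate and fake responder (not a real PKI) ----
def make_demo_pki(ocsp_url="http://ocsp.example.invalid"):
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Private CA")])
    def issue(subject, public_key, ext, critical):
        return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_name)
                .public_key(public_key).serial_number(x509.random_serial_number())
                .not_valid_before(now - datetime.timedelta(minutes=5))
                .not_valid_after(now + datetime.timedelta(days=1))
                .add_extension(ext, critical=critical).sign(ca_key, hashes.SHA256()))
    ca = issue(ca_name, ca_key.public_key(), x509.BasicConstraints(ca=True, path_length=None), True)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    client_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    client = issue(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "thing-001")]),
                   client_key.public_key(), aia, False)
    return ca_key, ca, client

def fake_responder(ca_key, ca, client, revoked):
    # Stand-in for the AWS Private CA responder: returns a CA-signed answer for `client`.
    def send(url, der_request):
        now = datetime.datetime.now(datetime.timezone.utc)
        status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
        b = ocsp.OCSPResponseBuilder().add_response(
            cert=client, issuer=ca, algorithm=hashes.SHA1(), cert_status=status,
            this_update=now, next_update=now + datetime.timedelta(hours=1),
            revocation_time=now if revoked else None, revocation_reason=None,
        ).responder_id(ocsp.OCSPResponderEncoding.HASH, ca)
        return b.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)
    return send

def demo(revoked=False):
    ca_key, ca, client = make_demo_pki()
    event = {"certificatePem": client.public_bytes(serialization.Encoding.PEM).decode(),
             "caCertificatePem": ca.public_bytes(serialization.Encoding.PEM).decode()}
    return lambda_handler(event, send=fake_responder(ca_key, ca, client, revoked))
```

demo() returns {'isAuthenticated': True} for a GOOD answer and demo(revoked=True) returns {'isAuthenticated': False}. The handler fails closed on every other path: responder errors, a signature that does not verify, a response about another serial, a response whose nextUpdate has passed, or any parsing and transport exception, and each reason is printed so it is visible in CloudWatch Logs. In a deployed function, replace the fake responder with the default post_ocsp transport, which posts the DER request to the URL taken from the certificate's AIA field.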
Make sure to set the appropriate Resource-based Policy so that AWS IoT Core can invoke the Lambda function. Additionally, attaching a role that allows access to CloudWatch Logs is crucial for monitoring and debugging.
In this case, I will use the domain configuration I previously created. At the time of its creation, the configuration was likely set up as follows:
With the AWS CLI version used here (aws-cli/2.18.0), the existing domain configuration can be updated to enable Custom Client Certificate Validation as follows:
By updating the domain configuration as outlined, any MQTT access to this domain will now trigger the Lambda function for Custom Client Certificate Validation.
To test the connection and validate OCSP checks, you can use the mosquitto_pub command to connect to AWS IoT Core via MQTT. Here’s an example of what the output might look like if the OCSP check is successful:

We tried out how to perform client certificate validation using OCSP in AWS IoT Core. By leveraging this mechanism, it was relatively easy to validate certificates with OCSP. Since we’re using Lambda, it seems quite flexible and capable of handling various custom processes.
See you next time 👋
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.