
How AWS IoT Core is Helping Customers Navigate the Upcoming Distrust of Symantec Certificate Authorities

NOTE: This blog post describes important public key infrastructure (PKI) issues related to browser and mobile application connectivity to AWS IoT Core. For information about public key certificates and TLS, see Chain of Trust and Certificate Authorities in High Performance Browser Networking.

Overview

Google, Apple, and Mozilla have announced that, starting October, 2018, they will deprecate trust in all Symantec root certificate authorities (CAs), including the VeriSign Class 3 Public Primary G5 root CA used to sign AWS IoT Core server certificates. For information, see the Google announcement, the Apple announcement, and the Mozilla announcement.

The decision to no longer include these CA certificates will disrupt mobile and web applications that rely on the certificate trust stores provided by their mobile operating systems or browsers. Users might see warning notifications in their browsers. Mobile applications might be unable to establish connections to their AWS IoT Core endpoints.

Deprecating trust in a CA is a normal process on the internet. Web servers typically address this by switching to a different trusted CA to sign their server certificates. The process is transparent to end users because browsers include a large trust store with many CAs. In the IoT space, the story is a little bit more complicated. Due to memory constraints, devices might trust only a single CA and it might be difficult to update firmware on those devices to add new CA certificates. Changing the signing CA for a server certificate of an endpoint will prevent those devices from connecting to that endpoint.

The AWS IoT Core solution

AWS IoT now provides additional customer endpoints that present Amazon Trust Services (ATS) signed server certificates. ATS CAs are trusted, by default, in most popular browsers and operating systems, including iOS, Android, Chrome, Firefox, Windows, and most common Linux distributions. Earlier this year, the AWS Security team published a blog post that outlined our efforts to migrate AWS services to ATS signed server certificates. Many AWS services, including Amazon DynamoDB and Amazon EC2, are already presenting these server certificates when customers call their APIs.

To maintain backward compatibility with devices that only trust server certificates signed by the VeriSign Class 3 Public Primary G5 root CA, AWS IoT Core will continue to provide endpoints that authenticate with server certificates signed by that CA. These certificates will continue to be renewed on a regular basis.

We strongly recommend that all customers use the following instructions to get their new Amazon Trust Services endpoint and use it in mobile and browser apps that connect to AWS IoT Core. We also recommend that customers start migrating their device fleets to trust Amazon Trust Services root CAs and connect to Amazon Trust Services endpoints.

Keep these things in mind when you update your mobile or browser app or migrate your fleet:

  • You must explicitly request an Amazon Trust Services endpoint for each region in your account. Any existing customer endpoint you have is most likely a VeriSign endpoint. If your endpoint has “-ats” at the end of the first subdomain, then it is an Amazon Trust Services endpoint. For example, ‘asdfasdf-ats.iot.us-east-2.amazonaws.com’ is an ATS endpoint.
  • IoT endpoints for jobs and the credentials provider are not affected. They are already serving Amazon Trust Services signed certificates.
  • VeriSign and Amazon Trust Services endpoints in the same account and region are interoperable. The only difference between the endpoints is the root CA of the certificate they serve. Devices can switch back and forth (provided they have both certificates) and communicate with each other with no additional changes or registration. This means a phased transition is possible (and recommended).
  • New regions launched after May, 2018 serve Amazon Trust Services signed certificates only.
Region name                  Region           Available root CAs*
US East (Ohio)               us-east-2        VeriSign, ATS
US East (N. Virginia)        us-east-1        VeriSign, ATS
US West (Oregon)             us-west-2        VeriSign, ATS
Asia Pacific (Singapore)     ap-southeast-1   VeriSign, ATS
Asia Pacific (Sydney)        ap-southeast-2   VeriSign, ATS
Asia Pacific (Tokyo)         ap-northeast-1   VeriSign, ATS
Asia Pacific (Seoul)         ap-northeast-2   VeriSign, ATS
EU (Frankfurt)               eu-central-1     VeriSign, ATS
EU (Ireland)                 eu-west-1        VeriSign, ATS
EU (London)                  eu-west-2        VeriSign, ATS
China (Beijing)              cn-north-1       VeriSign, ATS
Asia Pacific (Mumbai)        ap-south-1       ATS
AWS GovCloud (US)            us-gov-west-1    ATS

*AWS IoT Core regions added in the future will support the Amazon Trust Services root CA only

How to set up your Amazon Trust Services endpoint

  1. Create your ATS endpoint
    • Call the describe-endpoint API with the endpointType parameter set to iot:Data-ATS. In the AWS CLI, you can use the following command: aws iot describe-endpoint --endpoint-type iot:Data-ATS.
    • If successful, you should receive an endpoint in the form prefix-ats.iot.region.amazonaws.com. This API call is idempotent in the sense that the first call creates an endpoint, and subsequent calls return the same endpoint.
  2. Download the ATS root CAs to your devices.
    • Refer to the documentation on Server Authentication in AWS IoT Core and follow the links to the desired Amazon Trust Services CA Certificates (e.g. RSA or ECC).
    • Save these certificates as .pem files and copy them to your devices.
  3. Connect Away!
    • Update your mobile and browser apps and the firmware of your devices with the new endpoint.
    • Test & Deploy!

NOTE: ATS endpoints are now presented by default in the console. If you need to get a VeriSign endpoint, simply call the describe-endpoint API with no --endpoint-type flag.
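The three steps above, plus the "-ats" naming rule from the bullet list, as one added bash script. This is example code written for this page, not AWS's own tooling. It assumes the aws CLI is configured for the target region and that curl and openssl are on the PATH; the Amazon Trust Services repository URLs and the use of port 8443 for the handshake test are assumptions not stated in the post. The final check deliberately trusts only the ATS bundle, which is how a memory-constrained device with a single root CA would behave: the ATS endpoint must validate, and the legacy VeriSign endpoint is expected not to.

```shell
#!/usr/bin/env bash
# Added example for the AWS IoT Core ATS migration post (not AWS code).
set -euo pipefail

# Naming rule from the post: an endpoint whose first label ends in "-ats"
# serves an Amazon Trust Services chain; otherwise it is a VeriSign endpoint.
# Prints "ats" or "verisign"; returns 1 for anything that is not an
# <prefix>.iot.<region>.amazonaws.com data endpoint.
iot_endpoint_ca_family() {
    local host="$1"
    local first="${host%%.*}"
    local rest="${host#*.}"
    case "$rest" in
        iot.*.amazonaws.com) ;;
        *) echo "not an AWS IoT Core data endpoint: $host" >&2; return 1 ;;
    esac
    case "$first" in
        *-ats) echo ats ;;
        *)     echo verisign ;;
    esac
}

# Extract the region label from <prefix>.iot.<region>.amazonaws.com.
iot_endpoint_region() {
    local rest="${1#*.}"          # iot.<region>.amazonaws.com
    rest="${rest#iot.}"           # <region>.amazonaws.com
    echo "${rest%%.*}"
}

# Step 1: request the ATS endpoint. The call is idempotent per the post:
# the first call creates it, later calls return the same name.
get_ats_endpoint() {
    aws iot describe-endpoint --endpoint-type iot:Data-ATS \
        --query endpointAddress --output text
}

# Legacy endpoint: same call with no --endpoint-type flag.
get_legacy_endpoint() {
    aws iot describe-endpoint --query endpointAddress --output text
}

# Step 2: fetch the ATS root CAs (RSA and ECC) and build a bundle.
# Assumption: the public amazontrust.com repository paths below; cross-check
# them against the Server Authentication page in the AWS IoT Core docs.
fetch_ats_roots() {
    local dir="$1" name
    mkdir -p "$dir"
    for name in AmazonRootCA1 AmazonRootCA2 AmazonRootCA3 AmazonRootCA4; do
        curl -fsS "https://www.amazontrust.com/repository/${name}.pem" \
            -o "$dir/${name}.pem"
    done
    cat "$dir"/AmazonRootCA*.pem > "$dir/ats-bundle.pem"
}

# Step 3: handshake while trusting ONLY the given bundle, like a device that
# carries a single root. -verify_return_error makes a chain that does not end
# in one of those roots a hard failure. Port 8443 is an assumption (IoT HTTPS).
check_chain_against() {
    local host="$1" cafile="$2" port="${3:-8443}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1
}

migration_check() {
    local workdir="${1:-./ats-roots}" ats legacy
    ats="$(get_ats_endpoint)"
    echo "ATS endpoint: $ats (family=$(iot_endpoint_ca_family "$ats"), region=$(iot_endpoint_region "$ats"))"
    fetch_ats_roots "$workdir"
    if check_chain_against "$ats" "$workdir/ats-bundle.pem"; then
        echo "OK: $ats validates with the ATS roots alone; devices trusting only ATS can connect."
    else
        echo "FAIL: $ats did not validate against the ATS bundle." >&2
        return 1
    fi
    # The VeriSign endpoint keeps serving VeriSign-signed certificates, so a
    # device holding only ATS roots must NOT be pointed at it yet.
    legacy="$(get_legacy_endpoint)"
    if check_chain_against "$legacy" "$workdir/ats-bundle.pem"; then
        echo "NOTE: $legacy also validated against ATS roots; re-check which endpoint type it is."
    else
        echo "As expected: $legacy (family=$(iot_endpoint_ca_family "$legacy")) needs the VeriSign root; migrate devices to $ats only after they trust ATS."
    fi
}

# Network steps run only when explicitly requested, e.g.
#   RUN_ATS_MIGRATION_CHECK=1 ./ats-check.sh ./ats-roots
if [ "${RUN_ATS_MIGRATION_CHECK:-0}" = "1" ]; then
    migration_check "${1:-./ats-roots}"
fi
```

The name-based classification is only a first screen; the openssl handshake against the ATS-only bundle is the check that actually tells you whether a single-root device will be able to connect, and running it against both endpoints shows why the post recommends a phased transition rather than a cut-over.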
