Server authentication - AWS IoT Core

This page is a machine-translated version. If the translation differs from the English original, the English original prevails.

Server authentication

When your device or other client attempts to connect to AWS IoT Core, the AWS IoT Core server sends an X.509 certificate that your device uses to authenticate the server. Authentication takes place at the TLS layer through validation of the X.509 certificate chain. This is the same method your browser uses when you visit an HTTPS URL. If you want to use certificates from your own certificate authority, see Manage CA certificates.

When your devices or other clients establish a TLS connection to an AWS IoT Core endpoint, AWS IoT Core presents a certificate chain that the devices use to verify that they're communicating with AWS IoT Core and not another server impersonating AWS IoT Core. The chain that is presented depends on a combination of the type of endpoint the device is connecting to and the cipher suite that the client and AWS IoT Core negotiated during the TLS handshake.

Endpoint types

AWS IoT Core supports two different data endpoint types, iot:Data and iot:Data-ATS. iot:Data endpoints present a certificate signed by the VeriSign Class 3 Public Primary G5 root CA certificate. iot:Data-ATS endpoints present a server certificate signed by an Amazon Trust Services CA.

The certificates presented by ATS endpoints are cross-signed by Starfield. Some TLS client implementations require validation of the root of trust and require that the Starfield CA certificates be installed in the client's trust store.

Warning

We recommend against certificate-pinning methods that hash the entire certificate (including the issuer name and so on), because they will cause certificate validation to fail: the ATS certificates we provide are cross-signed by Starfield and therefore have a different issuer name.

Unless your devices require Symantec or VeriSign CA certificates, use the iot:Data-ATS endpoint. Symantec and VeriSign certificates have been deprecated and are no longer supported by most web browsers.

You can create an ATS endpoint by using the describe-endpoint command.

aws iot describe-endpoint --endpoint-type iot:Data-ATS

The describe-endpoint command returns the endpoint in the following format.

account-specific-prefix.iot.your-region.amazonaws.com

The first time you call describe-endpoint, an endpoint is created. All subsequent calls to describe-endpoint return the same endpoint.

For backward compatibility, AWS IoT Core still supports Symantec endpoints. For more information, see How AWS IoT Core is Helping Customers Navigate the Upcoming Distrust of Symantec Certificate Authorities. Devices that use ATS endpoints are fully interoperable with devices that use Symantec endpoints in the same account, and they don't require any re-registration.

Note

To see your iot:Data-ATS endpoint in the AWS IoT Core console, choose Settings. The console displays only the iot:Data-ATS endpoint. By default, the describe-endpoint command displays the iot:Data endpoint for backward compatibility. To see the iot:Data-ATS endpoint, specify the --endpoint-type parameter, as shown in the example above.

Creating an IotDataPlaneClient with the AWS SDK for Java

By default, the AWS SDK for Java - Version 2 creates an IotDataPlaneClient that uses an iot:Data endpoint. To create a client that uses an iot:Data-ATS endpoint, you must do the following.

  • Create an iot:Data-ATS endpoint by using the DescribeEndpoint API.

  • Specify that endpoint when you create the IotDataPlaneClient.

The following example does both.

import java.net.URI;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iot.IotClient;
import software.amazon.awssdk.services.iotdataplane.IotDataPlaneClient;

// The original snippet references CREDENTIALS_PROVIDER_CHAIN without defining it;
// the SDK's default provider chain is assumed here.
private static final AwsCredentialsProvider CREDENTIALS_PROVIDER_CHAIN = DefaultCredentialsProvider.create();

private IotDataPlaneClient iot;

public void setup() throws Exception {
    // Control-plane client, used only to look up the account's iot:Data-ATS endpoint.
    IotClient client = IotClient.builder()
        .credentialsProvider(CREDENTIALS_PROVIDER_CHAIN)
        .region(Region.US_EAST_1)
        .build();

    // Request the ATS endpoint explicitly; DescribeEndpoint defaults to the legacy iot:Data endpoint.
    String endpoint = client.describeEndpoint(r -> r.endpointType("iot:Data-ATS")).endpointAddress();

    // Data-plane client pointed at the ATS endpoint instead of the SDK's default iot:Data endpoint.
    iot = IotDataPlaneClient.builder()
        .credentialsProvider(CREDENTIALS_PROVIDER_CHAIN)
        .endpointOverride(URI.create("https://" + endpoint))
        .region(Region.US_EAST_1)
        .build();
}

CA certificates for server authentication

Depending on which type of data endpoint you are using and which cipher suite you have negotiated, AWS IoT Core server authentication certificates are signed by one of the following root CA certificates:

VeriSign endpoints (legacy)

Amazon Trust Services endpoints (preferred)

Note

You might need to right-click these links and choose Save link as... to save the certificates as files.

  • RSA 2048 bit key: Amazon Root CA 1.

  • RSA 4096 bit key: Amazon Root CA 2. Reserved for future use.

  • ECC 256 bit key: Amazon Root CA 3.

  • ECC 384 bit key: Amazon Root CA 4. Reserved for future use.

These certificates are all cross-signed by the Starfield root CA certificate. All new AWS IoT Core regions, beginning with the May 9, 2018 launch of AWS IoT Core in the Asia Pacific (Mumbai) Region, serve only ATS certificates.
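The cross-signing described here and in the pinning warning above, as an added example that is not from the AWS documentation or SDK: a standard-library Go program that builds a chain with the same shape as the ATS chain, using constructed stand-in CAs and a made-up endpoint name, and shows that a pin over the whole intermediate certificate differs between the two cross-signed variants while a pin over its public key (SPKI) is identical, and that a client trusting either root alone still validates the leaf.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
const host = "example-ats.iot.us-east-1.amazonaws.com" // constructed endpoint name, not a real one
// template builds a certificate template; every name used below is a constructed stand-in.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: ca, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, DNSNames: []string{host}}
}
func gen() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// issue signs tmpl with parentKey; passing tmpl as its own parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c
}
// chains reports whether leaf validates for host when only root is trusted and mid is offered.
func chains(leaf, mid, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root); inters.AddCert(mid)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}
// CrossSignDemo builds an ATS-style chain: one intermediate key certified by two different roots.
// Returns (whole-cert pins of the two intermediates equal, SPKI pins equal, verifies via root A, via root B).
func CrossSignDemo() (bool, bool, bool, bool) {
	keyA, keyB, midKey, leafKey := gen(), gen(), gen(), gen()
	tA, tB := template(1, "Root A (Amazon-style stand-in)", true), template(2, "Root B (Starfield-style stand-in)", true)
	rootA, rootB := issue(tA, tA, &keyA.PublicKey, keyA), issue(tB, tB, &keyB.PublicKey, keyB)
	mid := template(3, "Intermediate CA (stand-in)", true)
	midA := issue(mid, rootA, &midKey.PublicKey, keyA) // issued by root A
	midB := issue(mid, rootB, &midKey.PublicKey, keyB) // cross-signed: same key and subject, issuer is root B
	leaf := issue(template(4, host, false), midA, &leafKey.PublicKey, midKey)
	wholeEq := sha256.Sum256(midA.Raw) == sha256.Sum256(midB.Raw)                                       // issuer differs, so false
	spkiEq := sha256.Sum256(midA.RawSubjectPublicKeyInfo) == sha256.Sum256(midB.RawSubjectPublicKeyInfo) // same key, so true
	return wholeEq, spkiEq, chains(leaf, midA, rootA), chains(leaf, midB, rootB)
}
```

A client that pins the SPKI hash keeps working whichever cross-signed variant the server presents, which is the property the warning above is about.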

Server authentication guidelines

Many variables can affect a device's ability to validate the AWS IoT Core server authentication certificate. For example, a device's memory might be too limited to hold all possible root CA certificates, or a device might implement a nonstandard certificate validation method. For these reasons, we recommend following these guidelines:

Note

CA certificates have an expiration date, after which they can't be used to validate a server's certificate. The certificates might have to be replaced before their expiration date. Make sure that you can update the root CA certificates on all of your devices or clients to ensure ongoing connectivity and to keep up to date with security best practices.

Note

When connecting to AWS IoT Core in your device code, pass the certificate into the API you are using to connect. The API you use varies by SDK. For more information, see the AWS IoT Core Device SDKs.