AWS IoT identifies and secures devices by putting an X.509 certificate in each one.
I’d like to use this procedure for assigning certificates to AWS IoT devices.
I tried using a Let's Encrypt certificate to do this, but it fails with this error…
An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true
This is complaining that the Let's Encrypt certificate lacks basicConstraints = CA:TRUE, right?
So what are my options? Paying a small fortune for certificates is not practical; the devices are too cheap (~$10 retail). Is my only option a self-signed CA?
Is there any real downside to using a self-signed CA for this? I need to be the CA since I need to control the certificates as they are issued. If anyone can make them, they can clone the devices. I don’t mind if they get cloned, I just don’t want to be paying for the cloud services of some other company’s devices.
Another solution would be to get thousands of trust-signed certificates and load them into both Amazon and the devices. AWS also supports doing it that way. This scheme is harder to keep track of, since I have to explicitly list every valid certificate at Amazon.
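To make the error in the question concrete, here is an added example (not part of the original post, and not AWS code) written with Go's standard crypto/x509 package. It builds a private CA with basicConstraints CA:TRUE and keyCertSign, a self-signed end-entity certificate shaped like a public-CA server certificate (basicConstraints present but CA:FALSE, which is the shape the registration call rejected), and one per-device certificate issued by the private CA. IsUsableAsCA is a local model of the check the error message describes, not a reimplementation of the RegisterCACertificate operation itself, and the names "Example Fleet CA", "device-0001" and "device.example.invalid" are made up for the demo. The actual upload to AWS is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key for tmpl and signs tmpl with parent/signer.
// A nil parent produces a self-signed certificate signed with the new key.
func newCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewPrivateCA builds the self-signed root a device fleet needs: the
// basicConstraints extension is emitted with CA:TRUE and keyCertSign is set.
func NewPrivateCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true, // basicConstraints CA:TRUE
		BasicConstraintsValid: true, // actually emit the extension
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// NewLeafStyleSelfSigned mimics an end-entity server certificate (constructed
// stand-in for a public-CA cert): basicConstraints present, but CA:FALSE.
func NewLeafStyleSelfSigned(hostname string) (*x509.Certificate, error) {
	cert, _, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hostname},
		DNSNames:              []string{hostname},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(0, 3, 0),
		BasicConstraintsValid: true, // IsCA stays false
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, nil, nil)
	return cert, err
}

// IssueDeviceCert issues one per-device client certificate from the private CA.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: deviceID},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(5, 0, 0),
		BasicConstraintsValid: true, // CA:FALSE: a device key must not mint sibling certs
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
}

// IsUsableAsCA models the check behind the "basicConstraints extension" error:
// the extension must be present with CA:TRUE, and the key must be allowed to sign certs.
func IsUsableAsCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// DeviceChainsToCA reports whether a device certificate verifies as a TLS client
// certificate against the given root, as the cloud side would at connect time.
func DeviceChainsToCA(device, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, caKey, err := NewPrivateCA("Example Fleet CA")
	if err != nil {
		panic(err)
	}
	leaf, err := NewLeafStyleSelfSigned("device.example.invalid")
	if err != nil {
		panic(err)
	}
	dev, _, err := IssueDeviceCert(ca, caKey, "device-0001", 2)
	if err != nil {
		panic(err)
	}
	fmt.Println("private CA usable as CA:     ", IsUsableAsCA(ca))         // true
	fmt.Println("leaf-style cert usable as CA:", IsUsableAsCA(leaf))       // false
	fmt.Println("device chains to private CA: ", DeviceChainsToCA(dev, ca)) // true
}
```

The leaf-style certificate fails IsUsableAsCA for exactly the reason the error message gives: the extension is there, but CA is false. Only the private root passes, and only certificates it signed chain to it, so registering that one root is what lets every device certificate it issues be accepted without listing each certificate individually.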