Proof of possession fails for trusted certificate

Hi,

I have created a root cert with openssl and a device cert and key signed by the root cert.

I then upload the root cert to Cumulocity and try to establish proof of possession but I always fail at that step. I create the signed verification code fine and check for newlines but I always get: Cannot verify signature for certificate with fingerprint: e9a62fb7e97083b6c and tenant id: t2081875008.

Do I need to establish proof of possession or is that only needed for the bootstrap process?

I must be missing something as this is pretty straightforward. Any suggestions?

thanks

Hi Hariss,
at which process step of Device certificates - Cumulocity documentation
do you fail?

Regards
Kai

Hello,

I followed the guide closely and I get stuck here: Device certificates - Cumulocity documentation

with the above error I mentioned. As I understand it, performing proof of possession is necessary for connection to be established.

thanks

Hi harris,
have you tried again? As far as I know, one of my colleagues has activated a CA on your tenant.
Kai

Hello,

I have tried multiple times.

I create certificates based on your guide and then try to connect both with my device and with a Leshan Java client. Both error out. I am also unable to succeed in the proof of possession part.

I am not sure what exactly would be helpful for you to know regarding my setup. Please ask away.

Is there an instance where I could test my device against Cumulocity? Meaning, could you provide me with working certificates (you can send me via pm if possible) so I can reliably test my setup?

thanks

Dear Hariss,
I have enabled the new CA Feature on your partner tenant and created a Root CA. This way there is no proof of possession possible as Cumulocity itself created it. The device can now request to receive a device certificate from the platform. I know this is an alternative process to providing the root CA from an external source but this approach is also an important scenario which is practically relevant if the customer uses the CA feature of Cumulocity.
BR,
Christian

Hello,

this is Christian from the Cumulocity Support team and I will try to solve this issue on a voluntary basis.
First some hints on “proof of possession” (PoP):
The core reason for it is that Cumulocity must be sure that the tenant which uploads a certificate actually owns the private key for that certificate.
A certificate chain also works without PoP, if no DoS scenario appears. DoS = Denial-of-Service Attack, see e.g. All You Need to Know about Denial-of-Service Attack

To your issue:
First I will check if PoP works in general in the environment you use.
Then I will check the certificates in your client.

Therefore my questions:

  1. In which tenant do you try it?
  2. For which certificate?

Kind regards,
Christian

Hi,

I would like to make it work with providing my own root CA, therefore PoP is important to get right. Here are the commands that I use to create the root and then sign the device cert as well as perform proof of possession:

haris@hak:~$ openssl genrsa -aes256 -out rootCA.key 4096
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
haris@hak:~$ openssl req -new -x509 -days 3650 -key rootCA.key -sha256 -extensions v3_ca -out rootCA.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=RootCA" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,digitalSignature,cRLSign,keyCertSign"
Enter pass phrase for rootCA.key:
haris@hak:~$ openssl genrsa -aes256 -out device.key 4096
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
haris@hak:~$ openssl req -new -key device.key -out device.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=ADS700"
Enter pass phrase for device.key:
haris@hak:~$ openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.pem -days 365 -sha256 -extfile <(echo "basicConstraints=critical,CA:FALSE
keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment")
Certificate request self-signature ok
subject=C = US, ST = State, L = City, O = Organization, OU = OrgUnit, CN = ADS700
Enter pass phrase for rootCA.key:
haris@hak:~$ cat device.pem rootCA.pem > deviceChain.pem
haris@hak:~$ openssl verify -CAfile rootCA.pem device.pem
device.pem: OK
haris@hak:~$ openssl dgst -sha256 -sign rootCA.key verification_code.txt | openssl base64 -A > signed_verification.txt
Enter pass phrase for rootCA.key:

Hope the above clears some stuff up. I am using my company’s tenant and the certificate that I create with the above.

Thanks

Hello hariss,

in the meantime I tested the proof of possession in my test tenant on eu-latest.cumulocity.com, it works.
I encrypt the verification code using the private key of the certificate to produce the signed verification code. For it I use the following OpenSSL command:

  • openssl dgst -sha256 -sign <private.key> <verification_code.txt> | openssl base64 -A
  • E.g.
    openssl dgst -sha256 -sign "G:\My Drive...\CHH2_CA\CHH2_CA.key" "C:...\CHH2_CA.txt" | openssl base64 -A

The private key file “CHH2_CA.key” should contain text like this:
-----BEGIN EC PRIVATE KEY-----
MHcC…
…aEuw==
-----END EC PRIVATE KEY-----

And the verification_code.txt is downloaded from Device Management - rootca - field “Verification code”

I have support access on your tenant and all what I see in your tenant is fine.
Please try my “openssl dgst…” command and let me know the result.
If you don’t have success, then I will try to reproduce your complete procedure.

Regards, Christian

Hello Christian,

I followed your suggestion and I get the same result:
haris@hak:~/certs$ openssl dgst -sha256 -sign rootCA.key verification_code.txt | openssl base64 -A
Enter pass phrase for rootCA.key:
R39xe5kgN4AvuAB5RSJp5KCHIOKqqFNlPm7+djaIwNFhfHSQTQ4zSSqOqyRRFkQaDFEDeBlxvtzd11/QNWLVcd2S1XLu051QV8nYxXm4o9gnepORcCnsToijKks6s4GezGJFWPcI0C5TS9FzGhnl7rfkoW+wRnjqpZpVz1nfVKcTticsamnLZG9jGYZ+Z3uLrFI3IVZYs5BakzkbMJYJpg5VMsNljFkztFS0Gn0LzBH6ki7NfaqE8cXCALM7c9s9u8eLe3eMe4LQEkCaC8vjwJt3vkGPLaUohXGBi6XE0cQTCu23VFpE3gDUDIwYtOD+W0AOs5WKK6fiTO0+

Result: Cannot verify signature for certificate with fingerprint: 6db6fcf0b1ed6463781e6cc498fffb148dea3f05 and tenant id: t2081875008.

Hello hariss,

your steps are correct.
I followed them and finished my PoP successfully.
So far I have no idea why it fails on your side.
I will discuss your issue with our R&D and come back here.

Regards, Christian


Hello hariss,

please contact me by email christian.herzog@cumulocity privately.

Regards, Christian

Here is an example procedure to create your own certificate and to complete the proof of possession:
(Environment: Windows 11 PC)

  • Create folder: "C:\certificates\CA13"
  • Open Git Bash
  • cd "C:\certificates\CA13"
  • command WSL (this starts the Windows Subsystem for Linux)
  • openssl genrsa -aes256 -out rootCA13.key
    • Enter PEM pass phrase: summer007
    • Verifying - Enter PEM pass phrase: summer007
    • Result: rootCA13.key
  • openssl req -new -x509 -days 3650 -key rootCA13.key -sha256 -extensions v3_ca -out rootCA13.pem -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=RootCA" -addext "basicConstraints=critical,CA:TRUE" -addext "keyUsage=critical,digitalSignature,cRLSign,keyCertSign"
    • Enter pass phrase for rootCA.key: summer007
    • Result: rootCA13.pem
  • openssl genrsa -aes256 -out device13.key
    • Enter PEM pass phrase: summer007
    • Verifying - Enter PEM pass phrase: summer007
    • Result: device13.key
  • openssl req -new -key device13.key -out device13.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=ADS700"
    • Enter pass phrase for device13.key: summer007
    • Result: device13.csr
  • openssl x509 -req -in device13.csr -CA rootCA13.pem -CAkey rootCA13.key -CAcreateserial -out device13.pem -days 365 -sha256 -extfile <(echo "basicConstraints=critical,CA:FALSE
    keyUsage=critical,nonRepudiation,digitalSignature,keyEncipherment")
  • Output:
    • Certificate request self-signature ok
    • subject=C = US, ST = State, L = City, O = Organization, OU = OrgUnit, CN = ADS700
  • Enter pass phrase for rootCA13.key: summer007
  • Result: device13.pem (customer: ADS700.pem)
  • cat device13.pem rootCA13.pem > deviceChain13.pem
    • Result: deviceChain13.pem
  • openssl verify -CAfile rootCA13.pem device13.pem
    • Output: device13.pem: OK
  • Open {your tenant}/apps/devicemanagement/index.html#/trusted-certificates/certificates
  • Add trusted certificate
    • Name and file "rootCA13.pem"
    • Enable "Auto registration"
    • Enable
  • Download Verification code → file name "rootCA13.pem.txt"
  • Move it to C:\certificates\CA13
  • openssl dgst -sha256 -sign rootCA13.key "rootCA13.pem.txt" | openssl base64 -A > signed_verification.txt
    • Enter pass phrase for device.key: summer007
    • File "signed_verification.txt" shows "aDNSzl***0Wr312Q=="
      Enter this into "Signed verification code" → Verify → Success
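As an added example (not from the thread and not Cumulocity's own tooling), the signing step from the procedure above wrapped in a shell script that also replays the platform's check locally: it verifies the base64 signature against the certificate's public key, which separates a key/certificate mismatch on your side from a problem on the platform side, and prints the SHA-1 fingerprint in the form the "Cannot verify signature" message reports. It assumes OpenSSL is on the PATH; all keys and the verification code are constructed throwaway values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL is on PATH; the keys
# and the verification code created below are constructed throwaway values.
set -e

# Produce the signed verification code the way the thread does: SHA-256
# signature over the verification-code file, base64 on a single line.
pop_sign() {  # $1 = private key (PEM), $2 = verification-code file
    openssl dgst -sha256 -sign "$1" "$2" | openssl base64 -A
}

# Replay the platform's check locally: verify the base64 signature against the
# certificate's public key. Exit status 0 = would verify, 1 = "Cannot verify".
pop_selfcheck() {  # $1 = certificate (PEM), $2 = verification-code file, $3 = base64 signature
    d=$(mktemp -d)
    openssl x509 -in "$1" -pubkey -noout > "$d/pub.pem"
    printf '%s' "$3" | openssl base64 -d -A > "$d/sig.bin"
    if openssl dgst -sha256 -verify "$d/pub.pem" -signature "$d/sig.bin" "$2" >/dev/null 2>&1
    then rm -rf "$d"; return 0
    else rm -rf "$d"; return 1
    fi
}

# SHA-1 fingerprint in the lower-case, colon-free form the error message uses,
# so you can confirm you are signing for the certificate the platform names.
cert_fingerprint() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# --- constructed demo material (unencrypted keys, one-day validity) ---
WORK=$(mktemp -d)
openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
openssl req -new -x509 -days 1 -key "$WORK/rootCA.key" -sha256 \
    -subj "/CN=RootCA" -out "$WORK/rootCA.pem" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # a key unrelated to the cert
printf 'constructed-verification-code-1234' > "$WORK/verification_code.txt"

GOOD=$(pop_sign "$WORK/rootCA.key" "$WORK/verification_code.txt")
BAD=$(pop_sign "$WORK/other.key" "$WORK/verification_code.txt")

pop_selfcheck "$WORK/rootCA.pem" "$WORK/verification_code.txt" "$GOOD" && echo "own key: would verify"
pop_selfcheck "$WORK/rootCA.pem" "$WORK/verification_code.txt" "$BAD" || echo "unrelated key: Cannot verify signature"
echo "fingerprint: $(cert_fingerprint "$WORK/rootCA.pem")"
```

Run the self-check with the real rootCA13.key, rootCA13.pem and the downloaded verification-code file before pasting the signed code into the UI; a local failure means the key and the uploaded certificate do not belong together.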