Digitally signing a device public key with CA cert

Posted 2019-08-20 12:37

Question:

I'm trying to register an IoT device with Google Cloud IoT Core, and I'm having issues signing the device public key with a CA certificate installed on Google Cloud (device registry).

Following are Google's requirements:

  • CA and device certificates must be X.509v3, encoded in base64, wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  • CA certificates do not need to be self-signed ("root CA"); device certificate must be signed by a specific CA certificate at the registry level.
  • Device public keys that are not signed by the registry-level certificates are rejected by Cloud IoT Core.
  • CA and device certificates must be in PEM format.

After going through previous responses on StackOverflow and elsewhere, this is what I've tried so far (using the default config file):

Option 1

  1. openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout ca.key -out ca.crt -subj "/CN=unused"
  2. openssl req -nodes -newkey rsa:2048 -days 365 -keyout device.key -out device.csr -subj "/CN=unused"
  3. openssl x509 -req -days 365 -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device.crt

Option 2

  1. openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 -keyout ca.key -out ca.crt -subj "/CN=unused"
  2. openssl genrsa -out device.key 2048
  3. openssl req -new -days 365 -key device.key -out device.csr -subj "/CN=unused"
  4. openssl x509 -req -days 365 -in device.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out device.crt

The certificates get created just fine in both cases, but when I try to register the device with this certificate, I get an error stating that the device certificate could not be verified against the CA certificate.

What am I doing wrong while signing the device certificate? You can ignore the Cloud IoT configuration, as I've verified it works (without a CA certificate).

Many thanks!

Answer 1:

Option 1 looks correct, as mentioned here: https://cloud.google.com/iot/docs/how-tos/credentials/keys.

It sounds like you have a registry level certificate specified.

What that means is that in addition to creating the key pair like you have, you also need to register the public key with the certificate you've specified at the registry level. It's really confusing IMO and, in most cases, not necessary.

Unless you need to have one for security reasons specific to your setup, remove any registry level certificate you have, and just register the device with the created keys.

If that's not it, verify that when you're creating the device, you're specifying an RSA key with the X509 wrapper (there are options for RS256, ES256, RS256_X509, ES256_X509). I've definitely done that before, where I had it with X509 but specified RSA by accident.

Answer 2:

Thanks for the responses. I do need the registry certificate to ensure fraudulent devices are not registered. After hours of trial and error, it eventually worked when I specified a valid -subj instead of "/CN=unused". Unfortunately, the Google documentation didn't state that this might be a problem. The signing procedure was correct though.
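The following is an added example, not code from the question or from either answer, that wraps the question's Option 1 procedure in shell functions and adds the two checks a practitioner would want before uploading anything to the registry: a local `openssl verify` of device.crt against ca.crt (the same chain check the registry performs), and a comparison of the device certificate's subject and issuer. The latter is the pitfall answer 2 ran into: with "/CN=unused" on both the CA and the device, the leaf's subject equals its issuer, so a chain builder that matches issuers by name can mistake the leaf for a self-signed certificate and refuse to chain it to the CA. Whether `openssl verify` itself rejects such a chain depends on the OpenSSL version and on whether the certificates carry key identifier extensions, so the script reports that outcome rather than assuming it. It assumes a POSIX sh and an `openssl` binary on PATH; the function names, the "Example Corp" subjects and the device name are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post). Reproduces the question's
# Option 1 as functions, then checks the result the way the registry will.
# Assumes: POSIX sh, openssl on PATH. Subjects and file names are made up.
set -u

# make_chain CA_SUBJ DEVICE_SUBJ DIR
# Self-signed CA (ca.key/ca.crt), device key + CSR, and a device certificate
# signed by the CA, all written to DIR. Same steps as the question's Option 1;
# -days is dropped from the CSR step because openssl req only honours it
# together with -x509.
make_chain() {
    ca_subj=$1; dev_subj=$2; dir=$3
    mkdir -p "$dir"
    # Self-signed CA. With the default openssl.cnf this carries CA:TRUE.
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "$ca_subj" 2>/dev/null
    # Device key and certificate signing request.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/device.key" -out "$dir/device.csr" -subj "$dev_subj" 2>/dev/null
    # Sign the CSR with the CA key; device.crt is the PEM the registry expects.
    openssl x509 -req -days 365 -in "$dir/device.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/device.crt" 2>/dev/null
}

# verify_chain DIR -> prints OK or FAIL
# Does device.crt chain to ca.crt? Run this locally before registering the
# device; it is the check Cloud IoT Core reported as failing in the question.
verify_chain() {
    if openssl verify -CAfile "$1/ca.crt" "$1/device.crt" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# leaf_looks_self_issued DIR -> prints yes or no
# Compares the device certificate's subject and issuer names. When they are
# equal the leaf is indistinguishable by name from a self-signed cert, which is
# what "/CN=unused" on both CA and device produces. Distinct subjects avoid it.
leaf_looks_self_issued() {
    subj=$(openssl x509 -in "$1/device.crt" -noout -subject)
    issuer=$(openssl x509 -in "$1/device.crt" -noout -issuer)
    if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed scenarios: the question's "/CN=unused" everywhere versus
# answer 2's fix of distinct, meaningful subjects for CA and device.
demo() {
    for scenario in same distinct; do
        dir=$(mktemp -d)
        if [ "$scenario" = same ]; then
            make_chain "/CN=unused" "/CN=unused" "$dir"
        else
            make_chain "/O=Example Corp/CN=Example IoT CA" \
                       "/O=Example Corp/CN=device-0001" "$dir"
        fi
        echo "$scenario subjects: looks_self_issued=$(leaf_looks_self_issued "$dir")" \
             "openssl_verify=$(verify_chain "$dir")"
        rm -rf "$dir"
    done
}

demo
```

Run it as `sh make_chain.sh`; the "distinct" line should report `openssl_verify=OK`. If the "same" line reports FAIL on your OpenSSL, you have reproduced locally the error the registry returned, without needing a Cloud IoT round trip.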