3

I use the following curl command to publish some data from an IoT Thing to AWS's IoT Core service.

```powershell
curl.exe --tlsv1.2 --cacert root-CA.pem --cert certificate.pem --key private.pem -X POST -d "$($Body)" "https://ats.iot.eu-west-1.amazonaws.com:8443/topics/example/1"
```

The command works perfectly, but I would like to leverage the features of the `Invoke-WebRequest` cmdlet. Unfortunately I cannot figure out how to rewrite the curl command, primarily because of the two certificates and key file.

What I have so far is:

```powershell
# Set TLS to use version 1.2 (required by AWS)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Make the request
Invoke-WebRequest -Method POST -UseBasicParsing -Uri "https://ats.iot.eu-west-1.amazonaws.com:8443/topics/example/1" -Certificate (Get-PfxCertificate .\certificate.pem) -Body "Some example data!" -ContentType "application/json"
```

The output of the command above is:

```
Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.
```

How can I use the Key and the Root CA cert as I am in the CURL command?

Arbiter
  • It should be possible to merge both the private key and the certificate into a single PEM file - just copy and paste both of them back to back into a new file using a text editor. Try again in PowerShell with the combined file. – Tomalak Aug 27 '19 at 16:52
  • @Tomalak I didn't know I could do that, so that answers one question, but unfortunately same error: `Invoke-WebRequest : The request was aborted: Could not create SSL/TLS secure channel.` Thanks for helping! – Arbiter Aug 27 '19 at 17:15
  • I'm not 100% positive that it works that way, that's why I posted it as a comment and not as an answer. Really hard to say without a more detailed error message. – Tomalak Aug 27 '19 at 17:22
  • Ah I see, and I agree that there's a lack of detail here, I'm not sure how to get better error data. The `-verbose` common parameter gives me no more information... – Arbiter Aug 27 '19 at 17:30
  • My first step would be to examine the result from calling `Get-PfxCertificate` on the combined file. Does it check out? Does it say it has a private key? If yes, does curl like it, instead of separate cert and key parameters (not sure if curl supports that, but there's a chance it does). – Tomalak Aug 27 '19 at 17:41

1 Answer

0

I got this working by using OpenSSL.exe to create a PFX certificate containing the Private Key and Client Certificate (following a tip from Tomalak in OP comments).

```powershell
openssl.exe pkcs12 -export -in ..\certificate.pfx -inkey ..\private.pem.key -out ..\CertificateWithKey.pfx
```

I was then able to use Invoke-WebRequest as required to communicate with AWS Services:

```powershell
Invoke-WebRequest -Method POST -UseBasicParsing -Uri $URI -Certificate (Get-PfxCertificate CertificateWithKey.pfx) -Body "{'message':'Hey hey!'}" -ContentType application/json
```

Arbiter
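The check suggested in the comments ("Does it say it has a private key?") can be scripted so that a certificate without its key is caught before the TLS handshake fails with the generic error. This is an added example, not code from the original posts; the function name `Get-VerifiedClientCertificate` is hypothetical, and the file name and endpoint are the ones shown on this page.

```powershell
# Added example: file name and endpoint reuse the values shown on this page.
$ErrorActionPreference = 'Stop'

function Get-VerifiedClientCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # Asks for the export password if the PFX was created with one.
    $cert = Get-PfxCertificate -FilePath $Path

    # A certificate object without its private key cannot be used for
    # TLS client authentication, so fail here with a readable message.
    if (-not $cert.HasPrivateKey) {
        throw "'$Path' holds no private key (subject: $($cert.Subject)). Build a PFX from the certificate and key first."
    }

    # Flag an expired or not-yet-valid certificate before the handshake.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "'$Path' is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }
    return $cert
}

# TLS 1.2, as in the question
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Uri  = 'https://ats.iot.eu-west-1.amazonaws.com:8443/topics/example/1'
$cert = Get-VerifiedClientCertificate -Path '.\CertificateWithKey.pfx'
Write-Host "Using $($cert.Subject), thumbprint $($cert.Thumbprint)"

$response = Invoke-WebRequest -Method POST -UseBasicParsing -Uri $Uri `
    -Certificate $cert -Body '{"message":"Hey hey!"}' -ContentType 'application/json'
$response.StatusCode
```

Pointing the helper at a PEM file that contains only the certificate makes it stop at the `HasPrivateKey` check instead of reaching the request.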