2.2.9 Download Certificates and Core Software

It is extremely important to download the keys and certificates for client authentication now. Although certificates can be downloaded at any time, this is the only opportunity to download the private key. When using Hardware Security Integration (HSI), these keys will be overwritten. Unless you are very comfortable with HSI, it is a good idea to try out Greengrass without HSI at first. Once the Greengrass core is fully functional, you can use the Hardware Secure Element to implement HSI and add another layer of security to the Greengrass core.

These downloaded credentials are used by the AWS endpoint to authenticate the Greengrass core. TLS client authentication is the mechanism used for this validation. Make sure the downloaded archive file is protected against unauthorized copying by storing it in a secure location.

After downloading the keys and certificate, you must also download a Root CA certificate that corresponds to the AWS endpoint to which the Greengrass core talks. Press the “Choose a root CA” button and then download the correct certificate for your endpoint. In this example, the certificate is “Amazon Root CA 1”. This root CA certificate is the certificate that validates the AWS endpoint, and is not necessarily the same certificate used to sign the client certificate.

Rename “Amazon Root CA 1” to root.ca.pem.

After downloading the resource as a tar.gz file, downloading “Amazon Root CA 1” and renaming it to root.ca.pem, files similar to the ones shown below should be displayed on your host PC:

AWS IoT Greengrass core software is already included in the Microchip Linux distribution.
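Because the private key cannot be downloaded again, it is worth checking the download on the host PC before leaving the console page. The following is an added example, not part of the original document or of AWS or Microchip tooling: it confirms that the tar.gz archive contains a private key and a client certificate, checks that the root CA download is a PEM certificate, moves both into an owner-only directory and performs the rename to root.ca.pem. The function name, the working directory and the detection of keys by PEM header are assumptions of this example.

```python
import os
import shutil
import sys
import tarfile

CERT_HEADER = b"-----BEGIN CERTIFICATE-----"
KEY_MARKER = b"PRIVATE KEY-----"  # matches RSA, EC and PKCS#8 PEM headers


def check_download(archive, root_ca_download, workdir):
    """Confirm the one-time download is complete, then lock it down.

    Returns a dict naming the key and certificate members found in the
    archive and the final paths of the archive and root.ca.pem.
    """
    found = {"private_keys": [], "certificates": []}
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            # Classify by content, so no file naming scheme is assumed.
            head = tar.extractfile(member).read(64).lstrip()
            if KEY_MARKER in head:
                found["private_keys"].append(member.name)
            elif head.startswith(CERT_HEADER):
                found["certificates"].append(member.name)
    if not found["private_keys"]:
        raise ValueError("no private key in archive; it cannot be downloaded later")
    if not found["certificates"]:
        raise ValueError("no client certificate in archive")
    with open(root_ca_download, "rb") as f:
        if not f.read(64).lstrip().startswith(CERT_HEADER):
            raise ValueError("root CA download is not a PEM certificate")

    os.makedirs(workdir, exist_ok=True)
    os.chmod(workdir, 0o700)  # owner-only directory (POSIX permissions)
    found["archive"] = os.path.join(workdir, os.path.basename(archive))
    found["root_ca"] = os.path.join(workdir, "root.ca.pem")
    shutil.move(archive, found["archive"])  # leave no copy in the download folder
    shutil.move(root_ca_download, found["root_ca"])  # the rename step
    os.chmod(found["archive"], 0o600)  # the archive contains the private key
    return found


if __name__ == "__main__":
    # Usage: script.py <downloaded .tar.gz> <downloaded root CA file> <workdir>
    print(check_download(*sys.argv[1:4]))
```

The permission changes only take effect on POSIX file systems; on a Windows host, restrict access to the directory through its ACLs instead.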