Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Help with Self-Signed Certificate in Remote Attestation

Drakeley__Sara
Beginner
1,188 Views

Hello,

I have created a self-signed certificate and sent it to Intel, and received back an SPID. I am trying now to verify that remote attestation works with this certificate (using the end-to-end example), and I am getting back a "Problem with local ssl certificate" error after message 2 is created. I have also installed the self-signed certificate in my local CA bundle. In addition, I get the correct "OK" output when I verify the certificate with: openssl verify -x509_strict -purpose sslclient -CAfile /path/to/intel-selfsigned.crt /path/to/intel-selfsigned.crt

Can anybody help me, especially one who has gotten a self-signed certificate to work?

The two main questions I have regarding the certificates are:

1. Is the certificate malformed in some way? For example, should the CN (Common Name) be localhost?

2. Have I installed the self-signed certificate to the CA bundle correctly?

Thanks in advance for your help!

 

Here is my output when running the end-to-end example:

INFO  : Curl initialized successfully
INFO  : Start connecting...
INFO  : Connection established
INFO  : New accept request, starting new session
INFO  : Connection from 127.0.0.1
INFO  : Verifying certificate: /C=<redacted>/ST=<redacted>/L=<redacted>/O=<redacted>/OU=<redacted>/CN=<redacted>/emailAddress=<redacted>
INFO  : Handshake successful
INFO  : Handshake successful
INFO  : Prepare Verification request
INFO  : Serialization successful
INFO  : Verification request received
INFO  : Call MSG0 generate
INFO  : Call sgx_get_extended_epid_group_id success
INFO  : Serialization successful
INFO  : Send to client
INFO  : MSG0 received
INFO  : Received extended EPID group ID: 0
INFO  : Serialization successful
INFO  : Send to client
INFO  : MSG0 response received
INFO  : Call sgx_create_enclave success
INFO  : Enclave created, ID: <someID>
INFO  : Call enclave_init_ra success
INFO  : Sending msg1 to remote attestation service provider. Expecting msg2 back
INFO  : MSG1 generated Successfully
INFO  : Serialization successful
INFO  : Send to client
INFO  : MSG1 received
INFO  : Retrieving SigRL from IAS
INFO  : sending url: https://test-as.sgx.trustedservices.intel.com:443/attestation/sgx/v3/sigrl/<GID>;
INFO  : Curl cert file: /path/to/intel-selfsigned.crt
INFO  : curl_easy_perform() failed: Problem with the local SSL certificate
INFO  :      Response status is: 0
INFO  :      Content-Length: 0
INFO  : Error, processing MSG1 failed
INFO  : Send to client
INFO  : Remote attestation done
ERROR  : Unknown socket error while reading occured!

0 Kudos
5 Replies
Scott_R_Intel
Employee
1,188 Views

Hi Sara.

How did you create your self-signed cert?  There is a step by step here to help:  https://software.intel.com/en-us/articles/how-to-create-self-signed-certificates-for-use-with-intel-sgx-remote-attestation-using

The CN can be anything...  it does not need to be "localhost".  Also, can you clarify what you mean by "installed the self-signed certificate to the CA bundle correctly?"

Finally, can you please try a different sgx ra sample with the "verbose" option to see if it works?  https://github.com/intel/sgx-ra-sample

Regards.

Scott

 

0 Kudos
Duan__Bing
Beginner
1,188 Views

Scott R. (Intel) wrote:

Hi Sara.

How did you create your self-signed cert?  There is a step by step here to help:  https://software.intel.com/en-us/articles/how-to-create-self-signed-cert...

The CN can be anything...  it does not need to be "localhost".  Also, can you clarify what you mean by "installed the self-signed certificate to the CA bundle correctly?"

Finally, can you please try a different sgx ra sample with the "verbose" option to see if it works?  https://github.com/intel/sgx-ra-sample

Regards.

Scott

 

 

Can you provide some approach to generate an IAS cert on Ubuntu? I am testing the sgx-ra-example, but I don't know how to make ias-ra-data.

0 Kudos
bin__ch
New Contributor I
1,188 Views

How did you deal with it? I ran into the same problem when running the sgx-ra-example.

0 Kudos
Scott_R_Intel
Employee
1,188 Views

Hi all.

Though that particular article is using Windows, the exact same openssl commands can be used in Linux to create self-signed certs. The steps are summarized below. Note, I prepended openssl to each command instead of running them all in the openssl shell, but that will work also.

  1. Create the client.cnf file per that web page.
  2. openssl genrsa -out client.key 2048
  3. openssl req -key client.key -new -out client.req
  4. openssl x509 -req -days 365 -in client.req -signkey client.key -out client.crt -extfile client.cnf -extensions ssl_client
  5. openssl verify -x509_strict -purpose sslclient -CAfile client.crt client.crt

Regards.

Scott

0 Kudos
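Added example (not from the posts above or from Intel's article): steps 2-4 run unattended, followed by checks that the key matches the certificate, that the certificate carries the clientAuth extended key usage, and that it has not expired. Step 5's `openssl verify` is left out because the thread reports that its result depends on the OpenSSL version. The `client.cnf` contents, the CN value and the function names are assumptions made for this example; the article's own `client.cnf` is not reproduced in this thread.

```shell
#!/bin/sh
# make_client_cert DIR CN: writes DIR/client.key and DIR/client.crt
make_client_cert() {
    dir=$1 cn=$2
    # Constructed stand-in for the article's client.cnf (assumption).
    # [req]/[dn] exist only so `openssl req` runs without prompting.
    cat > "$dir/client.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[ssl_client]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null &&
    openssl req -config "$dir/client.cnf" -key "$dir/client.key" -new \
        -out "$dir/client.req" &&
    openssl x509 -req -days 365 -in "$dir/client.req" \
        -signkey "$dir/client.key" -out "$dir/client.crt" \
        -extfile "$dir/client.cnf" -extensions ssl_client
}

# check_client_cert CRT KEY: returns 0 if the pair is a usable client identity
#   2 = file unreadable, 3 = key/cert mismatch, 4 = no clientAuth, 5 = expired
check_client_cert() {
    crt=$1 key=$2
    # Compare the public key embedded in the cert with the one derived
    # from the private key; they must be identical.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 3
    fi
    # The ssl_client extensions must actually have been written to the cert.
    if ! openssl x509 -in "$crt" -noout -text |
            grep -q "TLS Web Client Authentication"; then
        echo "certificate lacks clientAuth extended key usage" >&2; return 4
    fi
    # -checkend 0 fails if the certificate is already past notAfter.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2; return 5
    fi
    return 0
}
```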
Mic_B_Intel
Employee
1,188 Views

FYI...

That process works with OpenSSL V1.0.2g on Ubuntu 16.04.

It does not work with OpenSSL v1.1.0h on Ubuntu 18.04. The verification fails.

0 Kudos