Intel® Software Guard Extensions (Intel® SGX)
Discussion board focused on hardware-based isolation and memory encryption to provide extended code protection in solutions.

Unable to use the registered development certificate for remote attestation of Intel SGX

yeongjin_j_
Beginner

Hi,

To test/use the remote attestation functionality, I have registered myself to Intel Trusted Services Infrastructure and sent a self-signed certificate.

After getting the response, I tried to use various methods to connect to the URL:

https://test-as.sgx.trustedservices.intel.com:443/

I tried:

1. TLSv1.2 connection using OpenSSL

2. Use web browser by setting the client certificate as the requested one

3. Clone this (https://github.com/svartkanin/linux-sgx-remoteattestation) repository and set my certificate in that code.

 

However, with all of the methods that I listed, what I keep getting is that the TLS connection cannot be established.

I have checked the PCAP during the communication and I can see that the client requests TLSv1.2; after client certificate / client key exchange / client certificate verification, the IAS server just sends FIN (disconnect).

My clue is that my self-signed certificate is not registered correctly (although from access.log on my server I can see that the Intel IAS has grabbed my certificate), but the registration service representative recommended that I post a question on this forum.

Is there anyone who suffered the same problem?

 

0 Kudos
3 Replies
Roshan_Mehta
Beginner

Did you make it work? I am facing the same problem.

0 Kudos
Hoang_N_Intel
Employee

First, you need to make sure that you are using the correct cert and key by running these two commands:

$ openssl x509 -noout -modulus -in client.crt
$ openssl rsa -noout -modulus -in client.key

They should display the same modulus info.

Then you need to display the cert to make sure that it is the cert that you have submitted to Intel:

$ openssl x509 -in client.crt -text

Finally, test the connection with the cert to see whether you can complete the SSL handshake or not:

$ openssl s_client -connect test-as.sgx.trustedservices.intel.com:443 -cert client.crt -key client.key

Please note that test-as.sgx.trustedservices.intel.com is for the DEV environment. Production has a different endpoint.
0 Kudos
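
The checks from the reply above, combined into one script as an added example (not part of the original thread and not Intel's code). It goes slightly beyond the modulus comparison by comparing the whole public key, so it also works for non-RSA keys; the function names are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: pre-flight checks on a client cert/key pair before a
# mutual-TLS test. Function names are illustrative; the key is assumed
# to be unencrypted (otherwise openssl prompts for the passphrase).

# Public key embedded in the certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key, as PEM (RSA or EC).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Succeeds only if both files parse and carry the same public key.
pair_matches() {
    c=$(cert_pubkey "$1") && k=$(key_pubkey "$2") &&
        [ -n "$c" ] && [ "$c" = "$k" ]
}

# SHA-256 fingerprint, to compare against the certificate that was submitted.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

preflight() {  # $1 = certificate, $2 = private key
    if ! pair_matches "$1" "$2"; then
        echo "FAIL: $2 is not the private key for $1" >&2
        return 1
    fi
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $1 has expired" >&2
        return 1
    fi
    echo "OK: key matches certificate"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$1")"
    openssl x509 -in "$1" -noout -subject -dates
}

# Usage: sh preflight.sh client.crt client.key [host:port]
# The handshake is attempted only when a host:port is given.
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2" || exit 1
    if [ -n "${3:-}" ]; then
        openssl s_client -connect "$3" -cert "$1" -key "$2" </dev/null
    fi
fi
```

Run the same fingerprint command on the copy of the certificate that was sent during registration; if the two values differ, the server is being offered a certificate it was never given.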
Mon__Eddie
Beginner

I have the same issue and would like to know how to address it. 

0 Kudos