Using Self-Signed Certificates for Amazon Alexa Skills


If you want to implement your own Alexa Skills for your Amazon Echo and don’t intend to make them public, you can use a self-signed certificate for your web service where you host the skill.

I’ve been impressed by how many developers can’t make this work and have opted to use a Lambda function as a proxy, when creating the self-signed certificate is very easy.

If you intend to publish your skill, you’ll need to buy an SSL certificate; these steps won’t help you. You also need a real, trusted SSL certificate if you want to host audio files to be used with the Audio SSML Tag.

Create a Self-Signed Certificate using OpenSSL

Note: The following steps will be performed in a Linux host with an Apache Web Server.

First verify that you have the openssl package installed on your server. I think all Linux distributions come with this package pre-installed nowadays. If you have a Debian-based Linux distribution like Mint, Ubuntu or Debian itself, you can check with the following command:

$ dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                         Version             Architecture        Description
+++-============================-===================-===================-==============================================================
ii  openssl                      1.0.2d-3            amd64               Secure Sockets Layer toolkit - cryptographic utility

In order to create an SSL certificate that works with Amazon Alexa Skills, you first need to create a private key using the openssl tool. We’re going to store all certificates and keys under the folder /etc/ssl/alexa. Create the private key as follows:

root@kagura:/etc/ssl$ mkdir alexa
root@kagura:/etc/ssl$ cd alexa
root@kagura:/etc/ssl/alexa$ openssl genrsa -out private-key.pem 2048
Generating RSA private key, 2048 bit long modulus
...................................................+++
.....................................................................+++
e is 65537 (0x10001)

So what just happened? We created a new 2048-bit RSA key, stored in a file named private-key.pem. The longer the key, the more secure it is. If you’re wondering why it is called RSA, it’s because those are the initial letters of the last names of its creators (Ron Rivest, Adi Shamir, and Leonard Adleman).

We will now use the openssl subcommand called req, which is mainly used to create certificate requests but can also create a self-signed certificate. First, since Amazon needs the fully qualified domain name of the server hosting the skill to be included in the certificate as a Subject Alternative Name, we’re going to create a configuration file for req to make things a lot easier.

Let’s create the configuration file, saved as /etc/ssl/alexa/configuration.cnf, as follows:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
 
[req_distinguished_name]
C = US
ST = Provide your two letter state abbreviation
L = Provide the name of the city in which you are located
O = Provide a name for your organization
CN = Provide a name for the skill
 
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @subject_alternate_names
 
[subject_alternate_names]
DNS.1 = Provide your fully qualified domain name

You need to provide the state, city, organization and the name of your Amazon skill in the req_distinguished_name section. After that, provide the fully qualified domain name of your server in the subject_alternate_names section. The Subject Alternative Name is an extension defined in version 3 of the X.509 standard for public key certificates.

Your domain name must be exactly the same as the one used in your skill’s endpoint. That means that if your endpoint is https://skills.thescorpius.com/myskill, then the fully qualified domain name you provide as a Subject Alternative Name must be skills.thescorpius.com.

Here’s an example for a Skill hosted in skills.thescorpius.com:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = FL
L = Miami
O = Scorpius
CN = Scorpius Skill

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @subject_alternate_names

[subject_alternate_names]
DNS.1 = skills.thescorpius.com

Now we’re ready to create the self-signed certificate like this:

root@kagura:/etc/ssl$ cd alexa
root@kagura:/etc/ssl/alexa$ openssl req -new -x509 -days 365 -key private-key.pem -config configuration.cnf -out certificate.pem

And now we have our certificate, certificate.pem, which is valid for exactly one year (365 days) from today.

Now go to the Amazon Developer Portal, open your skill, click Edit and then SSL Certificate. Select the option “I will upload a self-signed certificate in X.509 format” and paste the contents of the certificate.pem file there.


Configuring the Self-Signed Certificate in an Apache Web Server

If you’re using an Apache Web Server to host your skill, you have to configure the newly created SSL certificate there. Locate the configuration of the virtual host where your skill is hosted and add the following lines:

SSLEngine on

SSLCertificateFile      /etc/ssl/alexa/certificate.pem
SSLCertificateKeyFile   /etc/ssl/alexa/private-key.pem

So it should look something similar to this:

<VirtualHost _default_:443>
    ServerName skills.thescorpius.com

    (...)

    SSLEngine on

    SSLCertificateFile      /etc/ssl/alexa/certificate.pem
    SSLCertificateKeyFile   /etc/ssl/alexa/private-key.pem
</VirtualHost>

Restart your Apache Web Server and your skill should start to work immediately!
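The following POSIX shell script is an added example, not code from the original post. It ties the two procedures above together: it generates the key, the req configuration and the self-signed certificate, checks that the certificate carries the hostname of the skill endpoint as an exact DNS Subject Alternative Name and that the private key belongs to the certificate, and then reads an Apache virtual host block to confirm that the files it points to pass the same checks before Apache is restarted. It assumes the openssl binary is installed and a grep that supports -A; the working directory, the endpoint URL and the vhost file are constructed sample values, and the subject fields are copied from the example configuration above.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is installed.
# Paths, hostnames and the vhost file below are constructed sample values.
set -eu

# make_alexa_cert DIR FQDN
# Writes private-key.pem, configuration.cnf and certificate.pem into DIR,
# using the post's req configuration with DNS.1 set to FQDN.
make_alexa_cert() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    cat > "$dir/configuration.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = FL
L = Miami
O = Scorpius
CN = Scorpius Skill

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @subject_alternate_names

[subject_alternate_names]
DNS.1 = $fqdn
EOF
    openssl genrsa -out "$dir/private-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/private-key.pem" \
        -config "$dir/configuration.cnf" -out "$dir/certificate.pem"
}

# endpoint_host URL
# Prints the hostname part of the skill endpoint URL; this exact value has to
# appear as the DNS Subject Alternative Name.
endpoint_host() {
    printf '%s\n' "$1" | sed -e 's#^[A-Za-z][A-Za-z0-9+.-]*://##' -e 's#[:/].*$##'
}

# cert_has_san CERT FQDN
# Succeeds only if FQDN is an exact DNS: entry in the certificate's SAN list;
# a prefix, suffix or parent-domain match is not accepted.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fqx "DNS:$2"
}

# key_matches_cert KEY CERT
# Compares the RSA modulus of both files; Apache refuses to start when the
# key and certificate do not belong together.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl md5)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl md5)
    [ "$k" = "$c" ]
}

# vhost_value FILE DIRECTIVE
# Prints the argument of the first DIRECTIVE line found in an Apache vhost file.
vhost_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" | head -n 1
}

# check_vhost FILE
# Reads ServerName, SSLCertificateFile and SSLCertificateKeyFile from the
# vhost block and verifies that both files are readable, the certificate
# carries ServerName as a DNS SAN, and the key matches the certificate.
check_vhost() {
    name=$(vhost_value "$1" ServerName)
    cert=$(vhost_value "$1" SSLCertificateFile)
    key=$(vhost_value "$1" SSLCertificateKeyFile)
    [ -n "$name" ] && [ -r "$cert" ] && [ -r "$key" ] \
        && cert_has_san "$cert" "$name" \
        && key_matches_cert "$key" "$cert"
}

# Demo with constructed sample values in a temporary directory.
demo() {
    work=$(mktemp -d)
    host=$(endpoint_host "https://skills.thescorpius.com/myskill")
    make_alexa_cert "$work" "$host"
    printf '<VirtualHost _default_:443>\n  ServerName %s\n  SSLEngine on\n  SSLCertificateFile %s/certificate.pem\n  SSLCertificateKeyFile %s/private-key.pem\n</VirtualHost>\n' \
        "$host" "$work" "$work" > "$work/vhost.conf"
    if check_vhost "$work/vhost.conf"; then
        echo "vhost OK: $host is a SAN of the certificate and the key matches"
    else
        echo "vhost check FAILED"
    fi
    rm -rf "$work"
}
demo
```

The exact-match check in cert_has_san is deliberate: a certificate issued for thescorpius.com or for a longer name will not satisfy Amazon's endpoint check for skills.thescorpius.com, so the script treats anything but an identical DNS entry as a failure. Running check_vhost against the real vhost file before restarting Apache catches the two most common mistakes with this setup, a ServerName that differs from the SAN and a key file that does not belong to the uploaded certificate.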

10 thoughts to “Using Self-Signed Certificates for Amazon Alexa Skills”

  1. Did you really test this? Because self-signed certificates are currently not working with custom skills. I don’t know why and Amazon doesn’t give any hint.

    1. Like I said in this article, it does work while the skill is in testing. If you want to publish your skill, you will need to buy a certificate. This article is for the people writing skills for their own use only.

      1. Did you really test it? Because here it’s not working. It’s clear that a pub skill requires a valid cert. With ngrok it’s also working fine.

        1. Of course I have tested it; I wouldn’t have written the article otherwise. I have several skills that I use on a daily basis. My skills are still working, so yes, this has worked fine since the first day.

          1. Strange! I followed exactly the instructions of amazon. If I post the certificate.pem in the developer form, I don’t get the green hook. It’s just gray. And if I click somewhere else and then back to the SSL tab, my cert is not listed anymore. My raspberry is behind a router with dnat. For the name I’m using a ddns.net account. It’s strange, because the skill test in the developer form works just fine.

  2. The SSL Certificate checkmark in my case is gray too, and the certificate is not shown just like in your case, but it is still working.

      1. Do we have a working example of Alexa with https??? I see the above comments and I’m not sure whether it worked or not… Martin

  3. It works for me, and I have a Smart Home Skill that works perfectly with a self-signed certificate, working for several months now.
