API Reference (API Version 2015-05-28)


Creates an X.509 certificate using the specified certificate signing request.

Note: The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256 or NIST P-384 curves.

Note: Reusing the same certificate signing request (CSR) results in a distinct certificate.

You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs.

Assuming a set of CSRs are located inside of the directory my-csr-directory:

On Linux and OS X, the command is:

$ ls my-csr-directory/ | xargs -I {} aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/{}

This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr AWS CLI command to create a certificate for the corresponding CSR.

The aws iot create-certificate-from-csr part of the command can also be run in parallel to speed up the certificate creation process:

$ ls my-csr-directory/ | xargs -P 10 -I {} aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/{}

On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is:

> ls -Name my-csr-directory | %{aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/$_}

On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is:

> forfiles /p my-csr-directory /c "cmd /c aws iot create-certificate-from-csr --certificate-signing-request file://@path"

Request Syntax

POST /certificates?setAsActive=setAsActive HTTP/1.1 Content-type: application/json { "certificateSigningRequest": "string" }

URI Request Parameters

The request requires the following URI parameters.


Specifies whether the certificate is active.

Request Body

The request accepts the following data in JSON format.


The certificate signing request (CSR).

Type: String

Length Constraints: Minimum length of 1.

Required: Yes

Response Syntax

HTTP/1.1 200 Content-type: application/json { "certificateArn": "string", "certificateId": "string", "certificatePem": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.

Type: String


The ID of the certificate. Certificate management operations only take a certificateId.

Type: String

Length Constraints: Fixed length of 64.

Pattern: (0x)?[a-fA-F0-9]+


The certificate data, in PEM format.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 65536.



An unexpected error has occurred.

HTTP Status Code: 500


The request is not valid.

HTTP Status Code: 400


The service is temporarily unavailable.

HTTP Status Code: 503


The rate exceeds the limit.

HTTP Status Code: 429


You are not authorized to perform this operation.

HTTP Status Code: 401

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: