Developer Guide

X.509 Certificates and AWS IoT

AWS IoT can use AWS IoT-generated certificates or certificates signed by a CA certificate for device authentication. Certificates generated by AWS IoT do not expire. The expiry date and time for certificates signed by a CA certificate are set when the certificate is created.


We recommend that each device be given a unique certificate to enable fine-grained management including certificate revocation.


Devices must support rotation and replacement of certificates in order to ensure smooth operation as certificates expire.

To use a certificate that is not created by AWS IoT, you must register a CA certificate. All device certificates must be signed by the CA certificate you register.

You can use the AWS IoT console or CLI to perform the following operations:

  • Create and register an AWS IoT certificate.

  • Register a CA certificate.

  • Register a device certificate.

  • Activate or deactivate a device certificate.

  • Revoke a device certificate.

  • Transfer a device certificate to another AWS account.

  • List all CA certificates registered to your AWS account.

  • List all device certificates registered to your AWS account.

For more information about the CLI commands to use to perform these operations, see AWS IoT CLI Reference.

For more information about using the AWS IoT console to create certificates, see Create and Activate a Device Certificate.

Server Authentication

Device certificates allow AWS IoT to authenticate devices. To make sure your device is communicating with AWS IoT and not another server impersonating AWS IoT, copy the VeriSign Class 3 Public Primary G5 root CA certificate onto your device.


This CA certificate is valid until July 2036, but the CA certificate may need to be replaced before then. You should ensure that you can update the root CA certificate on all of your devices to ensure ongoing connectivity and to keep up to date with security best practices.

Reference the CA root certificate in your device code when you connect to AWS IoT. For more information, see the AWS IoT Device SDKs.


You cannot use your own CA certificate to authenticate the AWS IoT server. You must use the VeriSign Class 3 Public Primary G5 root CA certificate.

On this page: