You are viewing the documentation for an older major version of the AWS CLI (version 1).

AWS CLI version 2, the latest major version of AWS CLI, is now stable and recommended for general use. To view this page for the AWS CLI version 2, click here. For more information see the AWS CLI version 2 installation instructions and migration guide.

[ aws . iot ]



Registers a CA certificate with Amazon Web Services IoT Core. There is no limit to the number of CA certificates you can register in your Amazon Web Services account. You can register up to 10 CA certificates with the same CA subject field per Amazon Web Services account.

Requires permission to access the RegisterCACertificate action.

See also: AWS API Documentation


--ca-certificate <value>
[--verification-certificate <value>]
[--set-as-active | --no-set-as-active]
[--allow-auto-registration | --no-allow-auto-registration]
[--registration-config <value>]
[--tags <value>]
[--certificate-mode <value>]
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]


--ca-certificate (string)

The CA certificate.

--verification-certificate (string)

The private key verification certificate. If certificateMode is SNI_ONLY , the verificationCertificate field must be empty. If certificateMode is DEFAULT or not provided, the verificationCertificate field must not be empty.

--set-as-active | --no-set-as-active (boolean)

A boolean value that specifies if the CA certificate is set to active.

Valid values: ACTIVE | INACTIVE

--allow-auto-registration | --no-allow-auto-registration (boolean)

Allows this CA certificate to be used for auto registration of device certificates.

--registration-config (structure)

Information about the registration configuration.

templateBody -> (string)

The template body.

roleArn -> (string)

The ARN of the role.

templateName -> (string)

The name of the provisioning template.

Shorthand Syntax:


JSON Syntax:

  "templateBody": "string",
  "roleArn": "string",
  "templateName": "string"

--tags (list)

Metadata which can be used to manage the CA certificate.


For URI Request parameters use format: ...key1=value1&key2=value2...

For the CLI command-line parameter use format: &&tags "key1=value1&key2=value2..."

For the cli-input-json file use format: "tags": "key1=value1&key2=value2..."


A set of key/value pairs that are used to manage the resource.

Key -> (string)

The tag's key.

Value -> (string)

The tag's value.

Shorthand Syntax:

Key=string,Value=string ...

JSON Syntax:

    "Key": "string",
    "Value": "string"

--certificate-mode (string)

Describes the certificate mode in which the Certificate Authority (CA) will be registered. If the verificationCertificate field is not provided, set certificateMode to be SNI_ONLY . If the verificationCertificate field is provided, set certificateMode to be DEFAULT . When certificateMode is not provided, it defaults to DEFAULT . All the device certificates that are registered using this CA will be registered in the same certificate mode as the CA. For more information about certificate mode for device certificates, see certificate mode .

Possible values:


--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command's default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination.

--output (string)

The formatting style for command output.

  • json
  • text
  • table

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.



To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal's quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

To register a certificate authority (CA) certificate

The following register-ca-certificate example registers a CA certificate. The command supplies the CA certificate and a key verification certificate that proves you own the private key associated with the CA certificate.

aws iot register-ca-certificate \
    --ca-certificate file://rootCA.pem \
    --verification-cert file://verificationCert.pem


    "certificateArn": "arn:aws:iot:us-west-2:123456789012:cacert/f4efed62c0142f16af278166f61962501165c4f0536295207426460058cd1467",
    "certificateId": "f4efed62c0142f16af278166f61962501165c4f0536295207426460058cd1467"

For more information, see RegisterCACertificate in the AWS IoT API Reference.


certificateArn -> (string)

The CA certificate ARN.

certificateId -> (string)

The CA certificate identifier.