CA certificate expiring

A CA certificate is expiring within 30 days or has expired.

This check appears as CA_CERTIFICATE_EXPIRING_CHECK in the CLI and API.

Severity: Medium

Details

This check applies to CA certificates that are ACTIVE or PENDING_TRANSFER.

The following reason codes are returned when this check finds a noncompliant CA certificate:

An expired CA certificate should not be used to sign new device certificates.

Consult your security best practices for how to proceed. You might want to:

Register a new CA certificate with AWS IoT.
Verify that you are able to sign device certificates using the new CA certificate.
Use UpdateCACertificate to mark the old CA certificate as INACTIVE in AWS IoT. You can also use mitigation actions to do the following:
- Apply the UPDATE_CA_CERTIFICATE mitigation action on your audit findings to make this change.
- Apply the PUBLISH_FINDINGS_TO_SNS mitigation action if you want to implement a custom response in response to the Amazon SNS message.
For more information, see Mitigation actions.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Role alias allows access to unused services

Conflicting MQTT client IDs