Device certificate expiring - AWS IoT Device Defender

Device certificate expiring

A device certificate is expiring within 30 days or has expired.

This check appears as DEVICE_CERTIFICATE_EXPIRING_CHECK in the CLI and API.

Severity: Medium

Details

This check applies to device certificates that are ACTIVE or PENDING_TRANSFER.

The following reason codes are returned when this check finds a noncompliant device certificate:

  • CERTIFICATE_APPROACHING_EXPIRATION

  • CERTIFICATE_PAST_EXPIRATION

Why it matters

A device certificate's validity period bounds how long its key is meant to be trusted, so a certificate should be replaced before it expires and should not be used after it expires. Rotating within the 30-day window this check gives you avoids a device being left with an expired credential as its only way to authenticate.

How to fix it

Consult your security best practices for how to proceed. You might want to:

  1. Provision a new certificate and attach it to the device.

  2. Verify that the new certificate is valid and the device is able to use it to connect.

  3. Use UpdateCertificate to mark the old certificate as INACTIVE in AWS IoT. Do this only after step 2 has confirmed that the device connects with the new certificate, otherwise the device is locked out. You can also use mitigation actions to:

    • Apply the UPDATE_DEVICE_CERTIFICATE mitigation action on your audit findings to make this change.

    • Apply the ADD_THINGS_TO_THING_GROUP mitigation action to add the device to a group where you can take action on it.

    • Apply the PUBLISH_FINDINGS_TO_SNS mitigation action if you want to implement a custom response that is triggered by the Amazon SNS message.

    For more information, see Mitigation actions.

  4. Detach the old certificate from the device. (See DetachThingPrincipal.)
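The four steps above, carried out in the safe order, as an added example that is not part of this page or of the AWS IoT SDK. The functions take an `iot` argument, assumed to be a boto3 AWS IoT client (the same method names `list_certificates`, `describe_certificate`, `register_certificate_without_ca`, `attach_policy`, `attach_thing_principal`, `update_certificate` and `detach_thing_principal` exist on that client), and `verify_device` is a hypothetical caller-supplied callback that reports whether the device connected with the new certificate. `classify` and `find_noncompliant` reproduce the check's own logic (30-day window, ACTIVE or PENDING_TRANSFER only, the two reason codes) so you can triage a fleet before the next audit runs. `FakeIot` and the data in `demo` are constructed so the code runs offline.

```python
"""Triage and rotation helpers for DEVICE_CERTIFICATE_EXPIRING_CHECK findings.

Added illustration, not AWS code. `iot` is a boto3 AWS IoT client or any object
with the same method names, so the logic below can be exercised offline.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=30)                  # the check's 30-day horizon
IN_SCOPE = {"ACTIVE", "PENDING_TRANSFER"}    # statuses the check applies to


def classify(not_after, now, window=WINDOW):
    """Reason code the check would report for a validity end date, or None."""
    if not_after <= now:
        return "CERTIFICATE_PAST_EXPIRATION"
    if not_after - now <= window:
        return "CERTIFICATE_APPROACHING_EXPIRATION"
    return None


def find_noncompliant(iot, now):
    """Replicate the check locally: classify every in-scope certificate."""
    findings, marker = [], None
    while True:
        kwargs = {"pageSize": 250, **({"marker": marker} if marker else {})}
        page = iot.list_certificates(**kwargs)
        for cert in page["certificates"]:
            if cert["status"] not in IN_SCOPE:
                continue
            desc = iot.describe_certificate(certificateId=cert["certificateId"])
            reason = classify(desc["certificateDescription"]["validity"]["notAfter"], now)
            if reason:
                findings.append((cert["certificateId"], reason))
        marker = page.get("nextMarker")
        if not marker:
            return findings


def rotate(iot, old_cert_id, new_cert_pem, verify_device):
    """Steps 1-4 of the fix in the safe order: the old certificate is only made
    INACTIVE and detached after the device has connected with the new one.
    verify_device(thing_name) -> bool is a caller-supplied check (hypothetical)."""
    old = iot.describe_certificate(certificateId=old_cert_id)["certificateDescription"]
    old_arn = old["certificateArn"]
    things = iot.list_principal_things(principal=old_arn)["things"]
    # Step 1: provision the new certificate, give it the same policies, attach it.
    new = iot.register_certificate_without_ca(certificatePem=new_cert_pem, status="ACTIVE")
    for pol in iot.list_attached_policies(target=old_arn)["policies"]:
        iot.attach_policy(policyName=pol["policyName"], target=new["certificateArn"])
    for thing in things:
        iot.attach_thing_principal(thingName=thing, principal=new["certificateArn"])
    # Step 2: stop here (both certificates stay usable) if the device cannot connect.
    if not all(verify_device(t) for t in things):
        return {"rotated": False, "new_certificate_id": new["certificateId"]}
    # Step 3: UpdateCertificate -> INACTIVE.  Step 4: DetachThingPrincipal.
    iot.update_certificate(certificateId=old_cert_id, newStatus="INACTIVE")
    for thing in things:
        iot.detach_thing_principal(thingName=thing, principal=old_arn)
    return {"rotated": True, "new_certificate_id": new["certificateId"]}


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed clock for the demo


class FakeIot:
    """Constructed in-memory stand-in for the boto3 client (offline demo only)."""
    def __init__(self, certs, things, policies):
        self.certs, self.things, self.policies = certs, things, policies
    def list_certificates(self, **kw):
        return {"certificates": [{"certificateId": i, "status": c["status"]}
                                 for i, c in self.certs.items()]}
    def describe_certificate(self, certificateId):
        return {"certificateDescription": self.certs[certificateId]}
    def list_principal_things(self, principal):
        return {"things": list(self.things.get(principal, []))}
    def list_attached_policies(self, target):
        return {"policies": [{"policyName": p} for p in self.policies.get(target, [])]}
    def register_certificate_without_ca(self, certificatePem, status):
        cid, arn = "new-%d" % len(self.certs), "arn:new-%d" % len(self.certs)
        self.certs[cid] = {"certificateArn": arn, "status": status,
                           "validity": {"notAfter": NOW + timedelta(days=365)}}
        return {"certificateId": cid, "certificateArn": arn}
    def attach_policy(self, policyName, target):
        self.policies.setdefault(target, []).append(policyName)
    def attach_thing_principal(self, thingName, principal):
        self.things.setdefault(principal, []).append(thingName)
    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus
    def detach_thing_principal(self, thingName, principal):
        self.things[principal].remove(thingName)


def demo(device_connects=True):
    """Scan a constructed three-certificate fleet, then rotate the expiring one."""
    iot = FakeIot(
        certs={"old": {"certificateArn": "arn:old", "status": "ACTIVE",
                       "validity": {"notAfter": NOW + timedelta(days=10)}},
               "ok": {"certificateArn": "arn:ok", "status": "ACTIVE",
                      "validity": {"notAfter": NOW + timedelta(days=200)}},
               "dead": {"certificateArn": "arn:dead", "status": "INACTIVE",  # out of scope
                        "validity": {"notAfter": NOW - timedelta(days=5)}}},
        things={"arn:old": ["sensor-01"]}, policies={"arn:old": ["SensorPolicy"]})
    findings = find_noncompliant(iot, NOW)
    result = rotate(iot, "old", "-----BEGIN CERTIFICATE-----...", lambda thing: device_connects)
    return findings, result, iot


if __name__ == "__main__":
    print(demo())
```

Against a real account, replace `FakeIot` with `boto3.client("iot")`, generate the new key pair on the device (or with CreateKeysAndCertificate if you accept AWS holding the private key briefly) so only the public certificate is registered, and have `verify_device` actually observe a successful connect, for example from the device's own telemetry, before letting `rotate` proceed to steps 3 and 4.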