CreateKeysAndCertificate - AWS IoT


Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. You can also call CreateKeysAndCertificate over MQTT from a device. For more information, see Provisioning MQTT API.

Note: This is the only time AWS IoT issues the private key for this certificate, so it is important to keep it in a secure location.

Requires permission to access the CreateKeysAndCertificate action.

Request Syntax

POST /keys-and-certificate?setAsActive=setAsActive HTTP/1.1

URI Request Parameters

The request uses the following URI parameters.


setAsActive

Specifies whether the certificate is active.

Request Body

The request does not have a request body.

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "certificateArn": "string",
   "certificateId": "string",
   "certificatePem": "string",
   "keyPair": {
      "PrivateKey": "string",
      "PublicKey": "string"
   }
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


certificateArn

The ARN of the certificate.

Type: String


certificateId

The ID of the certificate. AWS IoT issues a default subject name for the certificate (for example, AWS IoT Certificate).

Type: String

Length Constraints: Fixed length of 64.

Pattern: (0x)?[a-fA-F0-9]+


certificatePem

The certificate data, in PEM format.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 65536.

Pattern: [\s\S]*


keyPair

The generated key pair.

Type: KeyPair object
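Because the private key in this response is issued only once, the caller should check the response against the constraints listed above and write the key to disk with owner-only permissions before doing anything else. The following is an added example, not part of the AWS documentation or SDKs; the function names, file naming scheme and the sample response are constructed for illustration.

```python
import os
import re

# Constraints copied from the Response Elements section above.
CERT_ID_RE = re.compile(r"(0x)?[a-fA-F0-9]+")
CERT_ID_LEN = 64
PEM_MAX = 65536

# Constructed sample response; the PEM bodies are placeholders, not real key material.
SAMPLE_RESPONSE = {
    "certificateArn": "arn:aws:iot:REGION:ACCOUNT:cert/" + "ab" * 32,
    "certificateId": "ab" * 32,
    "certificatePem": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
    "keyPair": {
        "PrivateKey": "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
        "PublicKey": "-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n",
    },
}

def validate_response(resp: dict) -> None:
    """Reject a response that does not meet the documented field constraints."""
    cert_id = resp.get("certificateId", "")
    if len(cert_id) != CERT_ID_LEN or not CERT_ID_RE.fullmatch(cert_id):
        raise ValueError("certificateId violates documented constraints")
    if not 1 <= len(resp.get("certificatePem", "")) <= PEM_MAX:
        raise ValueError("certificatePem length out of range")
    key_pair = resp.get("keyPair") or {}
    if not key_pair.get("PrivateKey") or not key_pair.get("PublicKey"):
        raise ValueError("keyPair is incomplete")

def _write_exclusive(path: str, data: str, mode: int) -> None:
    # O_EXCL refuses to overwrite an existing file, and the mode is applied at
    # creation so the key is never readable by other users, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, mode)  # set the exact mode regardless of umask
        fh.write(data)

def store_credentials(resp: dict, directory: str) -> dict:
    """Validate the response, then persist the key (0600) and certificate (0644)."""
    validate_response(resp)
    os.makedirs(directory, mode=0o700, exist_ok=True)
    # Hypothetical naming scheme: first 10 characters of the certificate ID.
    stem = os.path.join(directory, resp["certificateId"][:10])
    paths = {"key": stem + "-private.pem.key", "cert": stem + "-certificate.pem.crt"}
    _write_exclusive(paths["key"], resp["keyPair"]["PrivateKey"], 0o600)
    _write_exclusive(paths["cert"], resp["certificatePem"], 0o644)
    return paths
```

The exclusive create means a retried provisioning call cannot silently replace a key already on disk; the caller has to decide what to do with the existing file.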



An unexpected error has occurred.

HTTP Status Code: 500


The request is not valid.

HTTP Status Code: 400


The service is temporarily unavailable.

HTTP Status Code: 503


The rate exceeds the limit.

HTTP Status Code: 400


You are not authorized to perform this operation.

HTTP Status Code: 401
