Menu
AWS IoT
Developer Guide

CreateCertificateFromCsr

Creates an X.509 certificate using the specified certificate signing request.

Note: The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256 or NIST P-384 curves.

Note: Reusing the same certificate signing request (CSR) results in a distinct certificate.

You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs.

Assuming a set of CSRs are located inside of the directory my-csr-directory:

On Linux and OS X, the command is:

$ ls my-csr-directory/ | xargs -I aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/

This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr AWS CLI command to create a certificate for the corresponding CSR.

The aws iot create-certificate-from-csr part of the command can also be run in parallel to speed up the certificate creation process:

$ ls my-csr-directory/ | xargs -P 10 -I aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/

On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is:

> ls -Name my-csr-directory | % aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/$_

On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is:

> forfiles /p my-csr-directory /c "cmd /c aws iot create-certificate-from-csr --certificate-signing-request file://@path"

Request syntax:

POST /certificates?setAsActive=setAsActive Content-type: application/json { "certificateSigningRequest": "string" }

URI Request Parameters:

Name

Type

Req?

Description

setAsActive

SetAsActive

no

Specifies whether the certificate is active.

Request Body Parameters:

Name

Type

Req?

Description

certificateSigningRequest

CertificateSigningRequest

yes

The certificate signing request (CSR).

Response syntax:

Content-type: application/json { "certificateArn": "string", "certificateId": "string", "certificatePem": "string" }

Response Body Parameters:

Name

Type

Req?

Description

certificateArn

CertificateArn

no

The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.

certificateId

CertificateId

no

The ID of the certificate. Certificate management operations only take a certificateId.

certificatePem

CertificatePem

no

The certificate data, in PEM format.

Errors:

InvalidRequestException

The contents of the request were invalid. For example, this code is returned when an UpdateJobExecution request contains invalid status details. The message contains details about the error.

HTTP response code: 400

ThrottlingException

The rate exceeds the limit.

HTTP response code: 429

UnauthorizedException

You are not authorized to perform this operation.

HTTP response code: 401

ServiceUnavailableException

The service is temporarily unavailable.

HTTP response code: 503

InternalFailureException

An unexpected error has occurred.

HTTP response code: 500

CLI

Synopsis:

aws iot create-certificate-from-csr \ --certificate-signing-request <value> \ [--set-as-active | --no-set-as-active] \ [--cli-input-json <value>] \ [--generate-cli-skeleton]

cli-input-json format:

{ "certificateSigningRequest": "string", "setAsActive": "boolean" }

cli-input-json fields:

Name

Type

Description

certificateSigningRequest

string

length min:1

The certificate signing request (CSR).

setAsActive

boolean

Specifies whether the certificate is active.

Output:

{ "certificateArn": "string", "certificateId": "string", "certificatePem": "string" }

cli output fields:

Name

Type

Description

certificateArn

string

The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.

certificateId

string

length max:64 min:64

pattern: (0x)?[a-fA-F0-9]+

The ID of the certificate. Certificate management operations only take a certificateId.

certificatePem

string

length max:65536 min:1

The certificate data, in PEM format.

On this page: