Create a CA certificate

If you do not have a CA certificate, you can use OpenSSL v1.1.1i tools to create one.

You can't perform this procedure in the AWS IoT console.

Generate a key pair.


openssl genrsa -out root_CA_key_filename.key 2048

Use the private key from the key pair to generate a CA certificate.


openssl req -x509 -new -nodes \
    -key root_CA_key_filename.key \
    -sha256 -days 1024 \
    -out root_CA_cert_filename.pem

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Manage your CA certificates