Deactivate a CA certificate - AWS IoT Core

Deactivate a CA certificate

When a certificate authority (CA) certificate is enabled for automatic client certificate registration, AWS IoT checks the CA certificate used to sign the client certificate to make sure the CA is ACTIVE. If the CA certificate is INACTIVE, AWS IoT doesn't allow the client certificate to be registered.

By setting the CA certificate as INACTIVE, you prevent any new client certificates issued by the CA from being registered automatically.


Any registered client certificates that were signed by the compromised CA certificate continue to work until you explicitly revoke each one of them.

Deactivate a CA certificate (console)

To deactivate a CA certificate using the AWS IoT console

  1. Sign in to the AWS Management Console and open the AWS IoT console.

  2. In the left navigation pane, choose Secure, and then choose CAs.

  3. In the list of certificate authorities, find the one that you want to deactivate, and open the option menu by using the ellipsis icon.

  4. On the option menu, choose Deactivate.

The certificate authority should show as Inactive in the list.


The AWS IoT console does not provide a way to list the certificates that were signed by the CA you deactivated. For an AWS CLI option to list those certificates, see Deactivate a CA certificate (CLI).

Deactivate a CA certificate (CLI)

The AWS CLI provides the update-ca-certificate command to deactivate a CA certificate.

aws iot update-ca-certificate \
    --certificate-id certificateId \
    --new-status INACTIVE

Use the list-certificates-by-ca command to get a list of all registered client certificates that were signed by the specified CA. For each client certificate signed by the specified CA certificate, use the update-certificate command to revoke the client certificate to prevent it from being used.

Use the describe-ca-certificate command to see the status of the CA certificate.
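The following script is an added example, not part of the original AWS page. It chains the four commands named in this section: deactivate the CA, confirm its status, list the client certificates it signed, and revoke each one. The function names are this example's own, and the CA certificate ID is supplied by the caller.

```bash
#!/usr/bin/env bash
# Added example (not AWS's own script). The CA certificate ID is supplied by the caller.

# Set the CA certificate to INACTIVE, then confirm the status AWS IoT reports.
# The body is a subshell, so variables stay local and `exit` only leaves the function.
deactivate_ca() (
    ca_id="$1"
    aws iot update-ca-certificate --certificate-id "$ca_id" \
        --new-status INACTIVE || exit 1
    status=$(aws iot describe-ca-certificate --certificate-id "$ca_id" \
        --query 'certificateDescription.status' --output text) || exit 1
    [ "$status" = "INACTIVE" ]
)

# Revoke every not-yet-revoked client certificate signed by the CA.
# Prints the number revoked; returns non-zero if listing or any revocation failed.
revoke_certs_signed_by_ca() (
    ca_id="$1"
    revoked=0
    failed=0
    ids=$(aws iot list-certificates-by-ca --ca-certificate-id "$ca_id" \
        --query "certificates[?status!='REVOKED'].certificateId" \
        --output text) || exit 1
    for id in $ids; do
        [ "$id" = "None" ] && continue   # text output for a null result
        if aws iot update-certificate --certificate-id "$id" \
            --new-status REVOKED >/dev/null; then
            revoked=$((revoked + 1))
        else
            echo "failed to revoke $id" >&2
            failed=$((failed + 1))
        fi
    done
    echo "$revoked"
    [ "$failed" -eq 0 ]
)
```

Call deactivate_ca first and then revoke_certs_signed_by_ca with the same CA certificate ID, so that no new client certificates can be registered automatically while the existing ones are being revoked.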