Developer Guide

Just-in-Time Provisioning

You can have your devices provisioned when they first attempt to connect to AWS IoT. Just-in-time provisioning (JITP) settings are made on CA certificates. You must enable automatic registration and associate a provisioning template with the CA certificate used to sign the device certificate you are using to provision the device.

You can make these settings when registering a new CA certificate with the RegisterCACertificate API or the register-ca-certificate CLI command:

aws iot register-ca-certificate --ca-certificate <your-ca-cert> --verification-cert <your-verification-cert> --set-as-active --allow-auto-registration --registration-config <your-template>

For more information, see Registering a CA certificate.

You can also use the UpdateCACertificate API or the update-ca-certificate CLI command to update the settings for a CA certificate:

$ aws iot update-ca-certificate --cert-id <caCertificateId> --new-auto-registration-status ENABLE --registration-config <your-template>

When a device attempts to connect to AWS IoT by using a certificate signed by a registered CA certificate, AWS IoT loads the template from the CA certificate and calls RegisterThing using the template.

AWS IoT defines the following parameters that you can declare and reference within provisioning templates:

  • AWS::IoT::Certificate::Country

  • AWS::IoT::Certificate::Organization

  • AWS::IoT::Certificate::OrganizationalUnit

  • AWS::IoT::Certificate::DistinguishedNameQualifier

  • AWS::IoT::Certificate::StateName

  • AWS::IoT::Certificate::CommonName

  • AWS::IoT::Certificate::SerialNumber

  • AWS::IoT::Certificate::Id

The values for these provisioning template parameters are extracted from the certificate of the device being provisioned.