Developer Guide

X.509 Certificates and AWS IoT

AWS IoT can use AWS IoT-generated certificates or certificates signed by a CA certificate for device authentication. Certificates generated by AWS IoT are long-lived (but will expire at 2049-12-31T23:59:59Z, that is at midnight GMT on December 31, 2049.) The expiry date and time for certificates signed by a CA certificate are set when the certificate is created.


We recommend that each device be given a unique certificate to enable fine-grained management including certificate revocation.

Devices must support rotation and replacement of certificates in order to ensure smooth operation as certificates expire.

To use a certificate that is not created by AWS IoT, you must register a CA certificate. All device certificates must be signed by the CA certificate you register.

You can use the AWS IoT console or CLI to perform the following operations:

  • Create and register an AWS IoT certificate.

  • Register a CA certificate.

  • Register a device certificate.

  • Activate or deactivate a device certificate.

  • Revoke a device certificate.

  • Transfer a device certificate to another AWS account.

  • List all CA certificates registered to your AWS account.

  • List all device certificates registered to your AWS account.

For more information about the CLI commands to use to perform these operations, see AWS IoT CLI Reference.

For more information about using the AWS IoT console to create certificates, see Create and Activate a Device Certificate.

Server Authentication

Server certificates allow your devices to verify that they're communicating with AWS IoT and not another server impersonating AWS IoT. AWS IoT server certificates are signed by one of the following CA certificates:

In order for your devices to validate the AWS IoT server certificate we recommend installing all of the CA certificates listed above on your devices.

Storing all of these certificates on your device can take up valuable memory space. If your devices implement RSA-based validation, you can omit the Amazon Root CA 3 and Amazon Root CA 4 ECC certificates. If your devices implement ECC-based certificate validation, you can omit the Amazon Root CA 1 and Amazon Root CA 2 RSA certificates.

You will need to include the VeriSign Class 3 Public Primary G5 root CA certificate regardless of the type of certificate validation your devices use.


CA certificates have an expiration date after which they cannot be used to validate a server's certificate. CA certificates might have to be replaced before their expiration date. Make sure that you can update the root CA certificates on all of your devices to ensure ongoing connectivity and to keep up-to-date with security best practices.

Reference the CA root certificate in your device code when you connect to AWS IoT. For more information, see the AWS IoT Device SDKs.

On this page: