Developer Guide

X.509 Certificates and AWS IoT

Client Authentication

AWS IoT can use AWS IoT-generated certificates or certificates signed by a CA certificate for device authentication. Certificates generated by AWS IoT are long-lived (but will expire at 2049-12-31T23:59:59Z, that is at midnight GMT on December 31, 2049.) The expiry date and time for certificates signed by a CA certificate are set when the certificate is created.


We recommend that each device be given a unique certificate to enable fine-grained management including certificate revocation.

Devices must support rotation and replacement of certificates in order to ensure smooth operation as certificates expire.

To use a certificate that is not created by AWS IoT, you must register a CA certificate. All device certificates must be signed by the CA certificate you register.

You can use the AWS IoT console or CLI to perform the following operations:

  • Create and register an AWS IoT certificate.

  • Register a CA certificate.

  • Register a device certificate.

  • Activate or deactivate a device certificate.

  • Revoke a device certificate.

  • Transfer a device certificate to another AWS account.

  • List all CA certificates registered to your AWS account.

  • List all device certificates registered to your AWS account.

For more information about the CLI commands to use to perform these operations, see AWS IoT CLI Reference.

For more information about using the AWS IoT console to create certificates, see Create and Activate a Device Certificate.

Server Authentication

Server certificates allow your devices to verify that they're communicating with AWS IoT and not another server impersonating AWS IoT. Service certificates need to be copied onto your device and referenced when connecting to AWS IoT. For more information, see the AWS IoT Device SDKs. AWS IoT server certificates are signed by one of the following CA certificates:

VeriSign Endpoints (legacy)

Amazon Trust Services Endpoints (preferred)

We recommend that all customers create an Amazon Trust Services (ATS) endpoint and load these CA certificates onto their devices to avoid any issues with the widespread distrust by browsers of Symantec CAs (including VeriSign) that occurred in October 2018. For backward-compatibility reasons, we still support customers using these endpoints. Customers can create an ATS endpoint by calling the describe-endpoint API with the iot:Data-ATS endpointType. Devices operating on ATS endpoints are fully interoperable with devices operating on Symantec endpoints in the same account and do not require any reregistration.

aws iot describe-endpoint --endpoint-type iot:Data-ATS

Storing all of these certificates on your device can take up valuable memory space. If your devices implement RSA-based validation, you can omit the Amazon Root CA 3 and Amazon Root CA 4 ECC certificates. If your devices implement ECC-based certificate validation, you can omit the Amazon Root CA 1 and Amazon Root CA 2 RSA certificates.

All new AWS IoT Core regions, beginning with the May 9, 2018 launch of AWS IoT Core in the Asia Pacific (Mumbai) Region, will serve only ATS certificates.


CA certificates have an expiration date after which they cannot be used to validate a server's certificate. CA certificates might have to be replaced before their expiration date. Make sure that you can update the root CA certificates on all of your devices to ensure ongoing connectivity and to keep up-to-date with security best practices.

For a complete list of CA certificates used by AWS IoT see, Amazon Trust Services.