Register your CA certificate
These procedures describe how to register a certificate from a certificate authority (CA) that's not Amazon's CA. AWS IoT Core uses CA certificates to verify the ownership of certificates. To use device certificates signed by a CA that's not Amazon's CA, you must register the CA certificate with AWS IoT Core so that it can verify the device certificate's ownership.
Note
To register a CA certificate in the console, start in the
console at Register CA
certificate
You can register a CA certificate in DEFAULT mode
or SNI_ONLY mode. A CA can be registered in
DEFAULT mode by one AWS account in one
AWS Region. A CA can be registered in SNI_ONLY
mode by multiple AWS accounts in the same AWS Region. For
more information about CA certificate mode, see certificateMode.
Note
We recommend that you register a CA in SNI_ONLY
mode. You don't need to provide a verification certificate or
access to the private key, and you can register the CA by
multiple AWS accounts in the same AWS Region.
Register a CA certificate in SNI_ONLY mode (CLI) - Recommended
Prerequisites
Make sure you have the following available on your computer before you continue:
-
The root CA's certificate file (referenced in the following example as
root_CA_cert_filename.pem -
OpenSSL v1.1.1i
or later
To register a CA certificate in SNI_ONLY
mode using the AWS CLI
-
Register the CA certificate with AWS IoT. Using the register-ca-certificate command, enter the CA certificate file name. For more information, see register-ca-certificate
in the AWS CLI Command Reference. aws iot register-ca-certificate \ --ca-certificate file://root_CA_cert_filename.pem\ --certificate-modeSNI_ONLYIf successful, this command returns the
certificateId. -
At this point, the CA certificate has been registered with AWS IoT but is inactive. The CA certificate must be active before you can register any client certificates that it has signed.
This step activates the CA certificate.
To activate the CA certificate, use the update-certificate command as follows. For more information, see update-certificate
in the AWS CLI Command Reference. aws iot update-ca-certificate \ --certificate-idcertificateId\ --new-status ACTIVE
To see the status of the CA certificate, use the
describe-ca-certificate command. For
more information, see describe-ca-certificate
Register a CA
certificate in DEFAULT mode (CLI)
Prerequisites
Make sure you have the following available on your computer before you continue:
-
The root CA's certificate file (referenced in the following example as
root_CA_cert_filename.pem -
The root CA certificate's private key file (referenced in the following example as
root_CA_key_filename.key -
OpenSSL v1.1.1i
or later
To register a CA certificate in DEFAULT
mode using the AWS CLI
-
To get a registration code from AWS IoT, use get-registration-code. Save the returned
registrationCodeto use as theCommon Nameof the private key verification certificate. For more information, see get-registration-codein the AWS CLI Command Reference. aws iot get-registration-code -
Generate a key pair for the private key verification certificate:
openssl genrsa -outverification_cert_key_filename.key2048 -
Create a certificate signing request (CSR) for the private key verification certificate. Set the
Common Namefield of the certificate to theregistrationCodereturned by get-registration-code.openssl req -new \ -keyverification_cert_key_filename.key\ -outverification_cert_csr_filename.csrYou are prompted for some information, including the
Common Namefor the certificate.You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: State or Province Name (full name) []: Locality Name (for example, city) []: Organization Name (for example, company) []: Organizational Unit Name (for example, section) []: Common Name (e.g. server FQDN or YOUR name) []:your_registration_codeEmail Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: -
Use the CSR to create a private key verification certificate:
openssl x509 -req \ -inverification_cert_csr_filename.csr\ -CAroot_CA_cert_filename.pem\ -CAkeyroot_CA_key_filename.key\ -CAcreateserial \ -outverification_cert_filename.pem\ -days 500 -sha256 -
Register the CA certificate with AWS IoT. Pass in the CA certificate file name and the private key verification certificate file name to the register-ca-certificate command, as follows. For more information, see register-ca-certificate
in the AWS CLI Command Reference. aws iot register-ca-certificate \ --ca-certificate file://root_CA_cert_filename.pem\ --verification-cert file://verification_cert_filename.pemThis command returns the
certificateId, if successful. -
At this point, the CA certificate has been registered with AWS IoT but is not active. The CA certificate must be active before you can register any client certificates it has signed.
This step activates the CA certificate.
To activate the CA certificate, use the update-certificate command as follows. For more information, see update-certificate
in the AWS CLI Command Reference. aws iot update-ca-certificate \ --certificate-idcertificateId\ --new-status ACTIVE
To see the status of the CA certificate, use the
describe-ca-certificate command. For
more information, see describe-ca-certificate
