Server authentication - AWS IoT Core
Endpoint typesCA certificates for server authenticationServer authentication guidelines

Server authentication

When your device or other client attempts to connect to AWS IoT Core, the AWS IoT Core server will send an X.509 certificate that your device uses to authenticate the server. Authentication takes place at the TLS layer through validation of the X.509 certificate chain. This is the same method used by your browser when you visit an HTTPS URL. If you want to use certificates from your own certificate authority, see Manage your CA certificates.

When your devices or other clients establish a TLS connection to an AWS IoT Core endpoint, AWS IoT Core presents a certificate chain that the devices use to verify that they're communicating with AWS IoT Core and not another server impersonating AWS IoT Core. The chain that is presented depends on a combination of the type of endpoint the device is connecting to and the cipher suite that the client and AWS IoT Core negotiated during the TLS handshake.

Endpoint types

AWS IoT Core supports two different data endpoint types, iot:Data and iot:Data-ATS. iot:Data endpoints present a certificate signed by the VeriSign Class 3 Public Primary G5 root CA certificate. iot:Data-ATS endpoints present a server certificate signed by an Amazon Trust Services CA.

Certificates presented by ATS endpoints are cross signed by Starfield. Some TLS client implementations require validation of the root of trust and require that the Starfield CA certificates are installed in the client's trust stores.

Warning

Using a method of certificate pinning that hashes the whole certificate (including the issuer name, and so on) is not recommended because this will cause certificate verification to fail because the ATS certificates we provide are cross signed by Starfield and have a different issuer name.

Important

Use iot:Data-ATS endpoints unless your device requires Symantec or Verisign CA certificates. Symantec and Verisign certificates have been deprecated and are no longer supported by most web browsers.

You can use the describe-endpoint command to create your ATS endpoint.

aws iot describe-endpoint --endpoint-type iot:Data-ATS

The describe-endpoint command returns an endpoint in the following format.

account-specific-prefix.iot.your-region.amazonaws.com
Note

The first time describe-endpoint is called, an endpoint is created. All subsequent calls to describe-endpoint return the same endpoint.

For backward-compatibility, AWS IoT Core still supports Symantec endpoints. For more information, see How AWS IoT Core is Helping Customers Navigate the Upcoming Distrust of Symantec Certificate Authorities. Devices operating on ATS endpoints are fully interoperable with devices operating on Symantec endpoints in the same account and do not require any re-registration.

Note

To see your iot:Data-ATS endpoint in the AWS IoT Core console, choose Settings. The console displays only the iot:Data-ATS endpoint. By default, the describe-endpoint command displays the iot:Data endpoint for backward compatibility. To see the iot:Data-ATS endpoint, specify the --endpointType parameter, as in the previous example.

Creating an IotDataPlaneClient with the AWS SDK for Java

By default, the AWS SDK for Java - Version 2 creates an IotDataPlaneClient by using an iot:Data endpoint. To create a client that uses an iot:Data-ATS endpoint, you must do the following.

  • Create an iot:Data-ATS endpoint by using the DescribeEndpoint API.

  • Specify that endpoint when you create the IotDataPlaneClient.

The following example performs both of these operations.

public void setup() throws Exception {
        IotClient client = IotClient.builder().credentialsProvider(CREDENTIALS_PROVIDER_CHAIN).region(Region.US_EAST_1).build();
        String endpoint = client.describeEndpoint(r -> r.endpointType("iot:Data-ATS")).endpointAddress();
        iot = IotDataPlaneClient.builder()
                                .credentialsProvider(CREDENTIALS_PROVIDER_CHAIN)
                                .endpointOverride(URI.create("https://" + endpoint))
                                .region(Region.US_EAST_1)
                                .build();
}

CA certificates for server authentication

Depending on which type of data endpoint you are using and which cipher suite you have negotiated, AWS IoT Core server authentication certificates are signed by one of the following root CA certificates:

Amazon Trust Services Endpoints (preferred)

Note

You might need to right click these links and select Save link as... to save these certificates as files.

  • RSA 2048 bit key: Amazon Root CA 1.

  • RSA 4096 bit key: Amazon Root CA 2. Reserved for future use.

  • ECC 256 bit key: Amazon Root CA 3.

  • ECC 384 bit key: Amazon Root CA 4. Reserved for future use.

These certificates are all cross-signed by the Starfield Root CA Certificate. All new AWS IoT Core regions, beginning with the May 9, 2018 launch of AWS IoT Core in the Asia Pacific (Mumbai) Region, serve only ATS certificates.

VeriSign Endpoints (legacy)

Server authentication guidelines

There are many variables that can affect a device's ability to validate the AWS IoT Core server authentication certificate. For example, devices may be too memory constrained to hold all possible root CA certificates, or devices may implement a non-standard method of certificate validation. For these reasons we suggest following these guidelines:

Note

CA certificates have an expiration date after which they cannot be used to validate a server's certificate. CA certificates might have to be replaced before their expiration date. Make sure that you can update the root CA certificates on all of your devices or clients to help ensure ongoing connectivity and to keep up to date with security best practices.

Note

When connecting to AWS IoT Core in your device code, pass the certificate into the API you are using to connect. The API you use will vary by SDK. For more information, see the AWS IoT Core Device SDKs.