Code Signing for AWS IoT
Developer Guide

Obtain and Import a Code Signing Certificate

Before you can use code signing for AWS IoT, you must have or obtain a code signing certificate. Code signing certificates typically contain a Digital Signature value in the Key Usage extension and a Code Signing value in the Extended Key Usage extension.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4111 (0x100f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=Example Company, OU=Corp, CN=www.example.com/emailAddress=corp@www.example.com
        Validity
            Not Before: Nov 14 17:32:30 2017 GMT
            Not After : Nov 14 17:32:30 2018 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=Example Company, OU=corp, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:96:8f:64:1a:4d:5c:cc:e4:50:a9:19:f3:c1:
                    03:8f:1a:db:f5:15:18:65:fb:6e:3f:84:ae:02:9e:
                    a2:e1:62:40:05:10:b6:35:59:63:c7:b3:17:4a:e1:
                    12:9f:29:42:e4:2b:bb:83:db:b1:cd:42:83:0a:9f:
                    70:ca:81:6a:9b:58:1d:4e:a0:69:04:bc:0b:f4:7e:
                    34:fc:af:79:f1:31:6c:7e:a5:eb:b1:85:9e:5e:ef:
                    df:34:7c:aa:13:01:f5:cc:ee:a1:9c:d9:4d:17:e8:
                    c8:8b:d0:77:2e:80:3f:7e:41:ea:84:2f:11:22:59:
                    bd:fa:90:eb:26:ec:e7:b2:0e:9d:ce:b5:8a:a0:b9:
                    17:4c:8b:3a:b5:28:61:eb:d3:a6:ed:db:5c:26:e6:
                    7d:af:33:b6:9f:f0:9d:fb:fc:10:e0:52:cb:60:5c:
                    08:c3:33:4a:b4:8a:4e:3a:54:4e:43:3d:b9:f2:5e:
                    4e:89:95:c2:a5:df:88:a2:24:71:d3:ee:b3:ef:0b:
                    18:1d:55:54:16:ff:9b:95:6e:ae:71:d3:f2:d1:7e:
                    f2:8b:67:34:f8:11:fe:ab:8f:6b:88:c3:b9:8e:1d:
                    07:bc:62:27:45:7e:0c:a0:7b:ef:bf:26:f8:50:df:
                    ac:d8:8f:a5:ed:fe:9f:ee:20:dc:a6:33:3e:94:25:
                    ce:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                22:93:86:26:D3:1B:32:1C:79:1B:5C:E4:EB:2A:6A:DB:77:87:D7:FB
            X509v3 Authority Key Identifier:
                keyid:0D:CE:76:F2:E3:3B:93:2D:36:05:41:41:16:36:C8:82:BC:CB:F8:A0
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
         38:41:ba:c3:f0:88:97:3e:a1:0f:e3:d4:55:d6:d0:a2:4e:ac:
         da:83:67:27:49:23:88:9b:20:e1:e1:b7:55:78:3c:5a:9b:7a:
         75:ee:3a:0f:ed:20:4e:23:31:29:ac:07:91:61:f1:86:75:08:
         fa:f5:3c:4a:7b:79:3c:39:a5:45:97:10:5c:f4:a0:04:af:e8:
         5b:ca:d1:a5:ce:14:dc:14:c6:54:b1:ba:6a:2c:52:2c:2f:07:
         52:8a:a7:00:97:c7:ee:65:bb:df:36:7f:53:d0:7d:a4:6e:ba:
         bb:d2:d4:b5:25:bb:b1:0d:bd:91:10:28:e1:34:df:79:01:78:
         45:4e

We recommend that you purchase a code signing certificate from a company with a good reputation for security. Do not use a self-signed certificate for any purpose other than testing.

After you have obtained the certificate, you must import it into AWS Certificate Manager (ACM). ACM returns an Amazon Resource Name (ARN) for the certificate. You must use the ARN when you call the StartSigningJob action. For more information about importing, see Importing Certificates in the AWS Certificate Manager User Guide.
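
A pre-import check for the properties described above (Digital Signature in Key Usage, Code Signing in Extended Key Usage, a current validity period, and not self-signed), run over the text that `openssl x509 -noout -text` prints. This is an added example, not part of the AWS guide; the function names are hypothetical, and comparing issuer to subject is only a heuristic for spotting a self-signed certificate.

```python
import re
from datetime import datetime, timezone

# Constructed sample: text fields of the example certificate on this page,
# with the modulus and signature bytes left out.
SAMPLE = """\
        Issuer: C=US, ST=Washington, L=Seattle, O=Example Company, OU=Corp, CN=www.example.com/emailAddress=corp@www.example.com
        Validity
            Not Before: Nov 14 17:32:30 2017 GMT
            Not After : Nov 14 17:32:30 2018 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=Example Company, OU=corp, CN=www.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
"""

def _ext(text, name):
    # Values sit on the line after the header (which may end in "critical").
    m = re.search(r"X509v3 %s:[^\n]*\n\s*([^\n]+)" % re.escape(name), text)
    return [v.strip() for v in m.group(1).split(",")] if m else []

def _when(text, label):
    m = re.search(r"%s\s*:\s*(.+?) GMT" % label, text)
    if not m:
        return None
    t = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return t.replace(tzinfo=timezone.utc)

def check_code_signing_cert(text, now=None):
    """Return a list of problems; an empty list means the checks passed."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if "Digital Signature" not in _ext(text, "Key Usage"):
        problems.append("Key Usage lacks Digital Signature")
    if "Code Signing" not in _ext(text, "Extended Key Usage"):
        problems.append("Extended Key Usage lacks Code Signing")
    nb, na = _when(text, "Not Before"), _when(text, "Not After")
    if nb is None or na is None:
        problems.append("validity period not found")
    elif not nb <= now <= na:
        problems.append("outside validity period")
    issuer = re.search(r"Issuer: (.+)", text)
    subject = re.search(r"Subject: (.+)", text)
    if issuer and subject and issuer.group(1) == subject.group(1):
        problems.append("self-signed (issuer equals subject): testing only")
    return problems
```

The sample certificate's validity period ended in 2018, so calling `check_code_signing_cert(SAMPLE)` with the default `now` reports it as outside its validity period.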