(For IoT only) Obtain and import a code-signing certificate - AWS Signer

Before you can use AWS Signer with AWS IoT Device Management or Amazon FreeRTOS, you must have or obtain a code-signing certificate. Code-signing certificates typically contain a Digital Signature value in the Key Usage extension and a Code Signing value in the Extended Key Usage extension.

Note

This requirement applies only to IoT signing. It is not necessary for Lambda signing.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4111 (0x100f)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Seattle, O=Example Company, OU=Corp, CN=www.example.com/emailAddress=corp@www.example.com
        Validity
            Not Before: Nov 14 17:32:30 2017 GMT
            Not After : Nov 14 17:32:30 2018 GMT
        Subject: C=US, ST=Washington, L=Seattle, O=Example Company, OU=corp, CN=www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:96:8f:64:1a:4d:5c:cc:e4:50:a9:19:f3:c1:
                    03:8f:1a:db:f5:15:18:65:fb:6e:3f:84:ae:02:9e:
                    a2:e1:62:40:05:10:b6:35:59:63:c7:b3:17:4a:e1:
                    12:9f:29:42:e4:2b:bb:83:db:b1:cd:42:83:0a:9f:
                    70:ca:81:6a:9b:58:1d:4e:a0:69:04:bc:0b:f4:7e:
                    34:fc:af:79:f1:31:6c:7e:a5:eb:b1:85:9e:5e:ef:
                    df:34:7c:aa:13:01:f5:cc:ee:a1:9c:d9:4d:17:e8:
                    c8:8b:d0:77:2e:80:3f:7e:41:ea:84:2f:11:22:59:
                    bd:fa:90:eb:26:ec:e7:b2:0e:9d:ce:b5:8a:a0:b9:
                    17:4c:8b:3a:b5:28:61:eb:d3:a6:ed:db:5c:26:e6:
                    7d:af:33:b6:9f:f0:9d:fb:fc:10:e0:52:cb:60:5c:
                    08:c3:33:4a:b4:8a:4e:3a:54:4e:43:3d:b9:f2:5e:
                    4e:89:95:c2:a5:df:88:a2:24:71:d3:ee:b3:ef:0b:
                    18:1d:55:54:16:ff:9b:95:6e:ae:71:d3:f2:d1:7e:
                    f2:8b:67:34:f8:11:fe:ab:8f:6b:88:c3:b9:8e:1d:
                    07:bc:62:27:45:7e:0c:a0:7b:ef:bf:26:f8:50:df:
                    ac:d8:8f:a5:ed:fe:9f:ee:20:dc:a6:33:3e:94:25:
                    ce:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                22:93:86:26:D3:1B:32:1C:79:1B:5C:E4:EB:2A:6A:DB:77:87:D7:FB
            X509v3 Authority Key Identifier:
                keyid:0D:CE:76:F2:E3:3B:93:2D:36:05:41:41:16:36:C8:82:BC:CB:F8:A0
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
         38:41:ba:c3:f0:88:97:3e:a1:0f:e3:d4:55:d6:d0:a2:4e:ac:
         da:83:67:27:49:23:88:9b:20:e1:e1:b7:55:78:3c:5a:9b:7a:
         75:ee:3a:0f:ed:20:4e:23:31:29:ac:07:91:61:f1:86:75:08:
         fa:f5:3c:4a:7b:79:3c:39:a5:45:97:10:5c:f4:a0:04:af:e8:
         5b:ca:d1:a5:ce:14:dc:14:c6:54:b1:ba:6a:2c:52:2c:2f:07:
         52:8a:a7:00:97:c7:ee:65:bb:df:36:7f:53:d0:7d:a4:6e:ba:
         bb:d2:d4:b5:25:bb:b1:0d:bd:91:10:28:e1:34:df:79:01:78:
         45:4e

Important

We recommend that you purchase a code-signing certificate from a company with a good reputation for security. Do not use a self-signed certificate for any purpose other than testing.

After you have obtained the certificate, you must import it into AWS Certificate Manager (ACM). ACM returns an Amazon Resource Name (ARN) for the certificate. You must use the ARN when you call the StartSigningJob action. For more information about importing, see Importing Certificates in the AWS Certificate Manager User Guide.
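
The checks and the import step described on this page can be combined into one pre-import gate. The script below is an added example, not AWS code: it reads `openssl x509 -noout -text` output, confirms the Key Usage and Extended Key Usage values named above, rejects a certificate whose Issuer equals its Subject, and only then calls `aws acm import-certificate`. The function names, the script name, the file names passed as arguments and the sample dump are assumptions made for illustration; it assumes OpenSSL and a configured AWS CLI.

```shell
#!/bin/sh
# Pre-import gate for an IoT code-signing certificate (added example, not AWS code).

# ext_value NAME: print the line that follows the "X509v3 NAME:" header in
# `openssl x509 -noout -text` output on stdin (prints nothing if absent).
ext_value() {
  awk -v hdr="X509v3 $1:" 'found { print; exit } index($0, hdr) { found = 1 }'
}

# field NAME: print the value of the first "NAME: ..." line (Issuer, Subject).
field() {
  sed -n "s/^ *$1: *//p" | head -n 1
}

# Reads the text dump on stdin; returns 0 only if every check passes.
check_codesign_cert() (
  text=$(cat)
  rc=0
  fail() { echo "FAIL: $1" >&2; rc=1; }
  ku=$(printf '%s\n' "$text" | ext_value "Key Usage")
  eku=$(printf '%s\n' "$text" | ext_value "Extended Key Usage")
  issuer=$(printf '%s\n' "$text" | field Issuer)
  subject=$(printf '%s\n' "$text" | field Subject)
  case $ku in *"Digital Signature"*) ;; *) fail "Key Usage lacks Digital Signature" ;; esac
  case $eku in *"Code Signing"*) ;; *) fail "Extended Key Usage lacks Code Signing" ;; esac
  # Heuristic: identical Issuer and Subject means self-signed (testing only).
  [ "$issuer" != "$subject" ] || fail "Issuer equals Subject (self-signed)"
  [ "$rc" -eq 0 ]
)

# Constructed sample dump (trimmed to the fields the checks read).
SAMPLE_OK='        Issuer: C=US, O=Example Company, CN=Example Issuing CA
        Subject: C=US, O=Example Company, CN=firmware-signer
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing'

# Usage: sh check_and_import.sh cert.pem key.pem chain.pem  (placeholder names)
if [ "$#" -eq 3 ]; then
  openssl x509 -in "$1" -noout -text | check_codesign_cert || exit 1
  # Prints the certificate ARN to pass to StartSigningJob.
  aws acm import-certificate --certificate "fileb://$1" \
    --private-key "fileb://$2" --certificate-chain "fileb://$3" \
    --query CertificateArn --output text
fi
```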