Managing public key certificates - AWS Snowball Edge Developer Guide

Managing public key certificates

You can securely interact with AWS services running on a Snowball Edge device or a cluster of Snowball Edge devices through the HTTPS protocol by providing a public key certificate. You can use the HTTPS protocol to interact with AWS services such as IAM, Amazon EC2, S3 adapter, Amazon S3 compatible storage on Snow Family devices, Amazon EC2 Systems Manager, and AWS STS on Snowball Edge devices. In the case of a cluster of devices, a single certificate is required and can be generated by any device in the cluster. Once a Snowball Edge device generates the certificate and you unlock the device, you can use Snowball Edge client commands to list, get, and delete the certificate.

A Snowball Edge device generates a certificate when the following events occur:

  • The Snowball Edge device or cluster is unlocked for the first time.

  • The Snowball Edge device or cluster is unlocked after deleting the certificate (using the delete-certificate command or Renew certificate in AWS OpsHub).

  • The Snowball Edge device or cluster is rebooted and unlocked after the certificate expires.

Whenever a new certificate is generated, the old certificate is no longer valid. A certificate is valid for a period of one year from the day it was generated.

You can also use AWS OpsHub for Snow Family to manage public key certificates. For more information, see Managing public key certificates using OpsHub in this guide.

Listing the certificate

Use the list-certificates command to see the Amazon Resource Names (ARNs) for the current certificate.

snowballEdge list-certificates

Example of list-certificates output

{
  "Certificates" : [
    {
      "CertificateArn" : "arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7",
      "SubjectAlternativeNames" : [ "" ]
    }
  ]
}

Getting certificates

Use the get-certificate command to see the content of the certificate based on the ARN provided. Use the list-certificates command to obtain the ARN of the certificate to use as the certificate-arn parameter.

snowballEdge get-certificate --certificate-arn arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7

Example of get-certificate output

-----BEGIN CERTIFICATE-----
Certificate
-----END CERTIFICATE-----

For information about configuring your certificate, see Specifying the S3 adapter as the AWS CLI endpoint.

Deleting certificates

Use the delete-certificate command to delete the current certificate. Use the list-certificates command to obtain the ARN of the certificate to use as the certificate-arn parameter. To generate a new certificate, reboot the Snowball Edge or each Snowball Edge in a cluster. See Rebooting the Snow Family device or use the snowballEdge reboot-device command.

snowballEdge delete-certificate --certificate-arn arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7

Example of delete-certificate output

The certificate has been deleted from your Snow device. Please reboot your Snowball Edge or Snowball Edge cluster to generate a new certificate.
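The following shell script is an added example, not code from the AWS Snowball Edge guide or the Snowball Edge client itself. It ties together the certificate lifecycle described at the top of this page (a one-year certificate that is regenerated after delete and reboot) with the list-certificates, get-certificate and delete-certificate commands shown above: it extracts the ARN from the list output, saves the PEM block from the get output as a CA bundle file, checks the expiry date, and performs the delete-and-reboot rotation. Everything beyond the commands shown on this page is an assumption: that the Snowball Edge client is already configured for the target device, that the S3 adapter endpoint is https://<device-ip>:8443, and that the AWS CLI --ca-bundle option is used to trust the device certificate. The sample outputs embedded in the script are constructed from the examples on this page so that the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the AWS Snowball Edge guide: a small shell workflow
# around the snowballEdge certificate commands shown on this page.
# Assumptions (not stated on the page): the Snowball Edge client is already
# configured for the target device; the S3 adapter endpoint is https://<device-ip>:8443;
# the AWS CLI --ca-bundle option is used to trust the device certificate.

# Constructed sample outputs, modelled on the examples on this page, for offline use.
SAMPLE_LIST_OUTPUT='{ "Certificates" : [ { "CertificateArn" : "arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7", "SubjectAlternativeNames" : [ "" ] } ] }'
SAMPLE_GET_OUTPUT='-----BEGIN CERTIFICATE-----
MIIBexampleBodyNotARealCertificate
-----END CERTIFICATE-----'

# Pull the first CertificateArn value out of list-certificates JSON read on stdin.
extract_arn() {
    sed -n 's/.*"CertificateArn" *: *"\([^"]*\)".*/\1/p' | head -n 1
}

# Keep only the PEM block from get-certificate output read on stdin.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# Succeed only if stdin holds exactly one BEGIN/END CERTIFICATE pair.
pem_block_ok() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { b++ }
         /^-----END CERTIFICATE-----$/   { e++ }
         END { exit !(b == 1 && e == 1) }'
}

# Fetch the current device certificate into a file usable as a CA bundle.
# Prints the certificate ARN on success. Usage: fetch_device_cert ./snowball-cert.pem
fetch_device_cert() {
    out=$1
    arn=$(snowballEdge list-certificates | extract_arn)
    if [ -z "$arn" ]; then
        echo "no certificate listed; unlock the device or cluster first" >&2
        return 1
    fi
    snowballEdge get-certificate --certificate-arn "$arn" | extract_pem > "$out"
    if ! pem_block_ok < "$out"; then
        echo "get-certificate output did not contain a single PEM block" >&2
        return 1
    fi
    echo "$arn"
}

# Print the certificate's notAfter date (the page says one year from generation).
# Needs openssl; returns 1 when it is not installed.
cert_not_after() {
    command -v openssl >/dev/null 2>&1 || return 1
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Rotate the device certificate: delete it, then reboot so a new one is generated
# on the next unlock (the unlock step itself is not shown on this page).
rotate_device_cert() {
    arn=$(snowballEdge list-certificates | extract_arn)
    [ -n "$arn" ] || return 1
    snowballEdge delete-certificate --certificate-arn "$arn"
    snowballEdge reboot-device
}

# Offline check of the parsing helpers against the constructed samples above.
selftest_offline() {
    arn=$(printf '%s\n' "$SAMPLE_LIST_OUTPUT" | extract_arn)
    [ "$arn" = "arn:aws:snowball-device:::certificate/78EXAMPLE516EXAMPLEf538EXAMPLEa7" ] || return 1
    printf 'banner line\n%s\ntrailing line\n' "$SAMPLE_GET_OUTPUT" | extract_pem | pem_block_ok || return 1
    ! printf 'no certificate here\n' | pem_block_ok || return 1
}

# Typical use once the device is unlocked (not run here):
#   fetch_device_cert ./snowball-cert.pem
#   cert_not_after ./snowball-cert.pem
#   aws s3 ls --endpoint-url https://<device-ip>:8443 --ca-bundle ./snowball-cert.pem
```

The PEM file written by fetch_device_cert is what you pass to the AWS CLI, the SDK, or curl as the trust anchor for the device's HTTPS endpoints; because each delete-and-reboot produces a new certificate that invalidates the old one, re-run the fetch after any rotation and before the one-year expiry so clients do not start failing certificate validation.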