Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account
6 – Manage device certificate lifecycles - IoT Lens Checklist

6 – Manage device certificate lifecycles

PDFRSS

How do you manage device certificates, including installation, validation, revocation, and rotation? To protect and encrypt data in transit from an IoT device to the cloud, most IoT broker supports TLS-based mutual authentication using X.509 certificates. Device makers must provision a unique identity, including a unique private key and X.509 certificate, into each device. Certificates are long-lived credentials and managed using a customer-owned Certificate Authority (CA), a third party CA or AWS IoT CA. Any hosted CA chosen must provide you the ability to validate, activate, deactivate, and rotate certificates.

Follow the best practices and check if your workload is well-architected.

ID Priority Best Practice
BP 6.1 Required Perform certificate lifecycle management

For more details, see the following links and information.

Need help?

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.