TransferCertificate - Amazon IoT

TransferCertificate

Transfers the specified certificate to the specified Amazon Web Services account.

Requires permission to access the TransferCertificate action.

You can cancel the transfer until it is accepted by the recipient.

No notification is sent to the transfer destination's account. The caller is responsible for notifying the transfer target.

The certificate being transferred must not be in the ACTIVE state. You can use the UpdateCertificate action to deactivate it.

The certificate must not have any policies attached to it. You can use the DetachPolicy action to detach them.

Customer managed key behavior: When you use a customer managed key to encrypt your data and then transfer the certificate to a customer in a different account using the TransferCertificate operation, the certificates will no longer be encrypted by their customer managed key configuration. During the transfer process, certificates are encrypted using Amazon IoT Core owned keys.

While a certificate is in the PENDING_TRANSFER state, it's always protected by Amazon IoT Core owned keys, regardless of the customer managed key configuration of either the source or destination account.

Once the transfer is completed through AcceptCertificateTransfer, RejectCertificateTransfer, or CancelCertificateTransfer, the certificate will be protected by the customer managed key configuration of the account that owns the certificate after the transfer operation:

  • If the transfer is accepted: The certificate is encrypted by the target account's customer managed key configuration.

  • If the transfer is rejected or cancelled: The certificate is protected by the source account's customer managed key configuration.

Request Syntax

PATCH /transfer-certificate/certificateId?targetAwsAccount=targetAwsAccount HTTP/1.1
Content-type: application/json

{
   "transferMessage": "string"
}

URI Request Parameters

The request uses the following URI parameters.

certificateId

The ID of the certificate. (The last part of the certificate ARN contains the certificate ID.)

Length Constraints: Fixed length of 64.

Pattern: (0x)?[a-fA-F0-9]+

Required: Yes

targetAwsAccount

The Amazon Web Services account.

Length Constraints: Fixed length of 12.

Pattern: [0-9]+

Required: Yes

Request Body

The request accepts the following data in JSON format.

transferMessage

The transfer message.

Type: String

Length Constraints: Maximum length of 128.

Pattern: [\s\S]*

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "transferredCertificateArn": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

transferredCertificateArn

The ARN of the certificate.

Type: String
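
The following Python example is added here and is not part of the AWS documentation. It checks the request constraints listed above, deactivates the certificate and detaches its policies as the prerequisites require, and only then calls TransferCertificate. It assumes iot is a boto3 IoT client created with boto3.client("iot"); the function names validate_request, attached_policies and transfer_certificate are hypothetical.

```python
import re

# Patterns and lengths as given in the parameter descriptions above.
CERT_ID = re.compile(r"(0x)?[a-fA-F0-9]+")
ACCOUNT = re.compile(r"[0-9]+")

def validate_request(certificate_id, target_account, message=None):
    """Return the list of constraint violations (empty if the request is well formed)."""
    problems = []
    if len(certificate_id) != 64 or not CERT_ID.fullmatch(certificate_id):
        problems.append("certificateId must be 64 characters matching (0x)?[a-fA-F0-9]+")
    if len(target_account) != 12 or not ACCOUNT.fullmatch(target_account):
        problems.append("targetAwsAccount must be exactly 12 digits")
    if message is not None and len(message) > 128:
        problems.append("transferMessage exceeds 128 characters")
    return problems

def attached_policies(iot, cert_arn):
    """Collect every policy name attached to the certificate, following pagination."""
    names, marker = [], None
    while True:
        kwargs = {"target": cert_arn}
        if marker:
            kwargs["marker"] = marker
        page = iot.list_attached_policies(**kwargs)
        names += [p["policyName"] for p in page.get("policies", [])]
        marker = page.get("nextMarker")
        if not marker:
            return names

def transfer_certificate(iot, certificate_id, target_account, message=None):
    """Validate, clear the blocking conditions, transfer, and return the certificate ARN."""
    problems = validate_request(certificate_id, target_account, message)
    if problems:
        raise ValueError("; ".join(problems))  # fail locally, before any API call
    desc = iot.describe_certificate(certificateId=certificate_id)["certificateDescription"]
    arn = desc["certificateArn"]
    if desc["status"] == "ACTIVE":  # an ACTIVE certificate cannot be transferred
        iot.update_certificate(certificateId=certificate_id, newStatus="INACTIVE")
    for name in attached_policies(iot, arn):  # no policies may remain attached
        iot.detach_policy(policyName=name, target=arn)
    kwargs = {"certificateId": certificate_id, "targetAwsAccount": target_account}
    if message is not None:
        kwargs["transferMessage"] = message
    return iot.transfer_certificate(**kwargs)["transferredCertificateArn"]
```

No notification reaches the destination account, so the returned ARN is what the caller passes on to the recipient.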

Errors

CertificateStateException

The certificate operation is not allowed.

HTTP Status Code: 406

InternalFailureException

An unexpected error has occurred.

HTTP Status Code: 500

InvalidRequestException

The request is not valid.

HTTP Status Code: 400

ResourceNotFoundException

The specified resource does not exist.

HTTP Status Code: 404

ServiceUnavailableException

The service is temporarily unavailable.

HTTP Status Code: 503

ThrottlingException

The rate exceeds the limit.

HTTP Status Code: 400

TransferConflictException

You can't transfer the certificate because authorization policies are still attached.

HTTP Status Code: 409

UnauthorizedException

You are not authorized to perform this operation.

HTTP Status Code: 401
