Intermediate CA revoked for active device certificates check - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Intermediate CA revoked for active device certificates check

Use this check to identify all related device certificates that are still active despite revoking an intermediate CA.


Severity: Critical


The following reason codes are returned when this check finds noncompliance:


Why it matters

The intermediate CA revoked for active device certificates check assess device identity and trust, by determining if there are active device certificates in Amazon IoT Core where the intermediate issuing CAs have been revoked in the CA chain.

A revoked intermediate CA should no longer be used to sign any other CA or device certificates in CA chain. Newly added devices with certificates signed using this CA certificate after the intermediate CA is revoked will pose a security threat.

How to fix it

Review the device certificate registration activity for the time after the CA certificate was revoked. Follow your security best practices to mitigate the situation. You might want to:

  1. Provision new certificates, that are signed by a different CA, for the affected devices.

  2. Verify that the new certificates are valid, and that the devices can use them to connect.

  3. Use UpdateCertificate to mark the old certificate as REVOKED in Amazon IoT. You can also use mitigation actions to:

    • Apply the UPDATE_DEVICE_CERTIFICATE mitigation action on your audit findings to make this change.

    • Apply the ADD_THINGS_TO_THING_GROUP mitigation action to add the device to a group where you can take action on it.

    • Apply the PUBLISH_FINDINGS_TO_SNS mitigation action if you want to implement a custom response in response to the Amazon SNS message.

    • Review the device certificate registration activity for the time after the intermediate CA certificate was revoked and consider revoking any device certificates that might have been issued with it during this time. You can use ListRelatedResourcesForAuditFinding to list the device certificates signed by the CA certificate and UpdateCertificate to revoke a device certificate.

    • Detach the old certificate from the device. (See DetachThingPrincipal.)

    For more information, see Mitigation actions.