Revoked CA certificate still active - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Revoked CA certificate still active

A CA certificate was revoked, but is still active in Amazon IoT.


Severity: Critical


A CA certificate is marked as revoked in the certificate revocation list maintained by the issuing authority, but is still marked as ACTIVE or PENDING_TRANSFER in Amazon IoT.

The following reason codes are returned when this check finds a noncompliant CA certificate:


Why it matters

A revoked CA certificate should no longer be used to sign device certificates. It might have been revoked because it was compromised. Newly added devices with certificates signed using this CA certificate might pose a security threat.

How to fix it

  1. Use UpdateCACertificate to mark the CA certificate as INACTIVE in Amazon IoT. You can also use mitigation actions to:

    • Apply the UPDATE_CA_CERTIFICATE mitigation action on your audit findings to make this change.

    • Apply the PUBLISH_FINDINGS_TO_SNS mitigation action to implement a custom response triggered by the Amazon SNS message.

    For more information, see Mitigation actions.

  2. Review the device certificate registration activity for the time after the CA certificate was revoked and consider revoking any device certificates that might have been issued with it during this time. You can use ListCertificatesByCA to list the device certificates signed by the CA certificate and UpdateCertificate to revoke a device certificate.
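The two steps above, carried out in code, as an added example that is not part of the Amazon IoT documentation: it deactivates the CA with UpdateCACertificate, pages through ListCertificatesByCA, flags every non-revoked device certificate created on or after the revocation time, and (when `dry_run` is turned off) revokes those with UpdateCertificate. The client is injected, so the same function runs against a real `boto3.client("iot")` or against the constructed in-memory stub included here; the certificate IDs, the revocation timestamp and the stub itself are assumptions made for the example, not real AWS identifiers.

```python
from datetime import datetime, timezone


def remediate_revoked_ca(iot, ca_certificate_id, revoked_at, dry_run=True):
    """Respond to the 'Revoked CA certificate still active' audit finding.

    `iot` is any object exposing the boto3 IoT client methods used below,
    for example boto3.client("iot"). `revoked_at` must be a timezone-aware
    datetime (boto3 returns creationDate as an aware datetime, so the
    comparison below is like-for-like). Returns a summary dict.
    """
    # Step 1 of the page: UpdateCACertificate -> INACTIVE. Existing device
    # certificates keep working; AWS IoT just stops registering new device
    # certificates signed by this CA.
    iot.update_ca_certificate(certificateId=ca_certificate_id, newStatus="INACTIVE")

    # Step 2 of the page: ListCertificatesByCA, following nextMarker until
    # the last page, and keeping the certificates issued after revocation.
    suspect, marker = [], None
    while True:
        kwargs = {"caCertificateId": ca_certificate_id, "pageSize": 250}
        if marker:
            kwargs["marker"] = marker
        page = iot.list_certificates_by_ca(**kwargs)
        for cert in page.get("certificates", []):
            if cert["status"] == "REVOKED":
                continue  # already handled, nothing to do
            if cert["creationDate"] >= revoked_at:
                suspect.append(cert["certificateId"])
        marker = page.get("nextMarker")
        if not marker:
            break

    # dry_run defaults to True so an operator can review the list first,
    # as the page advises ("consider revoking"); flip it to actually revoke.
    revoked = []
    if not dry_run:
        for cert_id in suspect:
            iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
            revoked.append(cert_id)

    return {"ca_certificate_id": ca_certificate_id,
            "suspect": suspect, "revoked": revoked}


class StubIotClient:
    """Constructed in-memory stand-in for boto3.client("iot"); not AWS code.

    Uses deliberately small pages so the pagination path is exercised.
    The marker is simply the next certificateId, which is an assumption of
    this stub, not the format AWS uses.
    """

    def __init__(self, ca_id, certs, page_size=2):
        self.ca = {"certificateId": ca_id, "status": "ACTIVE"}
        self.certs = {c["certificateId"]: dict(c) for c in certs}
        self.page_size = page_size

    def update_ca_certificate(self, certificateId, newStatus):
        assert certificateId == self.ca["certificateId"]
        self.ca["status"] = newStatus
        return {}

    def list_certificates_by_ca(self, caCertificateId, pageSize=250,
                                marker=None, ascendingOrder=False):
        ids = sorted(self.certs)
        start = ids.index(marker) if marker else 0
        chunk = ids[start:start + self.page_size]
        resp = {"certificates": [self.certs[i] for i in chunk]}
        nxt = start + self.page_size
        if nxt < len(ids):
            resp["nextMarker"] = ids[nxt]
        return resp

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus
        return {}


UTC = timezone.utc
REVOKED_AT = datetime(2024, 3, 1, 12, 0, tzinfo=UTC)  # constructed revocation time
SAMPLE_CERTS = [  # constructed sample data; IDs are placeholders
    {"certificateId": "dev-0001", "status": "ACTIVE",   "creationDate": datetime(2024, 2, 10, tzinfo=UTC)},
    {"certificateId": "dev-0002", "status": "ACTIVE",   "creationDate": datetime(2024, 3, 2, tzinfo=UTC)},
    {"certificateId": "dev-0003", "status": "INACTIVE", "creationDate": datetime(2024, 3, 5, tzinfo=UTC)},
    {"certificateId": "dev-0004", "status": "REVOKED",  "creationDate": datetime(2024, 3, 6, tzinfo=UTC)},
    {"certificateId": "dev-0005", "status": "ACTIVE",   "creationDate": datetime(2024, 2, 28, tzinfo=UTC)},
]


def build_stub():
    """Fresh stub with a placeholder CA ID and the constructed sample certs."""
    return StubIotClient("ca-placeholder-id", SAMPLE_CERTS)


if __name__ == "__main__":
    stub = build_stub()
    print(remediate_revoked_ca(stub, "ca-placeholder-id", REVOKED_AT))
    print(remediate_revoked_ca(build_stub(), "ca-placeholder-id", REVOKED_AT, dry_run=False))
```

Against a real account, replace `build_stub()` with `boto3.client("iot")` and pass the CA certificate ID from the audit finding; the creation-date cutoff is only a heuristic for "issued after revocation", so review the `suspect` list before running with `dry_run=False`.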