Revoked device certificate still active - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Revoked device certificate still active

A revoked device certificate is still active.


Severity: Medium


A device certificate is in its CA's certificate revocation list, but it is still active in Amazon IoT.

This check applies to device certificates that are ACTIVE or PENDING_TRANSFER.

The following reason codes are returned when this check finds noncompliance:


Why it matters

A CA usually revokes a device certificate because the certificate or the private key behind it has been compromised. Amazon IoT authenticates a connecting device by the certificate's status in its own registry, not by consulting the CA's certificate revocation list, so a certificate that the CA has revoked but that is still ACTIVE in Amazon IoT can still be used to connect and to act under whatever policies are attached to it. The status is usually left unchanged through an error or oversight: the revocation at the CA was never mirrored by an UpdateCertificate call in Amazon IoT.

How to fix it

Determine why the CA revoked the certificate and whether the certificate or the device's private key has been compromised. If it has, follow your security best practices and incident response procedures to mitigate the situation. Either way, the certificate's status in Amazon IoT should be brought in line with the CA's decision. You might want to:

  1. Provision a new certificate for the device.

  2. Verify that the new certificate is valid and the device is able to use it to connect.

  3. Use UpdateCertificate to mark the old certificate as REVOKED in Amazon IoT. You can also use mitigation actions to:

    • Apply the UPDATE_DEVICE_CERTIFICATE mitigation action on your audit findings to make this change.

    • Apply the ADD_THINGS_TO_THING_GROUP mitigation action to add the device to a group where you can take action on it.

    • Apply the PUBLISH_FINDINGS_TO_SNS mitigation action if you want to implement a custom response in response to the Amazon SNS message.

    For more information, see Mitigation actions.

  4. Detach the old certificate from the device. (See DetachThingPrincipal.)
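The four steps above carried out in order, as an added Python example that is not code from the Amazon IoT Core documentation or from Amazon. It calls the boto3 `iot` client methods for CreateKeysAndCertificate, AttachPolicy, AttachThingPrincipal, DescribeCertificate, UpdateCertificate, CancelCertificateTransfer and DetachThingPrincipal. The thing name `sensor-42`, policy name `SensorPolicy`, certificate ID `0a1b2c3d`, the `device_can_connect` callback and the in-memory `FakeIot` client are constructed so that the example runs offline; handling a PENDING_TRANSFER certificate by cancelling the transfer before revoking it is this example's assumption, not a step from the page.

```python
"""Rotate a device certificate that its CA has revoked but that Amazon IoT
still shows as ACTIVE or PENDING_TRANSFER, in the order of the steps above.
Added example, not code from the Amazon IoT Core documentation. The client
methods used are the boto3 "iot" methods for the AWS IoT APIs of the same
names; the thing name, policy name, certificate IDs and FakeIot are
constructed so it runs offline. Pass boto3.client("iot") instead of FakeIot
to run it for real.
"""
import uuid


def rotate_revoked_certificate(iot, thing_name, old_cert_id, policy_name, device_can_connect):
    """device_can_connect(new_cert) is a hypothetical callback: it delivers the
    new certificate and key to the device and returns True only once the device
    has connected with them. The old certificate is untouched until then."""
    # Step 1: provision a replacement with the old certificate's policy and
    # thing binding; setAsActive=True makes it ACTIVE immediately.
    new = iot.create_keys_and_certificate(setAsActive=True)
    iot.attach_policy(policyName=policy_name, target=new["certificateArn"])
    iot.attach_thing_principal(thingName=thing_name, principal=new["certificateArn"])

    # Step 2: verify the new certificate before retiring the old one. On
    # failure, take the unused credential out of service and keep the old one.
    if not device_can_connect(new):
        iot.detach_thing_principal(thingName=thing_name, principal=new["certificateArn"])
        iot.update_certificate(certificateId=new["certificateId"], newStatus="INACTIVE")
        raise RuntimeError("device cannot connect with the new certificate")

    # Step 3: mark the old certificate REVOKED. A PENDING_TRANSFER certificate
    # is mid-transfer to another account; cancelling the transfer first is an
    # assumption of this example, not a step from the page.
    old = iot.describe_certificate(certificateId=old_cert_id)["certificateDescription"]
    if old["status"] == "PENDING_TRANSFER":
        iot.cancel_certificate_transfer(certificateId=old_cert_id)
    iot.update_certificate(certificateId=old_cert_id, newStatus="REVOKED")

    # Step 4: detach the old certificate from the thing.
    iot.detach_thing_principal(thingName=thing_name, principal=old["certificateArn"])
    return {"old": old_cert_id, "new": new["certificateId"]}


class FakeIot:
    """Constructed in-memory stand-in for the boto3 iot client."""

    def __init__(self):
        self.certs = {}       # certificateId -> description dict
        self.principals = {}  # thingName -> set of attached certificate ARNs
        self.policies = {}    # certificate ARN -> set of policy names

    def add_certificate(self, cert_id, status):
        arn = f"arn:aws:iot:us-east-1:123456789012:cert/{cert_id}"  # constructed
        self.certs[cert_id] = {"certificateId": cert_id, "certificateArn": arn, "status": status}
        return arn

    def create_keys_and_certificate(self, setAsActive):
        cert_id = uuid.uuid4().hex
        arn = self.add_certificate(cert_id, "ACTIVE" if setAsActive else "INACTIVE")
        return {"certificateId": cert_id, "certificateArn": arn,
                "certificatePem": "(constructed)", "keyPair": {"PrivateKey": "(constructed)"}}

    def describe_certificate(self, certificateId):
        return {"certificateDescription": dict(self.certs[certificateId])}

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus

    def cancel_certificate_transfer(self, certificateId):
        self.certs[certificateId]["status"] = "INACTIVE"  # assumed post-cancel status

    def attach_policy(self, policyName, target):
        self.policies.setdefault(target, set()).add(policyName)

    def attach_thing_principal(self, thingName, principal):
        self.principals.setdefault(thingName, set()).add(principal)

    def detach_thing_principal(self, thingName, principal):
        self.principals.get(thingName, set()).discard(principal)


def run_demo(old_status="ACTIVE", device_can_connect=lambda new_cert: True):
    """One thing, one CA-revoked certificate; returns (fake client, result),
    where result is None if the rollout failed and the old cert was kept."""
    iot = FakeIot()
    old_arn = iot.add_certificate("0a1b2c3d", old_status)  # constructed ID
    iot.attach_policy(policyName="SensorPolicy", target=old_arn)
    iot.attach_thing_principal(thingName="sensor-42", principal=old_arn)
    try:
        result = rotate_revoked_certificate(iot, "sensor-42", "0a1b2c3d", "SensorPolicy", device_can_connect)
    except RuntimeError:
        result = None
    return iot, result
```

Run `run_demo()` for the happy path and `run_demo(device_can_connect=lambda c: False)` for a failed rollout. The ordering is the point: the old certificate is revoked only after the new one has been proven to work, and a failed rollout deactivates and detaches the unused new credential rather than leaving the device with nothing. Step 3 is what actually cuts off a compromised device: within a few minutes of an UpdateCertificate that moves a certificate out of ACTIVE, Amazon IoT disconnects the sessions using it.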