Register a client certificate when the client connects to Amazon IoT (just-in-time registration, JITR)
You can configure a CA certificate to enable client certificates it has signed to register with Amazon IoT automatically the first time the client connects to Amazon IoT.
To register client certificates when a client connects to Amazon IoT for the first time, you must enable the CA certificate for automatic registration and configure the client's first connection so that it presents the required certificates.
Configure a CA certificate to support automatic registration (console)
To configure a CA certificate to support automatic client certificate registration using the Amazon IoT console:
1. Sign in to the Amazon Management Console and open the Amazon IoT console.
2. In the left navigation pane, choose Secure, then choose CAs.
3. In the list of certificate authorities, find the one for which you want to enable automatic registration, and open the option menu by using the ellipsis icon.
4. On the option menu, choose Enable auto-registration.
Note
The auto-registration status is not shown in the list of certificate authorities. To see the auto-registration status of a certificate authority, you must open the Details page of the certificate authority.
Configure a CA certificate to support automatic registration (CLI)
If you have already registered your CA certificate with Amazon IoT, use the update-ca-certificate command to set the autoRegistrationStatus of the CA certificate to ENABLE:
    aws iot update-ca-certificate \
        --certificate-id caCertificateId \
        --new-auto-registration-status ENABLE
If you want to enable autoRegistrationStatus when you register the CA certificate, use the register-ca-certificate command:
    aws iot register-ca-certificate \
        --allow-auto-registration \
        --ca-certificate file://root_CA_cert_filename.pem \
        --verification-cert file://verification_cert_filename.pem
Use the describe-ca-certificate command.
Configure the first connection by a client for automatic registration
When a client attempts to connect to Amazon IoT for the first time, the client certificate signed by your CA certificate must be present on the client during the Transport Layer Security (TLS) handshake. When the client connects to Amazon IoT, use the client certificate you created in Create Amazon IoT client certificates or Create your own client certificates.
Amazon IoT recognizes the CA certificate as a registered CA certificate, registers the client certificate, and sets its status to PENDING_ACTIVATION. This means that the client certificate was automatically registered and is awaiting activation. The client certificate's state must be ACTIVE before it can be used to connect to Amazon IoT. See Activate or deactivate a client certificate for information on activating a client certificate.
Note
You can provision devices using the Amazon IoT Core just-in-time registration (JITR) feature without having to send the entire trust chain on the devices' first connection to Amazon IoT Core. Presenting the CA certificate is optional, but the device is required to send the Server Name Indication (SNI).
When Amazon IoT automatically registers a certificate, or when a client presents a certificate in the PENDING_ACTIVATION status, Amazon IoT publishes a message to the following MQTT topic:
    $aws/events/certificates/registered/caCertificateId
where caCertificateId is the ID of the CA certificate that issued the client certificate.
The message published to this topic has the following structure:
    {
        "certificateId": "certificateId",
        "caCertificateId": "caCertificateId",
        "timestamp": timestamp,
        "certificateStatus": "PENDING_ACTIVATION",
        "awsAccountId": "awsAccountId",
        "certificateRegistrationTimestamp": "certificateRegistrationTimestamp"
    }
You can create a rule that listens on this topic and performs some actions. We recommend that you create a Lambda rule that verifies that the client certificate is not on a certificate revocation list (CRL), activates the certificate, and creates and attaches a policy to the certificate. The policy determines which resources the client can access. For more information about how to create a Lambda rule that listens on the $aws/events/certificates/registered/caCertificateID topic and performs these actions, see Just-in-time registration of client certificates on Amazon IoT.
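As an added example (not code from the Amazon IoT documentation), a Lambda-style handler for the rule described above: it takes the registration message, looks up the certificate's X.509 serial in a set of revoked serials assumed to have been loaded from the CA's CRL, and either marks the certificate REVOKED or activates it and attaches a policy. SAMPLE_EVENT, POLICY_DOCUMENT, certificate_serial, handle_registration and FakeIotClient are this example's own names; describe_certificate, update_certificate, create_policy and attach_policy are the boto3 calls for the corresponding Amazon IoT API operations.

```python
import json

# Constructed sample of the message IoT publishes on
# $aws/events/certificates/registered/<caCertificateId>; IDs are placeholders.
SAMPLE_EVENT = {"certificateId": "clientCertId-PLACEHOLDER", "caCertificateId": "caCertId-PLACEHOLDER",
                "timestamp": 1700000000000, "certificateStatus": "PENDING_ACTIVATION",
                "awsAccountId": "123456789012", "certificateRegistrationTimestamp": "1700000000000"}
# Assumed minimal policy; a real one scopes topics and client IDs to the device's identity.
POLICY_DOCUMENT = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"}]}

def certificate_serial(pem):
    """Serial number of the PEM returned by DescribeCertificate (needs the 'cryptography' package).
    A CRL lists X.509 serials, not IoT certificateIds, so the serial is what must be compared."""
    from cryptography import x509
    return x509.load_pem_x509_certificate(pem.encode()).serial_number

def handle_registration(event, iot, revoked_serials, policy_name, policy_document,
                        serial_of=certificate_serial):
    """Process one registration event with a boto3 'iot' client; returns the action taken.
    In Lambda: handle_registration(event, boto3.client("iot"), crl_serials, name, POLICY_DOCUMENT)."""
    cert_id = event["certificateId"]
    if event.get("certificateStatus") != "PENDING_ACTIVATION":
        return "ignored"                     # only act on freshly auto-registered certificates
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    if serial_of(desc["certificatePem"]) in revoked_serials:
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
        return "revoked"                     # on the CRL: make sure it can never become ACTIVE
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    try:
        iot.create_policy(policyName=policy_name, policyDocument=json.dumps(policy_document))
    except iot.exceptions.ResourceAlreadyExistsException:
        pass                                 # policy left by an earlier run or a retry; reuse it
    iot.attach_policy(policyName=policy_name, target=desc["certificateArn"])
    return "activated"

class FakeIotClient:
    """Constructed stand-in for boto3.client('iot') so the flow can be exercised offline."""
    class exceptions:
        class ResourceAlreadyExistsException(Exception): pass
    def __init__(self): self.calls = []
    def describe_certificate(self, certificateId):
        return {"certificateDescription": {"certificatePem": "PEM-PLACEHOLDER",
                                           "certificateArn": "arn:PLACEHOLDER:cert/" + certificateId}}
    def update_certificate(self, certificateId, newStatus): self.calls.append(("update", newStatus))
    def create_policy(self, policyName, policyDocument): self.calls.append(("create", policyName))
    def attach_policy(self, policyName, target): self.calls.append(("attach", target))
```

The fake client only records the calls made, so the revoke and activate paths can be checked without an account; with the real client, a device whose certificate is on the CRL is left in REVOKED and never reaches the policy step.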
If any error or exception occurs during the auto-registration of the client certificates, Amazon IoT sends events or messages to your logs in CloudWatch Logs. For more information about setting up the logs for your account, see the Amazon CloudWatch documentation.