Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Register a client certificate when the client connects to Amazon IoT just-in-time registration (JITR)

You can configure a CA certificate to enable client certificates it has signed to register with Amazon IoT automatically the first time the client connects to Amazon IoT.

To register client certificates when a client connects to Amazon IoT for the first time, you must enable the CA certificate for automatic registration and configure the first connection by the client to provide the required certificates.

Configure a CA certificate to support automatic registration (console)

Configure a CA certificate to support automatic registration (CLI)

If you have already registered your CA certificate with Amazon IoT, use the update-ca-certificate command to set autoRegistrationStatus of the CA certificate to ENABLE.

aws iot update-ca-certificate \
--certificate-id caCertificateId \
--new-auto-registration-status ENABLE

If you want to enable autoRegistrationStatus when you register the CA certificate, use the register-ca-certificate command.

aws iot register-ca-certificate \
--allow-auto-registration  \
--ca-certificate file://root_CA_cert_filename.pem \
--verification-cert file://verification_cert_filename.pem

Use the describe-ca-certificate command to see the status of the CA certificate.

Configure the first connection by a client for automatic registration

When a client attempts to connect to Amazon IoT for the first time, the client certificate signed by your CA certificate must be present on the client during the Transport Layer Security (TLS) handshake.

When the client connects to Amazon IoT, use the client certificate you created in Create Amazon IoT client certificates or Create your own client certificates. Amazon IoT recognizes the CA certificate as a registered CA certificate, registers the client certificate, and sets its status to PENDING_ACTIVATION. This means that the client certificate was automatically registered and is awaiting activation. The client certificate's state must be ACTIVE before it can be used to connect to Amazon IoT. See Activate or deactivate a client certificate for information on activating a client certificate.

When Amazon IoT automatically registers a certificate or when a client presents a certificate in the PENDING_ACTIVATION status, Amazon IoT publishes a message to the following MQTT topic:

$aws/events/certificates/registered/caCertificateId

Where caCertificateId is the ID of the CA certificate that issued the client certificate.

The message published to this topic has the following structure:

{
        "certificateId": "certificateId",
        "caCertificateId": "caCertificateId",
        "timestamp": timestamp,
        "certificateStatus": "PENDING_ACTIVATION",
        "awsAccountId": "awsAccountId",
        "certificateRegistrationTimestamp": "certificateRegistrationTimestamp"
}

You can create a rule that listens on this topic and performs some actions. We recommend that you create a Lambda rule that verifies the client certificate is not on a certificate revocation list (CRL), activates the certificate, and creates and attaches a policy to the certificate. The policy determines which resources the client can access. For more information about how to create a Lambda rule that listens on the $aws/events/certificates/registered/caCertificateID topic and performs these actions, see just-in-time registration of Client Certificates on Amazon IoT.

If any error or exception occurs during the auto-registration of the client certificates, Amazon IoT sends events or messages to your logs in CloudWatch Logs. For more information about setting up the logs for your account, see the Amazon CloudWatch documentation.