Deactivate a CA certificate
When a certificate authority (CA) certificate is enabled for automatic client certificate registration, Amazon IoT checks the CA certificate used to sign the client certificate to make sure the CA is ACTIVE. If the CA certificate is INACTIVE, Amazon IoT doesn't allow the client certificate to be registered.
By setting the CA certificate as INACTIVE, you prevent any new client certificates issued by the CA from being registered automatically.
Any registered client certificates that were signed by the compromised CA certificate continue to work until you explicitly revoke each one of them.
Deactivate a CA certificate (console)
To deactivate a CA certificate using the Amazon IoT console
- Sign in to the Amazon Management Console and open the Amazon IoT console.
- In the left navigation pane, choose Secure, then choose CAs.
- In the list of certificate authorities, find the one that you want to deactivate, and open the option menu by using the ellipsis icon.
- On the option menu, choose Deactivate.
The certificate authority should show as Inactive in the list.
The Amazon IoT console does not provide a way to list the certificates that were signed by the CA you deactivated. For an Amazon CLI option to list those certificates, see Deactivate a CA certificate (CLI).
Deactivate a CA certificate (CLI)
The Amazon CLI provides the update-ca-certificate
aws iot update-ca-certificate \
    --certificate-id certificateId \
    --new-status INACTIVE
Use the list-certificates-by-ca
Use the describe-ca-certificate
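The two CLI commands named above, describe-ca-certificate and list-certificates-by-ca, are the ones a defender uses after deactivation to confirm the CA really is INACTIVE and to find the client certificates it signed that are still ACTIVE (and so still need to be revoked one by one). The following is an added example, not code from the Amazon IoT documentation. It does not call AWS itself; it consumes JSON already saved from those two commands, walks the paginated list output by following nextToken, and emits the update-certificate commands for the remaining active certificates. The response field names follow the AWS CLI output as I know it, the helper names (ca_is_inactive, still_active, revoke_commands, sample_fetch_page) are my own, and all certificate IDs and sample data are constructed placeholders.

```python
"""Post-deactivation audit for an Amazon IoT CA certificate (added example).

Input is the parsed JSON of:
    aws iot describe-ca-certificate --certificate-id <caCertificateId>
    aws iot list-certificates-by-ca --ca-certificate-id <caCertificateId>
Field names follow the AWS CLI response shapes as understood by the author;
sample data below is constructed, not real account output.
"""
from typing import Callable, Dict, Iterator, List, Optional

Page = Dict[str, object]


def ca_is_inactive(describe_output: Dict[str, object]) -> bool:
    """True when describe-ca-certificate reports the CA status as INACTIVE."""
    desc = describe_output["certificateDescription"]
    return desc.get("status") == "INACTIVE"


def iter_certificates(fetch_page: Callable[[Optional[str]], Page]) -> Iterator[Dict[str, str]]:
    """Yield every entry of list-certificates-by-ca across all pages.

    fetch_page(next_token) returns one parsed page; the loop follows the
    nextToken field until the service stops returning one. Stopping after
    the first page would silently miss certificates on later pages.
    """
    token: Optional[str] = None
    while True:
        page = fetch_page(token)
        yield from page.get("certificates", [])
        token = page.get("nextToken")
        if not token:
            return


def still_active(fetch_page: Callable[[Optional[str]], Page]) -> List[str]:
    """IDs of client certificates signed by the CA that are still ACTIVE.

    Deactivating the CA only blocks new auto-registrations; certificates
    already registered keep working until each one is revoked.
    """
    return [
        cert["certificateId"]
        for cert in iter_certificates(fetch_page)
        if cert.get("status") == "ACTIVE"
    ]


def revoke_commands(cert_ids: List[str]) -> List[str]:
    """AWS CLI command lines that revoke each listed client certificate."""
    return [
        f"aws iot update-certificate --certificate-id {cid} --new-status REVOKED"
        for cid in cert_ids
    ]


# --- Constructed sample data (placeholders, not real AWS output) -----------
SAMPLE_DESCRIBE: Dict[str, object] = {
    "certificateDescription": {
        "certificateId": "CA_CERTIFICATE_ID_PLACEHOLDER",
        "status": "INACTIVE",
        "autoRegistrationStatus": "ENABLE",
    }
}

# Two pages keyed by the nextToken that fetches them; None is the first page.
SAMPLE_PAGES: Dict[Optional[str], Page] = {
    None: {
        "certificates": [
            {"certificateId": "client-0001", "status": "ACTIVE"},
            {"certificateId": "client-0002", "status": "REVOKED"},
        ],
        "nextToken": "page2",
    },
    "page2": {
        "certificates": [
            {"certificateId": "client-0003", "status": "ACTIVE"},
        ],
    },
}


def sample_fetch_page(token: Optional[str]) -> Page:
    """Stand-in for calling list-certificates-by-ca with --next-token."""
    return SAMPLE_PAGES[token]


if __name__ == "__main__":
    print("CA inactive:", ca_is_inactive(SAMPLE_DESCRIBE))
    active = still_active(sample_fetch_page)
    print("Still active client certificates:", active)
    for cmd in revoke_commands(active):
        print(cmd)
```

In practice, replace sample_fetch_page with a function that runs list-certificates-by-ca (passing --next-token when one was returned) and feeds the parsed JSON in; the pagination and filtering logic stays the same.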