Deactivate a CA certificate - Amazon IoT Core

Deactivate a CA certificate

When a certificate authority (CA) certificate is enabled for automatic client certificate registration, Amazon IoT checks the CA certificate used to sign the client certificate to make sure the CA is ACTIVE. If the CA certificate is INACTIVE, Amazon IoT doesn't allow the client certificate to be registered.

By setting the CA certificate as INACTIVE, you prevent any new client certificates issued by the CA from being registered automatically.


Any registered client certificates that were signed by the compromised CA certificate continue to work until you explicitly revoke each one of them.

Deactivate a CA certificate (console)

To deactivate a CA certificate using the Amazon IoT console

  1. Sign in to the Amazon Management Console and open the Amazon IoT console.

  2. In the left navigation pane, choose Secure, and then choose CAs.

  3. In the list of certificate authorities, find the one that you want to deactivate, and open the option menu by using the ellipsis icon.

  4. On the option menu, choose Deactivate.

The certificate authority should show as Inactive in the list.


The Amazon IoT console does not provide a way to list the certificates that were signed by the CA you deactivated. For an Amazon CLI option to list those certificates, see Deactivate a CA certificate (CLI).

Deactivate a CA certificate (CLI)

The Amazon CLI provides the update-ca-certificate command to deactivate a CA certificate.

aws iot update-ca-certificate \
    --certificate-id certificateId \
    --new-status INACTIVE

Use the list-certificates-by-ca command to get a list of all registered client certificates that were signed by the specified CA. For each client certificate signed by the specified CA certificate, use the update-certificate command to revoke the client certificate to prevent it from being used.

Use the describe-ca-certificate command to see the status of the CA certificate.
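
The CLI steps above combined into one script, as an added example that is not part of the original documentation: it deactivates the CA first, confirms the status, and then revokes every client certificate the CA signed. The function names are hypothetical, and it assumes the `aws` command is configured with permission for the four `iot` operations used.

```sh
#!/bin/sh
# Added example (not AWS's code). Function names are hypothetical.
# Usage: sh revoke-by-ca.sh <caCertificateId>

# Print one certificate ID per line for each client cert signed by CA $1.
# The CLI follows nextMarker pagination for this command by default.
list_ca_signed_certs() {
    raw=$(aws iot list-certificates-by-ca --ca-certificate-id "$1" \
        --query 'certificates[].certificateId' --output text) || return 1
    # Text output is tab-separated; keep only 64-hex-digit IDs so blank
    # lines or a literal "None" never reach update-certificate.
    printf '%s\n' "$raw" | tr '\t' '\n' | grep -E '^[0-9a-fA-F]{64}$' || true
}

deactivate_ca_and_revoke() {
    ca_id=$1
    # 1. Deactivate the CA first so no new client certificates can be
    #    auto-registered while the existing ones are being revoked.
    aws iot update-ca-certificate --certificate-id "$ca_id" \
        --new-status INACTIVE >/dev/null || return 1

    # 2. Confirm the CA really is INACTIVE before going further.
    status=$(aws iot describe-ca-certificate --certificate-id "$ca_id" \
        --query 'certificateDescription.status' --output text) || return 1
    if [ "$status" != "INACTIVE" ]; then
        echo "CA $ca_id is $status, expected INACTIVE" >&2
        return 1
    fi

    # 3. Revoke every registered client certificate signed by that CA.
    ids=$(list_ca_signed_certs "$ca_id") || return 1
    revoked=0
    failed=0
    for id in $ids; do
        if aws iot update-certificate --certificate-id "$id" \
            --new-status REVOKED >/dev/null; then
            revoked=$((revoked + 1))
        else
            failed=$((failed + 1))
            echo "could not revoke $id" >&2
        fi
    done
    echo "revoked=$revoked failed=$failed"
    [ "$failed" -eq 0 ]
}

# Run only when a CA certificate ID is passed on the command line.
if [ "$#" -gt 0 ]; then
    deactivate_ca_and_revoke "$1"
fi
```

The script exits non-zero if any revocation fails, so it can be rerun until the summary line reports `failed=0`.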