Create Amazon IoT client certificates - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create Amazon IoT client certificates

Amazon IoT provides client certificates that are signed by the Amazon Root certificate authority (CA).

This topic describes how to create a client certificate signed by the Amazon Root certificate authority and download the certificate files. After you create the client certificate files, you must install them on the client.

Note

Each X.509 client certificate provided by Amazon IoT holds issuer and subject attributes that you set at the time of certificate creation. Once the certificate is created, its attributes are immutable.

You can use the Amazon IoT console or the Amazon CLI to create an Amazon IoT certificate signed by the Amazon Root certificate authority.

Create an Amazon IoT certificate (console)

To create an Amazon IoT certificate using the Amazon IoT console
  1. Sign in to the Amazon Web Services Management Console and open the Amazon IoT console.

  2. In the navigation pane, choose Security, then choose Certificates, and then choose Create.

  3. Choose One-click certificate creation (recommended) - Create certificate.

  4. From the Certificate created page, download the client certificate files for the thing, public key, and private key to a secure location. These certificates generated by Amazon IoT are only available for use with Amazon IoT services.

    If you also need the Amazon Root CA certificate file, this page also has the link to the page where you can download it.

  5. A client certificate has now been created and registered with Amazon IoT. You must activate the certificate before you use it in a client.

    To activate the client certificate now, choose Activate. If you don't want to activate the certificate now, see Activate a client certificate (console) to learn how to activate the certificate later.

  6. If you want to attach a policy to the certificate, choose Attach a policy.

    If you don't want to attach a policy now, choose Done to finish. You can attach a policy later.

After you complete the procedure, install the certificate files on the client.

Create an Amazon IoT certificate (CLI)

The Amazon CLI provides the create-keys-and-certificate command to create client certificates signed by the Amazon Root certificate authority. This command, however, does not download the Amazon Root CA certificate file. You can download the Amazon Root CA certificate file from CA certificates for server authentication.

This command creates private key, public key, and X.509 certificate files and registers and activates the certificate with Amazon IoT.

    aws iot create-keys-and-certificate \
        --set-as-active \
        --certificate-pem-outfile certificate_filename.pem \
        --public-key-outfile public_filename.key \
        --private-key-outfile private_filename.key

If you don't want to activate the certificate when you create and register it, this command creates private key, public key, and X.509 certificate files and registers the certificate, but it does not activate it. Activate a client certificate (CLI) describes how to activate the certificate later.

    aws iot create-keys-and-certificate \
        --no-set-as-active \
        --certificate-pem-outfile certificate_filename.pem \
        --public-key-outfile public_filename.key \
        --private-key-outfile private_filename.key

Install the certificate files on the client.
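The following is an added example, not part of the Amazon IoT documentation or of any Amazon tool. It shows one way to install the files on the client from the JSON that create-keys-and-certificate prints when the --*-outfile options are not used (the response fields certificateArn, certificateId, certificatePem and keyPair.PublicKey/PrivateKey): each PEM block is checked before it touches disk, the private key is created owner-readable only, and the function refuses to overwrite existing key material. The file names and destination directory are assumptions, not names the documentation prescribes.

```python
import base64
import json
import os
import stat
from pathlib import Path


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the body; raises ValueError on malformed input."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM block")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # X.509 and PKCS key objects are DER SEQUENCEs
        raise ValueError("PEM body is not a DER SEQUENCE")
    return der


def install_from_response(response_json: str, dest_dir: str) -> dict:
    """Write certificate, public key and private key from the create-keys-and-certificate JSON.

    Returns the written paths plus certificateArn (needed later to attach a policy).
    """
    resp = json.loads(response_json)
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    # Validate every block first so a truncated or garbled download never lands on disk.
    for pem in (resp["certificatePem"], resp["keyPair"]["PublicKey"], resp["keyPair"]["PrivateKey"]):
        pem_to_der(pem)
    # File names below are assumptions for this example, not documented names.
    targets = {
        "certificate": (dest / "certificate.pem", resp["certificatePem"], 0o644),
        "public_key": (dest / "public.key", resp["keyPair"]["PublicKey"], 0o644),
        "private_key": (dest / "private.key", resp["keyPair"]["PrivateKey"], 0o600),
    }
    paths = {}
    for name, (path, pem, mode) in targets.items():
        # O_EXCL refuses to silently overwrite existing key material; mode is applied at creation.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "w") as f:
            f.write(pem if pem.endswith("\n") else pem + "\n")
        paths[name] = str(path)
    paths["certificate_arn"] = resp["certificateArn"]
    paths["certificate_id"] = resp["certificateId"]
    return paths


def private_key_is_private(path: str) -> bool:
    """True if the file is readable and writable only by its owner (no group/other bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

The private key never needs to be echoed or logged; the ARN is the only value the later attach-policy step requires.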