Create your own client certificates - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create your own client certificates

Amazon IoT supports client certificates signed by any root or intermediate certificate authority (CA). Amazon IoT uses the registered CA certificate to verify that a client certificate presented during the TLS handshake was issued by that CA. To use device certificates signed by a CA other than Amazon's, you must register the CA's certificate with Amazon IoT so that the device certificate's ownership can be verified.

Amazon IoT supports two ways of bringing your own certificates (BYOC):

  • First, register the CA that signs the client certificates, and then register each client certificate individually. If you want a device's client certificate to be registered automatically the first time the device connects to Amazon IoT (also known as just-in-time provisioning), you must register the signing CA with Amazon IoT and activate auto-registration for it.

  • If you can't register the signing CA, you can register client certificates without a CA. Devices registered this way must present the Server Name Indication (SNI) TLS extension, set to your account's Amazon IoT endpoint, when they connect; without it the connection is rejected.

Note

To register client certificates using a CA, you must register the CA that directly signed the client certificates, not the root or any other CA in the hierarchy.

Note

A CA certificate can be registered in DEFAULT mode by only one account in a Region. A CA certificate can be registered in SNI_ONLY mode by multiple accounts in a Region.
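The following script is an added example and is not code from this page or from Amazon. It builds a private root CA and a signing (intermediate) CA, issues a device certificate from the signing CA, and then checks the chain the way the broker does: a registered signing CA is treated as a trust anchor, so the device certificate verifies against the signing CA alone but not against the root alone, which is why the signing CA, not the root, must be registered. The registration and connection functions at the end wrap the Amazon IoT CLI for both options described above and are not run automatically, because they need account credentials and a data endpoint. The directory layout, the names `device-001`, `Example Root CA` and `Example Signing CA`, the `IOT_ENDPOINT` variable, and the assumption that the Amazon server root CA has been downloaded to `$WORKDIR/AmazonRootCA1.pem` are all illustrative choices, not values from the page.

```shell
#!/bin/sh
# Added example, not from the Amazon IoT documentation. Requires the openssl CLI;
# the register_*/connect_* functions additionally require the aws CLI and credentials.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumed scratch directory for keys and certs

# Extension profiles: a CA must assert CA:TRUE and keyCertSign; a device cert must not.
cat >"$WORKDIR/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat >"$WORKDIR/client.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF

# issue NAME SUBJECT ISSUER EXTFILE DAYS: generate a P-256 key and a certificate for it.
# An empty ISSUER produces a self-signed certificate; otherwise ISSUER's key signs it.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORKDIR/$1.key"
  openssl req -new -key "$WORKDIR/$1.key" -subj "$2" -out "$WORKDIR/$1.csr"
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORKDIR/$1.csr" -signkey "$WORKDIR/$1.key" \
      -sha256 -days "$5" -extfile "$4" -out "$WORKDIR/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/$3.pem" -CAkey "$WORKDIR/$3.key" \
      -CAcreateserial -sha256 -days "$5" -extfile "$4" -out "$WORKDIR/$1.pem" 2>/dev/null
  fi
}

make_root_ca()     { issue root-ca    "/CN=Example Root CA"    ""         "$WORKDIR/ca.ext"     3650; }
make_signing_ca()  { issue signing-ca "/CN=Example Signing CA" root-ca    "$WORKDIR/ca.ext"     1825; }
make_device_cert() { issue "$1"       "/CN=$1"                 signing-ca "$WORKDIR/client.ext" 365; }

# verify_chain LEAF ANCHOR: returns 0 only if ANCHOR directly issued LEAF. -partial_chain
# treats ANCHOR as trusted even though it is not self-signed, which models how Amazon IoT
# treats a registered signing CA. No intermediate is supplied, so verifying a device
# certificate against the root alone fails, just as it would if only the root were registered.
verify_chain() {
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Option 1: register the signing CA (DEFAULT mode), then each device certificate it signed.
# DEFAULT mode requires a verification certificate, signed by the same CA, whose CN is the
# account's registration code. --allow-auto-registration is what enables just-in-time
# registration of certificates on first connect.
register_signing_ca_default() {
  code=$(aws iot get-registration-code --query registrationCode --output text)
  issue verification "/CN=$code" signing-ca "$WORKDIR/client.ext" 365
  aws iot register-ca-certificate --ca-certificate "file://$WORKDIR/signing-ca.pem" \
    --verification-certificate "file://$WORKDIR/verification.pem" \
    --set-as-active --allow-auto-registration
}
register_device_cert() {   # $1 = device name; the CA PEM must be the signing CA, not the root
  aws iot register-certificate --certificate-pem "file://$WORKDIR/$1.pem" \
    --ca-certificate-pem "file://$WORKDIR/signing-ca.pem" --set-as-active
}

# Option 2: no CA registered. Register the device certificate alone; the device must then
# send SNI on every connection, which is the -servername flag in connect_with_sni.
register_device_cert_without_ca() {   # $1 = device name
  aws iot register-certificate-without-ca --certificate-pem "file://$WORKDIR/$1.pem" --status ACTIVE
}
connect_with_sni() {   # $1 = device name; IOT_ENDPOINT = the account's data endpoint (assumed set)
  openssl s_client -connect "$IOT_ENDPOINT:8883" -servername "$IOT_ENDPOINT" \
    -cert "$WORKDIR/$1.pem" -key "$WORKDIR/$1.key" -CAfile "$WORKDIR/AmazonRootCA1.pem"
}

# Offline part of the flow: build the hierarchy and check the chain.
make_root_ca
make_signing_ca
make_device_cert device-001
verify_chain "$WORKDIR/device-001.pem" "$WORKDIR/signing-ca.pem" && echo "device-001 chains to the signing CA"
verify_chain "$WORKDIR/device-001.pem" "$WORKDIR/root-ca.pem" || echo "device-001 does not chain to the root alone"
```

Run the script as-is to produce the hierarchy under `$WORKDIR`; then call `register_signing_ca_default` and `register_device_cert device-001` (option 1) or `register_device_cert_without_ca device-001` followed by `connect_with_sni device-001` (option 2) from a shell with Amazon credentials configured. Dropping `-servername` from `connect_with_sni` reproduces the failure mode of an SNI_ONLY device that omits SNI.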

For more information about using X.509 certificates to support more than a few devices, see Device provisioning to review the different certificate management and provisioning options that Amazon IoT supports.