Create your own client certificates
Amazon IoT supports client certificates signed by any root or intermediate certificate authority (CA). Amazon IoT uses CA certificates to verify the ownership of client certificates. To use device certificates signed by a CA other than Amazon's CA, you must register that CA's certificate with Amazon IoT so that Amazon IoT can verify the device certificate's ownership.
Amazon IoT supports multiple ways of bringing your own certificates (BYOC):
- First, register the CA that is used for signing the client certificates, and then register the individual client certificates. If you want to register the device or client with its client certificate when it first connects to Amazon IoT (also known as Just-in-Time Provisioning), you must register the signing CA with Amazon IoT and activate auto-registration.
- If you can't register the signing CA, you can register client certificates without a CA. For devices registered without a CA, you must present Server Name Indication (SNI) when you connect them to Amazon IoT.
Note
To register client certificates using a CA, you must register the signing CA itself with Amazon IoT, not any other CA in the hierarchy.
Note
A CA certificate can be registered in DEFAULT mode by only one account in a Region. A CA certificate can be registered in SNI_ONLY mode by multiple accounts in a Region.
For more information about using X.509 certificates to support more than a few devices, see Device provisioning to review the different certificate management and provisioning options that Amazon IoT supports.
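As an added example that is not part of the Amazon IoT documentation: the shell script below builds a private CA with the openssl CLI, signs a device certificate with it, and checks that the device certificate chains to that CA, which is the ownership check Amazon IoT performs once the signing CA is registered. The AWS CLI commands in the comments are the registration steps for the two BYOC paths above; the directory, file names and CA subject are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Amazon's own code. Requires the openssl CLI.
set -eu

# Create a self-signed root CA (private key + certificate) in directory $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/ca.key" -out "$1/ca.pem" -subj "/CN=Demo Device CA" >/dev/null 2>&1
}

# Create a key + CSR for device $2 and sign the CSR with the CA stored in $1.
make_device_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.pem" >/dev/null 2>&1
}

# Return 0 when device certificate $2 chains to CA certificate $1, else non-zero.
# A certificate signed by any other CA fails this check, which is why Amazon IoT
# needs the signing CA (not another CA in the hierarchy) to be registered.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Registration steps (not run here; they need AWS credentials):
#   Path 1, register the signing CA, then the device certificate.
#   DEFAULT mode needs a verification certificate whose CN is the registration
#   code from: aws iot get-registration-code
#     aws iot register-ca-certificate --ca-certificate file://ca.pem \
#       --verification-certificate file://verification.pem \
#       --set-as-active --allow-auto-registration
#     aws iot register-certificate --certificate-pem file://device1.pem \
#       --ca-certificate-pem file://ca.pem --set-as-active
#   Path 2, no registered CA (the device must then send SNI when connecting):
#     aws iot register-certificate-without-ca \
#       --certificate-pem file://device1.pem --status ACTIVE

if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_ca "$dir"
  make_device_cert "$dir" device1
  verify_chain "$dir/ca.pem" "$dir/device1.pem" && echo "device1 chains to Demo Device CA"
fi
```

Run with `sh script.sh demo` to generate the files and perform the chain check locally.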