Register your CA certificate - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Register your CA certificate

These procedures describe how to register a certificate from a certificate authority (CA) that's not Amazon's CA. Amazon IoT Core uses CA certificates to verify the ownership of certificates. To use device certificates signed by a CA that's not Amazon's CA, you must register the CA certificate with Amazon IoT Core so that it can verify the device certificate's ownership.

Note

To register a CA certificate in the console, start in the console at Register CA certificate. You can register your CA in Multi-account mode and without the need to provide a verification certificate or access to the private key. A CA can be registered in Multi-account mode by multiple Amazon Web Services accounts in the same Amazon Web Services Region. You can register your CA in Single-account mode by providing a verification certificate and proof of ownership of CA’s private key. A CA can be registered in Multi-account mode by one Amazon Web Services account in one Amazon Web Services Region.

You can register a CA certificate in DEFAULT mode or SNI_ONLY mode. A CA can be registered in DEFAULT mode by one Amazon Web Services account in one Amazon Web Services Region. A CA can be registered in SNI_ONLY mode by multiple Amazon Web Services accounts in the same Amazon Web Services Region. For more information about CA certificate mode, see certificateMode.

Note

We recommend that you register a CA in SNI_ONLY mode. You don't need to provide a verification certificate or access to the private key, and you can register the CA by multiple Amazon Web Services accounts in the same Amazon Web Services Region.

Register a CA certificate in SNI_ONLY mode (CLI) - Recommended

Prerequisites

Make sure you have the following available on your computer before you continue:

  • The root CA's certificate file (referenced in the following example as root_CA_cert_filename.pem)

  • OpenSSL v1.1.1i or later

To register a CA certificate in SNI_ONLY mode using the Amazon CLI

  1. Register the CA certificate with Amazon IoT. Using the register-ca-certificate command, enter the CA certificate file name. For more information, see register-ca-certificate in the Amazon CLI Command Reference.

    aws iot register-ca-certificate \
    --ca-certificate file://root_CA_cert_filename.pem \
    --certificate-mode SNI_ONLY

    If successful, this command returns the certificateId.

  2. At this point, the CA certificate has been registered with Amazon IoT but is inactive. The CA certificate must be active before you can register any client certificates that it has signed.

    This step activates the CA certificate.

    To activate the CA certificate, use the update-certificate command as follows. For more information, see update-certificate in the Amazon CLI Command Reference.

    aws iot update-ca-certificate \
    --certificate-id certificateId \
    --new-status ACTIVE

To see the status of the CA certificate, use the describe-ca-certificate command. For more information, see describe-ca-certificate in the Amazon CLI Command Reference.

Register a CA certificate in DEFAULT mode (CLI)

Prerequisites

Make sure you have the following available on your computer before you continue:

  • The root CA's certificate file (referenced in the following example as root_CA_cert_filename.pem)

  • The root CA certificate's private key file (referenced in the following example as root_CA_key_filename.key)

  • OpenSSL v1.1.1i or later

To register a CA certificate in DEFAULT mode using the Amazon CLI

  1. To get a registration code from Amazon IoT, use get-registration-code. Save the returned registrationCode to use as the Common Name of the private key verification certificate. For more information, see get-registration-code in the Amazon CLI Command Reference.

    aws iot get-registration-code

  2. Generate a key pair for the private key verification certificate:

    openssl genrsa -out verification_cert_key_filename.key 2048

  3. Create a certificate signing request (CSR) for the private key verification certificate. Set the Common Name field of the certificate to the registrationCode returned by get-registration-code.

    openssl req -new \
    -key verification_cert_key_filename.key \
    -out verification_cert_csr_filename.csr

    You are prompted for some information, including the Common Name for the certificate.

    You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
    State or Province Name (full name) []:
    Locality Name (for example, city) []:
    Organization Name (for example, company) []:
    Organizational Unit Name (for example, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:your_registration_code
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  4. Use the CSR to create a private key verification certificate:

    openssl x509 -req \
    -in verification_cert_csr_filename.csr \
    -CA root_CA_cert_filename.pem \
    -CAkey root_CA_key_filename.key \
    -CAcreateserial \
    -out verification_cert_filename.pem \
    -days 500 -sha256

  5. Register the CA certificate with Amazon IoT. Pass in the CA certificate file name and the private key verification certificate file name to the register-ca-certificate command, as follows. For more information, see register-ca-certificate in the Amazon CLI Command Reference.

    aws iot register-ca-certificate \
    --ca-certificate file://root_CA_cert_filename.pem \
    --verification-cert file://verification_cert_filename.pem

    This command returns the certificateId, if successful.

  6. At this point, the CA certificate has been registered with Amazon IoT but is not active. The CA certificate must be active before you can register any client certificates it has signed.

    This step activates the CA certificate.

    To activate the CA certificate, use the update-certificate command as follows. For more information, see update-certificate in the Amazon CLI Command Reference.

    aws iot update-ca-certificate \
    --certificate-id certificateId \
    --new-status ACTIVE

To see the status of the CA certificate, use the describe-ca-certificate command. For more information, see describe-ca-certificate in the Amazon CLI Command Reference.