X.509 client certificates - Amazon IoT Core
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

X.509 client certificates

X.509 certificates provide Amazon IoT with the ability to authenticate client and device connections. Client certificates must be registered with Amazon IoT before a client can communicate with Amazon IoT. A client certificate can be registered in multiple Amazon Web Services accounts in the same Amazon Web Services Region to facilitate moving devices between your Amazon Web Services accounts in the same region. See Using X.509 client certificates in multiple Amazon Web Services accounts with multi-account registration for more information.

We recommend that each device or client be given a unique certificate to enable fine-grained client management actions, including certificate revocation. Devices and clients must also support rotation and replacement of certificates to help ensure smooth operation as certificates expire.

For information about using X.509 certificates to support more than a few devices, see Device provisioning to review the different certificate management and provisioning options that Amazon IoT supports.

Amazon IoT supports these types of X.509 client certificates:

  • X.509 certificates generated by Amazon IoT

  • X.509 certificates signed by a CA registered with Amazon IoT.

  • X.509 certificates signed by a CA that is not registered with Amazon IoT.

This section describes how to manage X.509 certificates in Amazon IoT. You can use the Amazon IoT console or Amazon CLI to perform these certificate operations:

For more information about the Amazon CLI commands that perform these operations, see Amazon IoT CLI Reference.

Using X.509 client certificates

X.509 certificates authenticate client and device connections to Amazon IoT. X.509 certificates provide several benefits over other identification and authentication mechanisms. X.509 certificates enable asymmetric keys to be used with devices. For example, you could burn private keys into secure storage on a device so that sensitive cryptographic material never leaves the device. X.509 certificates provide stronger client authentication over other schemes, such as user name and password or bearer tokens, because the private key never leaves the device.

Amazon IoT authenticates client certificates using the TLS protocol's client authentication mode. TLS support is available in many programming languages and operating systems and is commonly used for encrypting data. In TLS client authentication, Amazon IoT requests an X.509 client certificate and validates the certificate's status and Amazon Web Services account against a registry of certificates. It then challenges the client for proof of ownership of the private key that corresponds to the public key contained in the certificate. Amazon IoT requires clients to send the Server Name Indication (SNI) extension to the Transport Layer Security (TLS) protocol. For more information on configuring the SNI extension, see Transport security in Amazon IoT.

X.509 certificates can be verified against a trusted certificate authority (CA). You can create client certificates that use the Amazon Root CA and you can use your own client certificates signed by another CA. For more information about using your own X.509 certificates, see Create your own client certificates.

The date and time when certificates signed by a CA certificate expire are set when the certificate is created. X.509 certificates generated by Amazon IoT expire at midnight UTC on December 31, 2049 (2049-12-31T23:59:59Z). For more information about using the Amazon IoT console to create certificates that use the Amazon Root CA, see Create Amazon IoT client certificates.

Using X.509 client certificates in multiple Amazon Web Services accounts with multi-account registration

Multi-account registration makes it possible to move devices between your Amazon Web Services accounts in the same Region or in different Regions. With this, you can register, test, and configure a device in a pre-production account, and then register and use the same device and device certificate in a production account. You can also register the client certificate on the device (the device certificates) without a CA that is registered with Amazon IoT.

Note

Certificates used for multi-account registration are supported on the iot:Data-ATS, iot:Data (legacy), iot:Jobs, and iot:CredentialProvider endpoint types. For more information about Amazon IoT device endpoints, see Amazon IoT device data and service endpoints.

Note

Multi-account registration doesn't support just-in-time registration because a verification certificate is required for registering the CA, which is only generated for a specific account.

Devices that use multi-account registration must send the Server Name Indication (SNI) extension to the Transport Layer Security (TLS) protocol and provide the complete endpoint address in the host_name field, when they connect to Amazon IoT. Amazon IoT uses the endpoint address in host_name to route the connection to the correct Amazon IoT account. Existing devices that don't send a valid endpoint address in host_name will continue to work, but they will not be able to use the features that require this information. For more information about the SNI extension and to learn how to identify the endpoint address for the host_name field, see Transport security in Amazon IoT.

To use multi-account registration

  1. You can register the device certificates without a CA. See Register a client certificate signed by an unregistered CA (CLI). Registering a CA is optional. You're not required to register the CA that signed the device certificates with Amazon IoT.

  2. You can use the correct host_name in the SNI extension to TLS when the device connects to Amazon IoT. See Transport security in Amazon IoT.

Certificate signing algorithms supported by Amazon IoT

Amazon IoT supports the following certificate-signing algorithms:

  • SHA256WITHRSA

  • SHA384WITHRSA

  • SHA512WITHRSA

  • DSA_WITH_SHA256

  • ECDSA-WITH-SHA256

  • ECDSA-WITH-SHA384

  • ECDSA-WITH-SHA512