CreateCertificateFromCsr - AWS IoT

CreateCertificateFromCsr

Creates an X.509 certificate using the specified certificate signing request.

Requires permission to access the CreateCertificateFromCsr action.

Note

The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256, NIST P-384, or NIST P-521 curves. For supported certificates, consult Certificate signing algorithms supported by AWS IoT.

Note

Reusing the same certificate signing request (CSR) results in a distinct certificate.

You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs. In the following commands, we assume that a set of CSRs are located inside of the directory my-csr-directory:

On Linux and OS X, the command is:

$ ls my-csr-directory/ | xargs -I {} aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/{}

This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr AWS CLI command to create a certificate for the corresponding CSR.

You can also run the aws iot create-certificate-from-csr part of the command in parallel to speed up the certificate creation process:

$ ls my-csr-directory/ | xargs -P 10 -I {} aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/{}

On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is:

> ls -Name my-csr-directory | %{aws iot create-certificate-from-csr --certificate-signing-request file://my-csr-directory/$_}

On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is:

> forfiles /p my-csr-directory /c "cmd /c aws iot create-certificate-from-csr --certificate-signing-request file://@path"

Request Syntax

POST /certificates?setAsActive=setAsActive HTTP/1.1 Content-type: application/json { "certificateSigningRequest": "string" }

URI Request Parameters

The request uses the following URI parameters.

setAsActive

Specifies whether the certificate is active.

Request Body

The request accepts the following data in JSON format.

certificateSigningRequest

The certificate signing request (CSR).

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

Pattern: [\s\S]*

Required: Yes

Response Syntax

HTTP/1.1 200 Content-type: application/json { "certificateArn": "string", "certificateId": "string", "certificatePem": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

certificateArn

The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.

Type: String

certificateId

The ID of the certificate. Certificate management operations only take a certificateId.

Type: String

Length Constraints: Fixed length of 64.

Pattern: (0x)?[a-fA-F0-9]+

certificatePem

The certificate data, in PEM format.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 65536.

Pattern: [\s\S]*

Errors

InternalFailureException

An unexpected error has occurred.

HTTP Status Code: 500

InvalidRequestException

The request is not valid.

HTTP Status Code: 400

ServiceUnavailableException

The service is temporarily unavailable.

HTTP Status Code: 503

ThrottlingException

The rate exceeds the limit.

HTTP Status Code: 400

UnauthorizedException

You are not authorized to perform this operation.

HTTP Status Code: 401

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: