Bring your own CA

AWS IoT supports client certificates signed by other root certificate authorities (CA). You can register client certificates signed by another root CA; however, if you want the device or client to register its client certificate when it first connects to AWS IoT, the root CA must be registered with AWS IoT.

Just-in-time provisioning and just-in-time registration requires that you bring your own CA.

In this exercise you will create your own CA with AWS Certificate Manager Private Certificate Authority (ACM PCA). Then you will register the CA certificate with AWS IoT. This CA will be used for just-in-time provisioning and registration.


To create your own CA some files have already been prepared in the directory ~/ACM_PCA.

cd ~/ACM_PCA

Create your own CA

aws acm-pca create-certificate-authority \
	--certificate-authority-configuration file://./ca-config.json \
	--revocation-configuration file://./revoke-config.json \
	--certificate-authority-type "ROOT" \
	--idempotency-token $(date +'%Y%m%d%H%M%S')

The output of the command to create a certificate authority returns the arn of the CA and looks similar to:

    "CertificateAuthorityArn": "arn:aws:acm-pca:aws_region:aws_account_id:certificate-authority/aaa86144-52b7-4777-89bd-27388e44f6fe"

Assign the CA arn to a shell variable


Get the status of your CA

aws acm-pca describe-certificate-authority --certificate-authority-arn $CA_ARN

Status will be PENDING_CERTIFICATE and you need to finish the setup of your CA.

Go to the AWS Certificate Manager console

  1. Under Private CAs select IoT Device Management CA. The status should be Pending certificate
  2. Select Install a CA certificate to activate your CA.
  3. Validity: 10 Years, Signature algorithm: SHA256WTIHRSA
  4. Next
  5. Confirm and install

Use a Cloud9 terminal to verify the status of your CA. It should now be ACTIVE

Get and store the CA certificate of your PCA to the file acm-pca-root-ca.pem

aws acm-pca get-certificate-authority-certificate --certificate-authority-arn $CA_ARN --output text > acm-pca-root-ca.pem

Verify the content of your root CA certificate

openssl x509 -text -noout -in acm-pca-root-ca.pem 

Register your CA with AWS IoT Core

Get a registration code from AWS IoT and write the code to a shell variable for later use. This code will be used as the Common Name (CN) of a verification certificate that you will issue with your own CA.

REGISTRATION_CODE=$(aws iot get-registration-code --output text)

Verify that the shell variable was set correctly


Generate a key and CSR for the verification certificate

openssl req -nodes -new -newkey rsa:2048 \
            -keyout iot-registration.key \
            -out iot-registration.csr \
            -subj "/CN=$REGISTRATION_CODE"

Issue a certificate based on the CSR

aws acm-pca issue-certificate \
	--certificate-authority-arn $CA_ARN \
	--csr file://./iot-registration.csr \
	--signing-algorithm "SHA256WITHRSA" \
	--validity Value=1,Type="DAYS" \
	--idempotency-token $(date +'%Y%m%d%H%M%S')

This command returns the certificate arn and looks similar to:

    "CertificateArn": "arn:aws:acm-pca:aws_region:aws_account_id:certificate-authority/4444791c-b956-476e-9ac0-7ffac9c196a4/certificate/7d7a88320133fc05ba097fc7f447bbbb"

Take a note of the arn you will need it in subsequent commands.

Wait until ACM PCA has issued the certificate

aws acm-pca wait certificate-issued \
	--certificate-authority-arn $CA_ARN \

Get the certificate from ACM PCA

aws acm-pca get-certificate \
	--certificate-authority-arn $CA_ARN \
	--certificate-arn REPLACE_WITH_YOUR_CERTIFICATE_ARN > iot-registration.json

Get the certificate from the output or the get-certificate call

jq -r '.Certificate' iot-registration.json > iot-registration.crt

Verify that the common name of the certificate has been set to your registration code

openssl x509 -text -noout -in iot-registration.crt -subject

The output should contain amongst other output:


Register the CA certificate with AWS IoT

aws iot register-ca-certificate \
        --ca-certificate file://./acm-pca-root-ca.pem \
        --verification-cert file://./iot-registration.crt

On success the output in JSON format returns the certificate arn and id of your CA registered with AWS IoT and looks similar to:

    "certificateArn": "arn:aws:iot:aws_region:aws_count_id:cacert/cert_id",
    "certificateId": "cert_id"

Verify that the CA certificate has been registered successfully. You received the CA certificate id in the output from the command above

# assign the certificate id to a shell variable (for convenience)

Look what has been stored with AWS IoT regarding your CA

aws iot describe-ca-certificate --certificate-id $CA_CERTIFICATE_ID

Activate the CA certificate

aws iot update-ca-certificate --new-status ACTIVE --certificate-id $CA_CERTIFICATE_ID

You have created your own CA and registered it with AWS IoT. Your CA can now be used for Just-in-time provisioning and registration.