Simplify multi-account system provisioning and certificates authority registration when utilizing AWS IoT Core

Prospects usually handle a number of AWS accounts to separate their growth, staging, and manufacturing environments. When deploying IoT workloads on AWS IoT Core, clients normally use distinctive X.509 certificates for figuring out units and certificates authorities (CAs) for validating the signature of system certificates throughout provisioning. On this weblog, we’ll show the right way to use the newly launched functionality of AWS IoT Core to simplify each system provisioning and CA registration for patrons that use a number of accounts.

Within the prior model, clients that handle completely different AWS accounts to distinguish between growth and manufacturing workloads needed to configure a number of CAs to attach the identical system to a number of accounts in the course of the growth course of. With this replace, you should use the identical CA throughout numerous accounts to simplify system provisioning when utilizing Simply-in-Time Provisioning (JITP) and Simply-in-Time Registration (JITR) and enhance safety posture by having fewer CAs.

This replace additionally simplifies the CA registration course of for AWS IoT Core to validate the signature of system certificates throughout provisioning. Beforehand, to show possession earlier than registering the CA, you needed to have entry to the CA’s non-public key. Nonetheless, these non-public keys are usually managed by system distributors or safety groups of organizations that function their very own CAs, and should not shared with the builders, which makes it difficult for builders to show possession of the CAs. With this replace, your growth group can instantly handle the registration of CAs and simplify the system provisioning course of.

The brand new functionality is restricted to JITP and JITR provisioning strategies that robotically provision units on their first try to hook up with AWS IoT Core and enhances these strategies for multi-account use circumstances. In distinction, Multi-Account Registration (MAR) of system certificates allows clients to maneuver units between completely different AWS accounts with out registering CA, however requires registering system certificates on AWS IoT Core for every account manually.

Prospects are already benefiting from the brand new capabilities

The power to register CAs in a number of accounts and simplification of CA registration with AWS IoT Core reduces complexity for patrons and helps speed up time-to-market.

iRobot: decreasing the complexity of system id provisioning in multi-account environments


iRobot designs and builds robots that empower individuals to do extra inside and outdoors the house. iRobot makes use of a number of AWS accounts to separate their growth, testing, and manufacturing environments. “With the brand new functionality of AWS IoT Core to register CA certificates in a number of accounts, we are able to provision identities on our growth robots as soon as and transfer them among the many accredited growth accounts as wanted with out re-provisioning. This simplifies the event course of, which in flip helps enhance our safety posture as a result of we are able to have tighter management over the lowered variety of CAs and affiliate the CAs with safety boundaries,” mentioned Ben Kehoe, Cloud Architect at iRobot.

WirelessCar: accelerating time-to-market by simplifying safety configuration

wirelessCarWirelessCar is without doubt one of the world’s main innovators of digital car companies. They flip car information into enterprise worth for shoppers, mobility suppliers, car makers, and society. WirelessCar makes use of Simply-in-Time Provisioning for automating the provisioning of autos with X.509 certificate-based identities. “The brand new simplification of the CA registration with AWS IoT Core helps our builders transfer sooner with out ready for verification certificates from our safety group,” mentioned Henrik Strömberg, Answer Architect at WirelessCar. “Our safety group can maintain the sturdy safety posture with out turning into the bottleneck in our fast-paced growth atmosphere.”

Getting began

The brand new functionality permits registering a CA certificates in a number of accounts of the identical area (and, after all, throughout a number of areas, which was attainable earlier than) with out proving the possession of the CA’s non-public key. The aptitude is unlocked if a tool can ship the Server Identify Indication (SNI) discipline, which communicates the endpoint it’s trying to hook up with in the beginning of the Transport Layer Safety handshaking course of. The brand new functionality enhances JITP and JITR system provisioning strategies. Now you can register CA certificates in one of many following two modes:

  • DEFAULT: register a CA certificates with a verification certificates
  • SNI_ONLY: register a CA certificates with no verification certificates

AWS IoT Core registers system certificates in SNI_ONLY mode while you register the signing CA in SNI_ONLY mode.

Key factors:

  • Just one account can register a CA in DEFAULT mode in a single area.
  • A number of accounts can register the identical CA in SNI_ONLY mode in the identical area. There isn’t a restrict on the variety of accounts within the area the place such CA is registered.
  • A number of accounts can register the identical CA in both DEFAULT or SNI_ONLY modes if these accounts are in numerous areas — this was attainable earlier than.
  • A CA might be in numerous modes throughout accounts. For instance, one account can register it in DEFAULT mode and one other account in SNI_ONLY mode.
  • In a given account, a CA can exist in just one mode. To alter the mode of the registered CA, that you must delete the CA and register it once more.

Let’s have a look at establishing this new characteristic and testing it in your accounts. We are going to present that we are able to register the identical CA in a number of accounts via the next steps:

  • We are going to arrange Cloud9 cases in two completely different accounts
  • We are going to arrange CA within the first account in DEFAULT mode
  • We are going to arrange CA within the second account in SNI_ONLY mode
  • Confirm that the CA is registered in each accounts to validate the characteristic

Answer structure

solution Architecture

Answer structure – Determine 1

Answer overview and implementation

Creating the check atmosphere

Use the Get Began With IoT workshop to arrange the AWS Cloud9 atmosphere shortly. Choose any AWS area closest to your location. On this weblog, we’ll use US-EAST-1. Arrange two Cloud9 environments in the identical area however two completely different accounts as a result of we’ll check the multi-account nature of the launched functionality. After finishing the setup utilizing the AWS CloudFormation template from the workshop, let’s start establishing certificates authorities. Open the Cloud9 terminal (see the trace right here), and let’s arrange the primary CA certificates.

Setup CA in Account 1

Let’s arrange CA on this first account in DEFAULT mode. To register a DEFAULT CA certificates, observe our present publicly obtainable API docs right here.

Create a CA certificates

openssl genrsa -out rootCA.key 2048

It is best to see an identical output:

e is 65537 (0x010001)
Producing RSA non-public key, 2048 bit lengthy modulus (2 primes)

Now, let’s create a config file to generate a CA certificates via OpenSSL. Create a file named rootCA_openssl.conf with the next contents:

[ v3_ca ]
basicConstraints = CA:TRUE

This config file explicitly states that the certificates to be generated is a CA and never a leaf certificates. As soon as the rootCA_openssl.conf file is created, let’s run the next instructions to generate the rootCA.pem file and fill within the particulars accordingly:

openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr
openssl x509 -req -days 1024 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem

By now, we should always have two information, rootCA.key and rootCA.pem. We are going to use them within the steps beneath.

Register CA

We derived the directions from our publicly obtainable doc for registering your CA certificates. First, we get a license plate from AWS IoT Core. We are going to use this code because the Frequent Identify of the non-public key verification certificates.

aws iot get-registration-code --region us-east-1

It is best to see an identical output:

  "registrationCode": "xxxxxxxxxxx7a60e19fxxxxxxxxxxxxxx8381dbd3457xxxxxxxxxxxxxx"

Now, let’s generate a key pair for the non-public key verification certificates. We are going to get a file known as verificationCert.key.

openssl genrsa -out verificationCert.key 2048

It is best to see an identical output:

e is 65537 (0x01xxxx)
Producing RSA non-public key, 2048 bit lengthy modulus (2 primes)

Subsequent, we’ll execute the next command to create a CSR for the non-public key verification certificates. We are going to get a file known as verificationCert.csr.

openssl req -new -key verificationCert.key -out verificationCert.csr

Now, we have to set the Frequent Identify discipline of the certificates with the license plate out from the sooner step. Populate the remainder of the fields based on your particulars:

Nation Identify (2 letter code) [AU]:
State or Province Identify (full title) []:
Locality Identify (for instance, metropolis) []:
Group Identify (for instance, firm) []:
Organizational Unit Identify (for instance, part) []:
Frequent Identify (e.g. server FQDN or YOUR title) []: XXXXXXXREGISTRATION-CODEXXXXXXX
Electronic mail Tackle []:
Please enter the next 'additional' attributes
to be despatched along with your certificates request
A problem password []:
An optionally available firm title []:

We used the CSR to create a personal key verification certificates. We are going to use this step’s verificationCert.pem file after we register the CA certificates.

openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256

Upon profitable completion, we should always see the next output:

Getting CA Personal Key

Lastly, we’ll name the register-ca-certificate CLI command to register the CA certificates.

aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem --set-as-active --allow-auto-registration --region us-east-1

Be aware: Take a notice of the Certificates ID to be used sooner or later verification step.

We must always get a profitable response with the returned Certificates ID and Certificates ARN.

After registering the CA certificates, you may nonetheless name UpdateCACertificate API or update-ca-certificate CLI command to replace the registered CA certificates, if wanted.

Now that now we have registered the CA, let’s make a management airplane name to AWS IoT Core’s endpoint and confirm that it registered the CA. Run the next command (exchange Certificates ID with the returned worth from aws iot register-ca-certificate command):

aws iot describe-ca-certificate --region us-east-1 --certificate-id <<Certificate_ID>> 

It is best to see an identical JSON output:

  "certificateDescription": {
    "certificateArn": "arn:aws:iot:us-east-1:YYYYYYYYYYYY:cacert/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "certificateId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "standing": "ACTIVE",
    "certificatePem": "-----BEGIN CERTIFICATE-----xxxxxxxxnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn-----END CERTIFICATE-----n",
    "ownedBy": "YYYYYYYYYYYY",
    "creationDate": 1655249872.319,
    "autoRegistrationStatus": "ENABLE",
    "lastModifiedDate": 1655249872.319,
    "customerVersion": 1,
    "generationId": "7xxxxxxxxxxxxxxxxxxxxxxxxxxxxe9",
    "validity": {
      "notBefore": 1655249071.0,
      "notAfter": 1743722671.0
    "certificateMode": "DEFAULT"

Setup CA in Account 2

Let’s open our second account and arrange the Cloud9 atmosphere as earlier than.

Since we’ll register the identical CA within the second account as we did within the first account, we’ll use SNI_ONLY mode. On this mode, we don’t want to hold out verification steps as we did for the primary account.

Please copy rootCA.pem file from account one after which run the next command:

aws iot register-ca-certificate --ca-certificate file://rootCA.pem --certificate-mode SNI_ONLY --set-as-active --allow-auto-registration --region us-east-1

Confirm the CA has been registered

aws iot describe-ca-certificate --region us-east-1 --certificate-id <<Certificate_ID>>

It is best to see following output, which confirms the certificates mode is SNI_ONLY:

  "certificateDescription": {
    "certificateArn": "arn:aws:iot:us-east-1:ZZZZZZZZZZZZ:cacert/4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0",
    "certificateId": "4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0",
    "standing": "ACTIVE",
    "certificatePem": "-----BEGIN CERTIFICATE-----xxxxxxxxxxxxnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn-----END CERTIFICATE-----n",
    "ownedBy": "ZZZZZZZZZZZZ",
    "creationDate": 1655252314.053,
    "autoRegistrationStatus": "ENABLE",
    "lastModifiedDate": 1655252314.053,
    "customerVersion": 1,
    "generationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "validity": {
      "notBefore": 1655249071.0,
      "notAfter": 1743722671.0
    "certificateMode": "SNI_ONLY"

Now you should use the CA certificates with SNI_ONLY certificates mode the identical approach as you’ll with DEFAULT mode.


We reviewed the brand new functionality that simplifies registering the identical CA certificates in two AWS accounts, assuaging the necessity to provision extra CAs when utilizing a number of accounts, resembling for growth, testing, and manufacturing. We additionally demonstrated the right way to use SNI_ONLY certificates mode to register a CA certificates with out the necessity for CA’s non-public keys, which simplifies the safety configuration and accelerates time-to-market.

To study extra about CA registration, go to developer documentation, and to study extra about certificates mode, see the API documentation. To register the certificates manually, check with the next developer documentation. To study extra concerning the SNI mode, check with TLS extensions documentation.

In regards to the Authors

Syed Rehan is a International Sr. Specialist Options Architect at Amazon Internet Providers and relies in London. He’s protecting world span of consumers and supporting them as lead IoT Answer Architect. Syed has in-depth information of IoT and cloud and works on this function with world clients starting from start-up to enterprises to allow them to construct IoT options with the AWS eco system.
Victor Lesau is a Sr. Technical Product Supervisor at Amazon Internet Providers. He focuses on product technique, roadmap planning, enterprise evaluation, buyer engagement and different product administration areas of AWS IoT Core and AWS IoT Identification companies and good house initiatives.