Thursday, February 16, 2023
HomeIoTSimplify multi-account gadget provisioning and certificates authority registration when utilizing AWS IoT...

Simplify multi-account gadget provisioning and certificates authority registration when utilizing AWS IoT Core

Clients usually handle a number of AWS accounts to separate their improvement, staging, and manufacturing environments. When deploying IoT workloads on AWS IoT Core, clients normally use distinctive X.509 certificates for figuring out units and certificates authorities (CAs) for validating the signature of gadget certificates throughout provisioning. On this weblog, we’ll reveal the right way to use the newly launched functionality of AWS IoT Core to simplify each gadget provisioning and CA registration for patrons that use a number of accounts.

Within the prior model, clients that handle completely different AWS accounts to distinguish between improvement and manufacturing workloads needed to configure a number of CAs to attach the identical gadget to a number of accounts in the course of the improvement course of. With this replace, you should use the identical CA throughout varied accounts to simplify gadget provisioning when utilizing Simply-in-Time Provisioning (JITP) and Simply-in-Time Registration (JITR) and enhance safety posture by having fewer CAs.

This replace additionally simplifies the CA registration course of for AWS IoT Core to validate the signature of gadget certificates throughout provisioning. Beforehand, to show possession earlier than registering the CA, you needed to have entry to the CA’s personal key. Nevertheless, these personal keys are usually managed by gadget distributors or safety groups of organizations that function their very own CAs, and are usually not shared with the builders, which makes it difficult for builders to show possession of the CAs. With this replace, your improvement group can straight handle the registration of CAs and simplify the gadget provisioning course of.

The brand new functionality is particular to JITP and JITR provisioning strategies that routinely provision units on their first try to connect with AWS IoT Core and enhances these strategies for multi-account use instances. In distinction, Multi-Account Registration (MAR) of gadget certificates allows clients to maneuver units between completely different AWS accounts with out registering CA, however requires registering gadget certificates on AWS IoT Core for every account manually.

Clients are already benefiting from the brand new capabilities

The flexibility to register CAs in a number of accounts and simplification of CA registration with AWS IoT Core reduces complexity for patrons and helps speed up time-to-market.

iRobot: lowering the complexity of gadget identification provisioning in multi-account environments


iRobot designs and builds robots that empower folks to do extra inside and outdoors the house. iRobot makes use of a number of AWS accounts to separate their improvement, testing, and manufacturing environments. “With the brand new functionality of AWS IoT Core to register CA certificates in a number of accounts, we will provision identities on our improvement robots as soon as and transfer them among the many accepted improvement accounts as wanted with out re-provisioning. This simplifies the event course of, which in flip helps enhance our safety posture as a result of we will have tighter management over the lowered variety of CAs and affiliate the CAs with safety boundaries,” stated Ben Kehoe, Cloud Architect at iRobot.

WirelessCar: accelerating time-to-market by simplifying safety configuration

wirelessCarWirelessCar is likely one of the world’s main innovators of digital car providers. They flip car information into enterprise worth for shoppers, mobility suppliers, car makers, and society. WirelessCar makes use of Simply-in-Time Provisioning for automating the provisioning of automobiles with X.509 certificate-based identities. “The brand new simplification of the CA registration with AWS IoT Core helps our builders transfer sooner with out ready for verification certificates from our safety group,” stated Henrik Strömberg, Answer Architect at WirelessCar. “Our safety group can hold the robust safety posture with out turning into the bottleneck in our fast-paced improvement surroundings.”

Getting began

The brand new functionality permits registering a CA certificates in a number of accounts of the identical area (and, after all, throughout a number of areas, which was attainable earlier than) with out proving the possession of the CA’s personal key. The potential is unlocked if a tool can ship the Server Identify Indication (SNI) discipline, which communicates the endpoint it’s trying to connect with in the beginning of the Transport Layer Safety handshaking course of. The brand new functionality enhances JITP and JITR gadget provisioning strategies. Now you can register CA certificates in one of many following two modes:

  • DEFAULT: register a CA certificates with a verification certificates
  • SNI_ONLY: register a CA certificates with out a verification certificates

AWS IoT Core registers gadget certificates in SNI_ONLY mode whenever you register the signing CA in SNI_ONLY mode.

Key factors:

  • Just one account can register a CA in DEFAULT mode in a single area.
  • A number of accounts can register the identical CA in SNI_ONLY mode in the identical area. There isn’t a restrict on the variety of accounts within the area the place such CA is registered.
  • A number of accounts can register the identical CA in both DEFAULT or SNI_ONLY modes if these accounts are in several areas — this was attainable earlier than.
  • A CA will be in several modes throughout accounts. For instance, one account can register it in DEFAULT mode and one other account in SNI_ONLY mode.
  • In a given account, a CA can exist in just one mode. To vary the mode of the registered CA, it’s essential delete the CA and register it once more.

Let’s take a look at establishing this new function and testing it in your accounts. We’ll present that we will register the identical CA in a number of accounts by way of the next steps:

  • We’ll arrange Cloud9 situations in two completely different accounts
  • We’ll arrange CA within the first account in DEFAULT mode
  • We’ll arrange CA within the second account in SNI_ONLY mode
  • Confirm that the CA is registered in each accounts to validate the function

Answer structure

solution Architecture

Answer structure – Determine 1

Answer overview and implementation

Creating the take a look at surroundings

Use the Get Began With IoT workshop to arrange the AWS Cloud9 surroundings shortly. Decide any AWS area closest to your location. On this weblog, we’ll use US-EAST-1. Arrange two Cloud9 environments in the identical area however two completely different accounts as a result of we’ll take a look at the multi-account nature of the launched functionality. After finishing the setup utilizing the AWS CloudFormation template from the workshop, let’s start establishing certificates authorities. Open the Cloud9 terminal (see the trace right here), and let’s arrange the primary CA certificates.

Setup CA in Account 1

Let’s arrange CA on this first account in DEFAULT mode. To register a DEFAULT CA certificates, observe our present publicly out there API docs right here.

Create a CA certificates

openssl genrsa -out rootCA.key 2048

It’s best to see an analogous output:

e is 65537 (0x010001)
Producing RSA personal key, 2048 bit lengthy modulus (2 primes)

Now, let’s create a config file to generate a CA certificates by way of OpenSSL. Create a file named rootCA_openssl.conf with the next contents:

[ v3_ca ]
basicConstraints = CA:TRUE

This config file explicitly states that the certificates to be generated is a CA and never a leaf certificates. As soon as the rootCA_openssl.conf file is created, let’s run the next instructions to generate the rootCA.pem file and fill within the particulars accordingly:

openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr
openssl x509 -req -days 1024 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem

By now, we should always have two information, rootCA.key and rootCA.pem. We’ll use them within the steps beneath.

Register CA

We derived the directions from our publicly out there doc for registering your CA certificates. First, we get a license plate from AWS IoT Core. We’ll use this code because the Widespread Identify of the personal key verification certificates.

aws iot get-registration-code --region us-east-1

It’s best to see an analogous output:

  "registrationCode": "xxxxxxxxxxx7a60e19fxxxxxxxxxxxxxx8381dbd3457xxxxxxxxxxxxxx"

Now, let’s generate a key pair for the personal key verification certificates. We’ll get a file known as verificationCert.key.

openssl genrsa -out verificationCert.key 2048

It’s best to see an analogous output:

e is 65537 (0x01xxxx)
Producing RSA personal key, 2048 bit lengthy modulus (2 primes)

Subsequent, we’ll execute the next command to create a CSR for the personal key verification certificates. We’ll get a file known as verificationCert.csr.

openssl req -new -key verificationCert.key -out verificationCert.csr

Now, we have to set the Widespread Identify discipline of the certificates with the license plate out from the sooner step. Populate the remainder of the fields in line with your particulars:

Nation Identify (2 letter code) [AU]:
State or Province Identify (full identify) []:
Locality Identify (for instance, metropolis) []:
Group Identify (for instance, firm) []:
Organizational Unit Identify (for instance, part) []:
Widespread Identify (e.g. server FQDN or YOUR identify) []: XXXXXXXREGISTRATION-CODEXXXXXXX
E mail Tackle []:
Please enter the next 'further' attributes
to be despatched together with your certificates request
A problem password []:
An elective firm identify []:

We used the CSR to create a personal key verification certificates. We’ll use this step’s verificationCert.pem file after we register the CA certificates.

openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256

Upon profitable completion, we should always see the next output:

Getting CA Personal Key

Lastly, we’ll name the register-ca-certificate CLI command to register the CA certificates.

aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem --set-as-active --allow-auto-registration --region us-east-1

Notice: Take a be aware of the Certificates ID to be used sooner or later verification step.

We must always get a profitable response with the returned Certificates ID and Certificates ARN.

After registering the CA certificates, you may nonetheless name UpdateCACertificate API or update-ca-certificate CLI command to replace the registered CA certificates, if wanted.

Now that now we have registered the CA, let’s make a management aircraft name to AWS IoT Core’s endpoint and confirm that it registered the CA. Run the next command (substitute Certificates ID with the returned worth from aws iot register-ca-certificate command):

aws iot describe-ca-certificate --region us-east-1 --certificate-id <<Certificate_ID>> 

It’s best to see an analogous JSON output:

  "certificateDescription": {
    "certificateArn": "arn:aws:iot:us-east-1:YYYYYYYYYYYY:cacert/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "certificateId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "standing": "ACTIVE",
    "certificatePem": "-----BEGIN CERTIFICATE-----xxxxxxxxnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn-----END CERTIFICATE-----n",
    "ownedBy": "YYYYYYYYYYYY",
    "creationDate": 1655249872.319,
    "autoRegistrationStatus": "ENABLE",
    "lastModifiedDate": 1655249872.319,
    "customerVersion": 1,
    "generationId": "7xxxxxxxxxxxxxxxxxxxxxxxxxxxxe9",
    "validity": {
      "notBefore": 1655249071.0,
      "notAfter": 1743722671.0
    "certificateMode": "DEFAULT"

Setup CA in Account 2

Let’s open our second account and arrange the Cloud9 surroundings as earlier than.

Since we’ll register the identical CA within the second account as we did within the first account, we’ll use SNI_ONLY mode. On this mode, we don’t want to hold out verification steps as we did for the primary account.

Please copy rootCA.pem file from account one after which run the next command:

aws iot register-ca-certificate --ca-certificate file://rootCA.pem --certificate-mode SNI_ONLY --set-as-active --allow-auto-registration --region us-east-1

Confirm the CA has been registered

aws iot describe-ca-certificate --region us-east-1 --certificate-id <<Certificate_ID>>

It’s best to see following output, which confirms the certificates mode is SNI_ONLY:

  "certificateDescription": {
    "certificateArn": "arn:aws:iot:us-east-1:ZZZZZZZZZZZZ:cacert/4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0",
    "certificateId": "4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0",
    "standing": "ACTIVE",
    "certificatePem": "-----BEGIN CERTIFICATE-----xxxxxxxxxxxxnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn-----END CERTIFICATE-----n",
    "ownedBy": "ZZZZZZZZZZZZ",
    "creationDate": 1655252314.053,
    "autoRegistrationStatus": "ENABLE",
    "lastModifiedDate": 1655252314.053,
    "customerVersion": 1,
    "generationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "validity": {
      "notBefore": 1655249071.0,
      "notAfter": 1743722671.0
    "certificateMode": "SNI_ONLY"

Now you should use the CA certificates with SNI_ONLY certificates mode the identical method as you’d with DEFAULT mode.


We reviewed the brand new functionality that simplifies registering the identical CA certificates in two AWS accounts, assuaging the necessity to provision further CAs when utilizing a number of accounts, corresponding to for improvement, testing, and manufacturing. We additionally demonstrated the right way to use SNI_ONLY certificates mode to register a CA certificates with out the necessity for CA’s personal keys, which simplifies the safety configuration and accelerates time-to-market.

To study extra about CA registration, go to developer documentation, and to study extra about certificates mode, see the API documentation. To register the certificates manually, seek advice from the next developer documentation. To study extra in regards to the SNI mode, seek advice from TLS extensions documentation.

In regards to the Authors

Syed Rehan is a World Sr. Specialist Options Architect at Amazon Internet Companies and relies in London. He’s overlaying international span of consumers and supporting them as lead IoT Answer Architect. Syed has in-depth data of IoT and cloud and works on this function with international clients starting from start-up to enterprises to allow them to construct IoT options with the AWS eco system.
Victor Lesau is a Sr. Technical Product Supervisor at Amazon Internet Companies. He focuses on product technique, roadmap planning, enterprise evaluation, buyer engagement and different product administration areas of AWS IoT Core and AWS IoT Identification providers and good house initiatives.


Most Popular