Saturday, January 28, 2023
HomeIoTSimplify multi-account gadget provisioning and certificates authority registration when utilizing AWS IoT...

Simplify multi-account gadget provisioning and certificates authority registration when utilizing AWS IoT Core

Prospects usually handle a number of AWS accounts to separate their improvement, staging, and manufacturing environments. When deploying IoT workloads on AWS IoT Core, prospects often use distinctive X.509 certificates for figuring out gadgets and certificates authorities (CAs) for validating the signature of gadget certificates throughout provisioning. On this weblog, we’ll exhibit the way to use the newly launched functionality of AWS IoT Core to simplify each gadget provisioning and CA registration for purchasers that use a number of accounts.

Within the prior model, prospects that handle totally different AWS accounts to distinguish between improvement and manufacturing workloads needed to configure a number of CAs to attach the identical gadget to a number of accounts in the course of the improvement course of. With this replace, you should utilize the identical CA throughout varied accounts to simplify gadget provisioning when utilizing Simply-in-Time Provisioning (JITP) and Simply-in-Time Registration (JITR) and enhance safety posture by having fewer CAs.

This replace additionally simplifies the CA registration course of for AWS IoT Core to validate the signature of gadget certificates throughout provisioning. Beforehand, to show possession earlier than registering the CA, you needed to have entry to the CA’s personal key. Nonetheless, these personal keys are usually managed by gadget distributors or safety groups of organizations that function their very own CAs, and aren’t shared with the builders, which makes it difficult for builders to show possession of the CAs. With this replace, your improvement staff can straight handle the registration of CAs and simplify the gadget provisioning course of.

The brand new functionality is particular to JIPT and JITR provisioning strategies that mechanically provision gadgets on their first try to connect with AWS IoT Core and enhances these strategies for multi-account use circumstances. In distinction, Multi-Account Registration (MAR) of gadget certificates permits prospects to maneuver gadgets between totally different AWS accounts with out registering CA, however requires registering gadget certificates on AWS IoT Core for every account manually.

Prospects are already benefiting from the brand new capabilities

The power to register CAs in a number of accounts and simplification of CA registration with AWS IoT Core reduces complexity for purchasers and helps speed up time-to-market.

iRobot: lowering the complexity of gadget identification provisioning in multi-account environments


iRobot designs and builds robots that empower folks to do extra inside and out of doors the house. iRobot makes use of a number of AWS accounts to separate their improvement, testing, and manufacturing environments. “With the brand new functionality of AWS IoT Core to register CA certificates in a number of accounts, we are able to provision identities on our improvement robots as soon as and transfer them among the many authorised improvement accounts as wanted with out re-provisioning. This simplifies the event course of, which in flip helps enhance our safety posture as a result of we are able to have tighter management over the diminished variety of CAs and affiliate the CAs with safety boundaries,” mentioned Ben Kehoe, Cloud Architect at iRobot.

WirelessCar: accelerating time-to-market by simplifying safety configuration

wirelessCarWirelessCar is without doubt one of the world’s main innovators of digital car companies. They flip car knowledge into enterprise worth for shoppers, mobility suppliers, car makers, and society. WirelessCar makes use of Simply-in-Time Provisioning for automating the provisioning of autos with X.509 certificate-based identities. “The brand new simplification of the CA registration with AWS IoT Core helps our builders transfer quicker with out ready for verification certificates from our safety staff,” mentioned Henrik Strömberg, Answer Architect at WirelessCar. “Our safety staff can maintain the sturdy safety posture with out turning into the bottleneck in our fast-paced improvement surroundings.”

Getting began

The brand new functionality permits registering a CA certificates in a number of accounts of the identical area (and, in fact, throughout a number of areas, which was attainable earlier than) with out proving the possession of the CA’s personal key. The potential is unlocked if a tool can ship the Server Identify Indication (SNI) subject, which communicates the endpoint it’s trying to connect with at the beginning of the Transport Layer Safety handshaking course of. The brand new functionality enhances JITP and JITR gadget provisioning strategies. Now you can register CA certificates in one of many following two modes:

  • DEFAULT: register a CA certificates with a verification certificates
  • SNI_ONLY: register a CA certificates with out a verification certificates

AWS IoT Core registers gadget certificates in SNI_ONLY mode while you register the signing CA in SNI_ONLY mode.

Key factors:

  • Just one account can register a CA in DEFAULT mode in a single area.
  • A number of accounts can register the identical CA in SNI_ONLY mode in the identical area. There isn’t any restrict on the variety of accounts within the area the place such CA is registered.
  • A number of accounts can register the identical CA in both DEFAULT or SNI_ONLY modes if these accounts are in numerous areas — this was attainable earlier than.
  • A CA may be in numerous modes throughout accounts. For instance, one account can register it in DEFAULT mode and one other account in SNI_ONLY mode.
  • In a given account, a CA can exist in just one mode. To vary the mode of the registered CA, you must delete the CA and register it once more.

Let’s take a look at organising this new function and testing it in your accounts. We’ll present that we are able to register the identical CA in a number of accounts by means of the next steps:

  • We’ll arrange Cloud9 situations in two totally different accounts
  • We’ll arrange CA within the first account in DEFAULT mode
  • We’ll arrange CA within the second account in SNI_ONLY mode
  • Confirm that the CA is registered in each accounts to validate the function

Answer structure

solution Architecture

Answer structure – Determine 1

Answer overview and implementation

Creating the take a look at surroundings

Use the Get Began With IoT workshop to arrange the AWS Cloud9 surroundings shortly. Choose any AWS area closest to your location. On this weblog, we’ll use US-EAST-1. Arrange two Cloud9 environments in the identical area however two totally different accounts as a result of we’ll take a look at the multi-account nature of the launched functionality. After finishing the setup utilizing the AWS CloudFormation template from the workshop, let’s start organising certificates authorities. Open the Cloud9 terminal (see the trace right here), and let’s arrange the primary CA certificates.

Setup CA in Account 1

Let’s arrange CA on this first account in DEFAULT mode. To register a DEFAULT CA certificates, comply with our current publicly out there API docs right here.

Create a CA certificates

openssl genrsa -out rootCA.key 2048

You need to see an identical output:

e is 65537 (0x010001)
Producing RSA personal key, 2048 bit lengthy modulus (2 primes)

Now, let’s create a config file to generate a CA certificates by means of OpenSSL. Create a file named rootCA_openssl.conf with the next contents:

[ v3_ca ]
basicConstraints = CA:TRUE

This config file explicitly states that the certificates to be generated is a CA and never a leaf certificates. As soon as the rootCA_openssl.conf file is created, let’s run the next instructions to generate the rootCA.pem file and fill within the particulars accordingly:

openssl req -new -sha256 -key rootCA.key -nodes -out rootCA.csr
openssl x509 -req -days 1024 -extfile rootCA_openssl.conf -extensions v3_ca -in rootCA.csr -signkey rootCA.key -out rootCA.pem

By now, we must always have two information, rootCA.key and rootCA.pem. We’ll use them within the steps beneath.

Register CA

We derived the directions from our publicly out there doc for registering your CA certificates. First, we get a license plate from AWS IoT Core. We’ll use this code because the Frequent Identify of the personal key verification certificates.

aws iot get-registration-code --region us-east-1

You need to see an identical output:

  "registrationCode": "xxxxxxxxxxx7a60e19fxxxxxxxxxxxxxx8381dbd3457xxxxxxxxxxxxxx"

Now, let’s generate a key pair for the personal key verification certificates. We’ll get a file referred to as verificationCert.key.

openssl genrsa -out verificationCert.key 2048

You need to see an identical output:

e is 65537 (0x01xxxx)
Producing RSA personal key, 2048 bit lengthy modulus (2 primes)

Subsequent, we’ll execute the next command to create a CSR for the personal key verification certificates. We’ll get a file referred to as verificationCert.csr.

openssl req -new -key verificationCert.key -out verificationCert.csr

Now, we have to set the Frequent Identify subject of the certificates with the license plate out from the sooner step. Populate the remainder of the fields based on your particulars:

Nation Identify (2 letter code) [AU]:
State or Province Identify (full identify) []:
Locality Identify (for instance, metropolis) []:
Group Identify (for instance, firm) []:
Organizational Unit Identify (for instance, part) []:
Frequent Identify (e.g. server FQDN or YOUR identify) []: XXXXXXXREGISTRATION-CODEXXXXXXX
E mail Tackle []:
Please enter the next 'additional' attributes
to be despatched along with your certificates request
A problem password []:
An non-obligatory firm identify []:

We used the CSR to create a non-public key verification certificates. We’ll use this step’s verificationCert.pem file once we register the CA certificates.

openssl x509 -req -in verificationCert.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out verificationCert.pem -days 500 -sha256

Upon profitable completion, we must always see the next output:

Getting CA Non-public Key

Lastly, we’ll name the register-ca-certificate CLI command to register the CA certificates.

aws iot register-ca-certificate --ca-certificate file://rootCA.pem --verification-cert file://verificationCert.pem --set-as-active --allow-auto-registration --region us-east-1

Observe: Take a word of the Certificates ID to be used sooner or later verification step.

We must always get a profitable response with the returned Certificates ID and Certificates ARN.

After registering the CA certificates, you’ll be able to nonetheless name UpdateCACertificate API or update-ca-certificate CLI command to replace the registered CA certificates, if wanted.

Now that we have now registered the CA, let’s make a management airplane name to AWS IoT Core’s endpoint and confirm that it registered the CA. Run the next command (substitute Certificates ID with the returned worth from aws iot register-ca-certificate command):

aws iot describe-ca-certificate --region us-east-1 --certificate-id <<Certificate_ID>> 

You need to see an identical JSON output:

  "certificateDescription": {
    "certificateArn": "arn:aws:iot:us-east-1:YYYYYYYYYYYY:cacert/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "certificateId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "standing": "ACTIVE",
    "certificatePem": "-----BEGIN CERTIFICATE-----xxxxxxxxnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn-----END CERTIFICATE-----n",
    "ownedBy": "YYYYYYYYYYYY",
    "creationDate": 1655249872.319,
    "autoRegistrationStatus": "ENABLE",
    "lastModifiedDate": 1655249872.319,
    "customerVersion": 1,
    "generationId": "7xxxxxxxxxxxxxxxxxxxxxxxxxxxxe9",
    "validity": {
      "notBefore": 1655249071.0,
      "notAfter": 1743722671.0
    "certificateMode": "DEFAULT"

Setup CA in Account 2

Let’s open our second account and arrange the Cloud9 surroundings as earlier than.

Since we’ll register the identical CA within the second account as we did within the first account, we’ll use SNI_ONLY mode. On this mode, we don’t want to hold out verification steps as we did for the primary account.

Please copy rootCA.pem file from account one after which run the next command:

aws iot register-ca-certificate --ca-certificate file://rootCA.pem --certificate-mode SNI_ONLY --set-as-active --allow-auto-registration --region us-east-1

Confirm the CA has been registered

aws iot describe-ca-certificate --region us-east-1 --certificate-id <<Certificate_ID>>

You need to see following output, which confirms the certificates mode is SNI_ONLY:

  "certificateDescription": {
    "certificateArn": "arn:aws:iot:us-east-1:ZZZZZZZZZZZZ:cacert/4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0",
    "certificateId": "4xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx0",
    "standing": "ACTIVE",
    "certificatePem": "-----BEGIN CERTIFICATE-----xxxxxxxxxxxxnxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxn-----END CERTIFICATE-----n",
    "ownedBy": "ZZZZZZZZZZZZ",
    "creationDate": 1655252314.053,
    "autoRegistrationStatus": "ENABLE",
    "lastModifiedDate": 1655252314.053,
    "customerVersion": 1,
    "generationId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "validity": {
      "notBefore": 1655249071.0,
      "notAfter": 1743722671.0
    "certificateMode": "SNI_ONLY"

Now you should utilize the CA certificates with SNI_ONLY certificates mode the identical means as you’ll with DEFAULT mode.


We reviewed the brand new functionality that simplifies registering the identical CA certificates in two AWS accounts, assuaging the necessity to provision extra CAs when utilizing a number of accounts, equivalent to for improvement, testing, and manufacturing. We additionally demonstrated the way to use SNI_ONLY certificates mode to register a CA certificates with out the necessity for CA’s personal keys, which simplifies the safety configuration and accelerates time-to-market.

To study extra about CA registration, go to developer documentation, and to study extra about certificates mode, see the API documentation. To register the certificates manually, confer with the next developer documentation. To study extra concerning the SNI mode, confer with TLS extensions documentation.

Concerning the Authors

Syed Rehan is a World Sr. Specialist Options Architect at Amazon Net Companies and relies in London. He’s protecting international span of consumers and supporting them as lead IoT Answer Architect. Syed has in-depth data of IoT and cloud and works on this position with international prospects starting from start-up to enterprises to allow them to construct IoT options with the AWS eco system.
Victor Lesau is a Sr. Technical Product Supervisor at Amazon Net Companies. He focuses on product technique, roadmap planning, enterprise evaluation, buyer engagement and different product administration areas of AWS IoT Core and AWS IoT Id companies and sensible house initiatives.



Please enter your comment!
Please enter your name here

sixteen + twelve =

Most Popular

Recent Comments