1 Respuesta
- Más nuevo
- Más votos
- Más comentarios
2
Hi Daniel,
Core device cert rotation is not supported by Greengrass (v1 or v2), you'll need to implement your own rotation mechanism. Here's an example solution that may be relevant.
The GGv1 cert rotation I believe you're referring to is for the MQTT server cert, which has a configurable expiration.
In GGv2, the analogous way to rotate the MQTT server cert is via the Client Device Auth component's serverCertificateValiditySeconds configuration, which defaults to 7 days.
respondido hace 2 años
Contenido relevante
- OFICIAL DE AWSActualizada hace 2 años
- OFICIAL DE AWSActualizada hace 10 meses
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace un año
Hi Joseph, thanks for your answer.
I meant the core device cert rotation only (mentioned the MQTT server cert by mistake, sorry for that).
If I implement something like the example solution, then after the cert rotation the container would have to be restarted, is that correct? Could I use IPC (e.g. CertificateUpdateEvent) to "notify" greengrass (v2) that the certificate has been rotated?
Yep after rotation, greengrass will need to be restarted so the connection to IoT Core uses the new cert. There's no built-in way to notify greengrass when a core device's IoT cert rotates, unfortunately. CertificateUpdateEvent/SubscribeToCertificateUpdates applies to the MQTT server cert, not the device's IoT cert.
Ok, thanks a lot.