AWS IoT device certificates expired

0

Dear,

https://aws.amazon.com/tw/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/

I have some devices using the method above to provision their certificates, but their certificates have expired.

It is very hard to update the certificates on the device.

So, my question is: how can the devices connect to AWS IoT Core as before?

Thanks.

asked a year ago, 546 views
4 answers
1

At AWS, security is always job zero. Please also take a look at Security best practices in AWS IoT Core, which also explains why security is important.

Imagine you allowed your devices to connect without authentication/authorization; then everyone could use your IoT endpoint.

You can use custom authentication in AWS IoT Core to build your own authentication logic.

You can also set up your own MQTT broker, for example on EC2, which meets your security requirements.

Cheers,
Philipp

AWS
EXPERT
answered a year ago
0

Yeah, that's a problem. I don't know of a way to let it connect using an expired certificate.

What you have to do is generate the certificate with a very, very long expiration. I generally have IoT Core generate my device certificates, so I looked to see what it made:

        Validity
            Not Before: Mar  2 21:24:37 2022 GMT
            Not After : Dec 31 23:59:59 2049 GMT

So it generated a cert good for 27 years; not quite sure why that number, but OK. This Dec 2049 date was confirmed by someone on Stack Overflow as well.

If your device can't generate a new certificate before it expires, then I think your only choice is to install certs with a very long expiration, whether you generate them with openssl or not.

wz2b
answered a year ago
0

From a security perspective, you should never use long-lived certificates. A certificate lifetime should not go beyond 2 or 3 years. When you rotate your certificates/keys regularly, you can make sure that you are always using the latest and most secure algorithms.

You can use AWS IoT Device Defender's device certificate expiring audit to get a notification about certificates that will expire soon. You can then take automated actions to rotate your certificate.

You can find an example architecture in the AWS IoT Jumpstart.

You can also try to open a support ticket with AWS IoT.

Cheers,
Philipp

AWS
EXPERT
answered a year ago
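The two answers above both hinge on knowing where each device certificate sits in its validity window: wz2b's answer reads it off the `Validity` block of `openssl x509 -text`, and Philipp's points at the Device Defender audit that flags certificates expiring soon. The following is an added example, not code from the thread or from AWS, that does that check offline: it parses both openssl output forms (`Not After :` from `-text` and `notAfter=` from `-dates`), classifies a certificate as expired, expiring soon, not yet valid or valid against a chosen point in time, and runs that over a small constructed fleet the way an audit would. The sample validity windows, thing names and the 30-day warning threshold are constructed for illustration.

```python
"""Offline device-certificate expiry check from openssl output (added example, not AWS code)."""
import re
from datetime import datetime, timezone

# Constructed samples, not real fleet data. The first is the Validity block as printed
# by `openssl x509 -noout -text`; the second is the `openssl x509 -noout -dates` form.
SAMPLE_LONG_LIVED = """\
        Validity
            Not Before: Mar  2 21:24:37 2022 GMT
            Not After : Dec 31 23:59:59 2049 GMT
"""
SAMPLE_TWO_YEAR = """\
notBefore=Jan 10 08:00:00 2021 GMT
notAfter=Jan 10 08:00:00 2023 GMT
"""

# Accept both output forms: "Not After : <date>" and "notAfter=<date>".
_NOT_BEFORE_RE = re.compile(r"(?:Not Before\s*:|notBefore=)\s*(.+?)\s*$", re.MULTILINE)
_NOT_AFTER_RE = re.compile(r"(?:Not After\s*:|notAfter=)\s*(.+?)\s*$", re.MULTILINE)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (used for the reference time and in tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_openssl_date(text):
    """Parse 'Mar  2 21:24:37 2022 GMT' (openssl pads single-digit days) to an aware UTC datetime."""
    parts = text.split()  # collapses the double space before a single-digit day
    if parts[-1] != "GMT":
        raise ValueError("expected a GMT timestamp, got %r" % text)
    return datetime.strptime(" ".join(parts[:-1]), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def validity_window(openssl_output):
    """Return (not_before, not_after) from either openssl output form."""
    nb = _NOT_BEFORE_RE.search(openssl_output)
    na = _NOT_AFTER_RE.search(openssl_output)
    if not nb or not na:
        raise ValueError("no validity dates found in openssl output")
    return parse_openssl_date(nb.group(1)), parse_openssl_date(na.group(1))


def classify(openssl_output, now, warn_days=30):
    """Classify one certificate relative to `now`; warn_days mirrors an audit's 'expiring soon' window."""
    not_before, not_after = validity_window(openssl_output)
    days_left = (not_after - now).days
    if now < not_before:
        status = "not_yet_valid"
    elif now >= not_after:
        status = "expired"  # the broker will reject the TLS handshake from here on
    elif days_left < warn_days:
        status = "expiring_soon"  # rotate now, while the device can still connect
    else:
        status = "valid"
    return {"status": status, "days_left": days_left, "not_after": not_after}


def audit_fleet(certs, now, warn_days=30):
    """certs maps thing name -> openssl output. Returns only the things that need action."""
    findings = {}
    for thing, output in certs.items():
        result = classify(output, now, warn_days)
        if result["status"] != "valid":
            findings[thing] = result["status"]
    return findings


if __name__ == "__main__":
    reference_time = utc(2022, 12, 20)  # constructed "now" for the demo
    fleet = {"sensor-001": SAMPLE_LONG_LIVED, "sensor-002": SAMPLE_TWO_YEAR}
    for thing, status in audit_fleet(fleet, reference_time).items():
        print("%s: %s" % (thing, status))
```

Run it against real certificates by piping `openssl x509 -in device.pem -noout -dates` into `classify`; a device that shows up as `expiring_soon` still has a working credential, which is the window in which a rotation (new key pair, new certificate registered with IoT Core, old one deactivated) can be done over the existing connection rather than by hand on the hardware.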
0

Yes, thanks for all the answers.

I realize my situation now. But I think the design of AWS IoT should consider both security and simplicity.

Now, the design only considers security. The implementation is so complex. I need lots of code for it, and I need to change a lot of code in order to comply with these security rules.

But my device is cheap, and it makes no sense to implement such complicated code.

I really don't care if the device is secure or not.

Why can't I use AWS IoT in a simple way? Why can't I configure it without security?

answered a year ago
