1 Answer
2
Hi Daniel,
Core device cert rotation is not supported by Greengrass (v1 or v2); you'll need to implement your own rotation mechanism. Here's an example solution that may be relevant.
The GGv1 cert rotation I believe you're referring to is for the MQTT server cert, which has a configurable expiration.
In GGv2, the analogous way to rotate the MQTT server cert is via the Client Device Auth component's serverCertificateValiditySeconds configuration, which defaults to 7 days.
answered 2 years ago
Hi Joseph, thanks for your answer.
I meant the core device cert rotation only (mentioned the MQTT server cert by mistake, sorry for that).
If I implement something like the example solution, then after the cert rotation the container would have to be restarted, is that correct? Could I use IPC (e.g. CertificateUpdateEvent) to "notify" Greengrass (v2) that the certificate has been rotated?
Yep, after rotation, Greengrass will need to be restarted so the connection to IoT Core uses the new cert. There's no built-in way to notify Greengrass when a core device's IoT cert rotates, unfortunately. CertificateUpdateEvent/SubscribeToCertificateUpdates applies to the MQTT server cert, not the device's IoT cert.
Ok, thanks a lot.
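A sketch of the self-implemented core device cert rotation discussed in this thread, as an added example that is not part of the original posts and not the linked example solution. It assumes `iot` is a boto3 `iot` client with permission to manage certificates, and that `cert_path` and `key_path` (hypothetical parameters) are the files the Greengrass core is configured to read; the function names are made up for illustration.

```python
import os
import tempfile


def _write_atomic(path, data, mode):
    """Write to a temp file in the same directory, then rename over the target."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.chmod(tmp, mode)
    os.replace(tmp, path)


def rotate_core_cert(iot, thing_name, old_cert_arn, cert_path, key_path):
    """Issue a new device cert, give it the old cert's policies, install it.

    Returns the new certificate ARN. The old certificate is left ACTIVE so
    the core can still connect if the restart on the new cert fails.
    """
    new = iot.create_keys_and_certificate(setAsActive=True)
    new_arn = new["certificateArn"]
    # Copy the policies attached to the old certificate onto the new one
    # (first page only; paginate if a cert carries many policies).
    for pol in iot.list_attached_policies(target=old_cert_arn)["policies"]:
        iot.attach_policy(policyName=pol["policyName"], target=new_arn)
    iot.attach_thing_principal(thingName=thing_name, principal=new_arn)
    _write_atomic(key_path, new["keyPair"]["PrivateKey"], 0o600)
    _write_atomic(cert_path, new["certificatePem"], 0o644)
    # As the answer states, Greengrass must now be restarted so its
    # connection to IoT Core uses the new cert; that step is the caller's.
    return new_arn


def retire_old_cert(iot, thing_name, old_cert_arn):
    """Call only after Greengrass has restarted and reconnected on the new cert."""
    old_id = old_cert_arn.rsplit("/", 1)[-1]
    iot.detach_thing_principal(thingName=thing_name, principal=old_cert_arn)
    iot.update_certificate(certificateId=old_id, newStatus="INACTIVE")
```

Splitting rotation and retirement keeps the old cert usable as a fallback until the restarted core is confirmed connected. If the private key must never leave the device, `create_certificate_from_csr` is the IoT API call to use in place of `create_keys_and_certificate`.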