Your assessment is correct. Just rotate the AWS Root CA before the expiry date.
Alternatively, if you want to use your own server certificate with longer validity, feel free to check out the newly announced "Custom Domains for Configurable Endpoints" feature: https://aws.amazon.com/blogs/aws/welcome-to-aws-iot-day/
https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html
Alok
Can anyone (perhaps an Amazonian) give me some pointers on this, please? Perhaps the answer is that this is not a good question. That feedback is also useful.
While I am waiting for a response here, I continue to investigate.
To clarify a bit more, here is our architecture -
Our device is an MQTT client communicating with the AWS IoT broker over TLS. We chose to use MQTT over WebSockets (port 443) because our devices are deployed in customers' homes. We don't have control over the customer's network. The provisioning workflow is important, so we will use the JITP workflow provided by AWS IoT.
(https://aws.amazon.com/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/)
As for my question regarding the various certificates involved in the workflow and their expiry, a lot of them are in our own control:
1. Root CA created by us once (used to create the Custom CA certificate and the Device Certificates)
   We can make this valid for 30 years at the time of creation.
2. Our Custom CA certificate, generated and registered with AWS IoT once
   This registered certificate seems to have the same expiry as 1 above, so it can last 30 years.
3. Device Certificates created during Just-in-Time provisioning while manufacturing (using our Root CA from step 1)
   We can set the expiry date to be 30 years later at the time of manufacturing.
4. Device Private Key generated during manufacturing
   N/A (no expiry)
5. AWS Root CA downloaded from AWS and installed on the device during manufacturing
   Well, this will expire in 2038 (in 18 years) per AWS IoT.
6. Per-device certificate issued and attached to the device on AWS IoT
   Well, this expires in 2048 as per the AWS IoT dashboard.
So it all boils down to item 5, the AWS Root CA that needs to be put on the device. It expires in 18 years, which is less than our goal of a 30-year minimum.
Can we counter this if we simply install the newer Root CA during our automated firmware upgrades? Is this even necessary? If needed, will everything else work as expected if we just upgrade the Root CA when it is about to expire?
Hoping to get some confirmation on this. Thanks in advance.
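The inventory above is really a question of which certificate in the device's trust material expires first relative to the planned service life. As an added example (not code from the thread or from AWS), the script below walks the DER structure of an X.509 certificate with the standard library only, pulls out the notBefore/notAfter validity window, and reports which certificates in a device's chain would expire before a 30-year service-life goal. The certificates it checks are constructed stand-ins (correct DER layout, dummy issuer, key and signature) whose expiry dates are chosen to mirror the post: a trusted root expiring in 2038 and an operator-owned root valid past 2050. Names such as `make_test_cert`, `cert_validity` and `chain_review` are this example's own; nothing here verifies a signature, it only reads the validity field.

```python
# Added example: dependency-free X.509 validity check for a device trust chain.
# Builds constructed test certificates, then parses notAfter out of real DER.
from datetime import datetime, timezone


def _der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def _time(dt):
    """RFC 5280 rule: UTCTime (2-digit year) before 2050, GeneralizedTime from 2050 on."""
    if dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def make_test_cert(not_before, not_after):
    """Constructed stand-in certificate (hypothetical): valid DER layout, dummy contents."""
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x13, b"test"))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                    # [0] version v3
               + _tlv(0x02, b"\x01")                               # serialNumber
               + alg + name                                        # signature alg, issuer
               + _tlv(0x30, _time(not_before) + _time(not_after))  # validity
               + name                                              # subject
               + _tlv(0x30, alg + _tlv(0x03, b"\x00\x00")))        # dummy SPKI
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00\x00"))         # dummy signature


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """All top-level DER elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Decode UTCTime (pivot year 50, per RFC 5280) or GeneralizedTime to aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def cert_validity(der_cert):
    """(notBefore, notAfter) of a DER X.509 certificate; reads only the validity field."""
    _, cert_body, _ = _read_tlv(der_cert, 0)
    _, tbs, _ = _read_tlv(cert_body, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:            # optional explicit [0] version comes first
        fields = fields[1:]
    validity = _children(fields[3][1])  # serial, sigalg, issuer, validity
    return _parse_time(*validity[0]), _parse_time(*validity[1])


def chain_review(inventory, manufactured, service_years=30):
    """Flag every certificate whose notAfter falls before manufacture + service life."""
    goal = manufactured.replace(year=manufactured.year + service_years)
    report = {}
    for name, der_cert in inventory.items():
        _, not_after = cert_validity(der_cert)
        report[name] = {"not_after": not_after, "needs_rotation": not_after < goal}
    return report


# Constructed sample inventory: dates chosen to mirror the post, not real AWS certificates.
UTC = timezone.utc
SAMPLE_INVENTORY = {
    "aws_root_ca": make_test_cert(datetime(2015, 1, 1, tzinfo=UTC), datetime(2038, 1, 1, tzinfo=UTC)),
    "own_root_ca": make_test_cert(datetime(2020, 1, 1, tzinfo=UTC), datetime(2050, 6, 1, tzinfo=UTC)),
}

if __name__ == "__main__":
    for name, row in chain_review(SAMPLE_INVENTORY, datetime(2020, 1, 1, tzinfo=UTC)).items():
        print(name, row["not_after"].date(), "rotate" if row["needs_rotation"] else "ok")
```

Run on a real chain by loading DER files (or base64-decoding a PEM body) into the inventory dict; the walker deliberately stops at the validity field, so it works on any RFC 5280 certificate regardless of key type. In practice the firmware-update path that delivers the replacement root should be exercised and monitored well before the 2038 date rather than on the day it expires.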
Thanks for the information, Alok.
The "Custom domain" feature may solve even the server certificate expiry issue. This feature is still in Beta and available only in US-East for now.
But if the only additional task in the current workflow is to copy the new AWS Root CA when it is time, that also works.