Hi,
To ensure that the device connects to the account which corresponds to the specified endpoint, you need to:
- register the certificate in both accounts. This is called Multi Account Registration. Follow the instructions for registering a client certificate signed by an unregistered CA.
- ensure the MQTT client you use sends the SNI extension.
Regards,
Massimiliano
I discussed this with one of my engineers in the past
I think it is not expected behavior for a device to be able to connect to the wrong environment (in this case, the "dev" environment) with the wrong endpoint (in this case, the "bbbbbbb...." endpoint that belongs to the "staging" environment).
When a device is provisioned with Just-in-Time Provisioning (JITP) in AWS IoT Core, it receives a unique X.509 certificate and private key that is used to authenticate the device when it connects to AWS IoT Core. The device also receives an endpoint URL that it should use to connect to AWS IoT Core.
If the device attempts to connect to the wrong endpoint URL, it will not be able to establish a connection with AWS IoT Core. The device should only be able to connect to the correct environment (either "dev" or "staging") using the correct endpoint URL for that environment.
It is possible that there may be some issue with the device or its configuration that is causing it to connect to the wrong environment. It would be helpful to check the device logs and configuration to try to determine the cause of the issue. @seekrsi
For general certificates that do not use multi-account registration or the SNI field for connection, this actually will work. IoT Core will check the certificate id (hash) and determine which account it belongs to, and then if the policy allows, establish a connection to that AWS account regardless of the endpoint FQDN used.