AWS IoT custom domain ECDSA support


We configured a custom domain using this guide:

The domain is enabled and active.

The TLS handshake works with no cipher constraints; however, when the cipher suites are constrained to ECDSA, the connection is dropped after the client hello.

$ openssl s_client -cipher ECDSA -connect custom-domain-name:8883 -showcerts -servername custom-domain-name
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 284 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Is ECDSA not supported? This is odd since it is one of the recommended cipher suites here:

asked 2 years ago · 361 views
2 Answers
Accepted Answer

When setting up a custom domain you need to attach a server certificate to the endpoint which has either an ECDSA signature or an RSA signature. In practice this means that you can either use an RSA cipher or an ECDSA cipher but not both for the same custom domain endpoint.

The standard endpoint, on the other hand, supports both ciphers.

answered 2 years ago
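
The behaviour described in the accepted answer can be modelled locally with Python's ssl module (an added example, not part of the original thread and not AWS code). It lists which TLS 1.2 suites a client cipher string offers and which of them a server holding only an RSA or only an ECDSA certificate could select; the function names are hypothetical, and TLS 1.3 suites are left out because they do not name an authentication algorithm.

```python
import ssl

# Authentication tag OpenSSL reports for the suites usable with each
# server certificate key type.
AUTH_FOR_CERT = {"RSA": "auth-rsa", "ECDSA": "auth-ecdsa"}


def offered_suites(cipher_string):
    """Return (name, auth) for every pre-TLS 1.3 suite the cipher string enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # same syntax as `openssl s_client -cipher`
    return [(c["name"], c["auth"]) for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def negotiable(cipher_string, server_cert_type):
    """Suites from the client's offer that a server with one certificate type can pick."""
    wanted = AUTH_FOR_CERT[server_cert_type]
    return [name for name, auth in offered_suites(cipher_string) if auth == wanted]


def diagnose(cipher_string, server_cert_type):
    """One-line verdict for a client cipher string against a server certificate type."""
    usable = negotiable(cipher_string, server_cert_type)
    if not usable:
        return (f"-cipher {cipher_string} vs {server_cert_type} certificate: "
                "no shared suite, handshake fails after ClientHello")
    return (f"-cipher {cipher_string} vs {server_cert_type} certificate: "
            f"{len(usable)} usable suites, e.g. {usable[0]}")


if __name__ == "__main__":
    # Constructed scenarios: the client cipher strings are sample inputs,
    # the certificate type stands for the one attached to the endpoint.
    for cipher_string in ("ECDSA", "aRSA", "DEFAULT"):
        for cert_type in ("RSA", "ECDSA"):
            print(diagnose(cipher_string, cert_type))
```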

This should be noted in the docs at under "ACM-generated public certificates"

When using an ACM-issued certificate this limits you to RSA, since ACM does not issue ECDSA certificates.

answered 2 years ago
