aws iot device certificates expired



i have some devices using the method above to provision the certificate. but their certificates expired.

It is very hard to update the certificates in the device.

So, my question is : how can the devices connect to the AWS IOT Core as before?


asked 17 days ago37 views
4 Answers

At AWS security is always job zero. Please also take a look at Security best practices in AWS IoT Core which explains also why security is important.

Imagine you would allow your devices to connect without authentication/authorization then everyone could use your IoT endpoint.

You can use custom authentication in AWS IoT Core to build your own authentication logic.

You can also setup your own MQTT broker, for example on EC2 which meets your security requirements.


answered 15 days ago

Yeah, that's a problem. I don't know of a way to let it connect using an expired certificate.

What you have to do is generate the certificate with a very, very long expiration. I generally have IoT Core generate my device certificates, so I looked to see what it made:

            Not Before: Mar  2 21:24:37 2022 GMT
            Not After : Dec 31 23:59:59 2049 GMT

so it generated a cert good for 27 years, not quite sure why that number but ok. This Dec 2049 date was confirmed by someone on stack overflow as well.

If your device can't generate a new certificate before it expires, then I think your only choice is to install certs with a very long expiration, whether you generate them with openssl or not.

answered 17 days ago

From a security perspective you should never use long lived certificates. A certificate lifetime should not go beyond 2 or 3 years. When you rotate your certificates/keys regularly you can make sure that you are always use the latest and most secure algorithms.

You can use AWS IoT Device Defenders device certificate expiring audit to get a notification about certificates that will expire soon. You can then take automated actions to rotate your certificate.

You can find an example architecture in the AWS IoT Jumpstart.

You can also try to open a support ticket with AWS IoT.


answered 17 days ago

Yes, Thanks all the answers.

I realize my situation now. But i think the design of the AWS IOT should consider both security and simplicity.

Now, the design is only consider the security. The implementation is so complex. I need lots of codes on it. and i need change a lot of code in order to comply this security rules.

But my device is cheap and it is no sense to implement such complicated code.

I really don't care if the device is secure or not.

Why can't i use AWS IOT in simple way? Why can't i config it without security?

answered 17 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions