
Public or Private CA for Bootstrap Certs for Provision By Claim?

0

I have been working on getting an IoT fleet set up and I am torn between the documentation and the sample code. Based on this workshop I was under the impression that bootstrap certs were supposed to be created by my own private CA. But as I was reading this sample code, it seems to me they use an AWS Public root CA.

So what is the truth: do I use a public or a private CA to create bootstrap certificates for my IoT devices?

2 Answers
1

You may use either as per your use case. Both ways are possible: the AWS Public root CA works out of the box if you just want to see the demo work or would prefer not to use an external root CA. You may also use your own, but you would need to register it in your account's registry under AWS IoT > Security > Certificate authorities. Just pick one as per the use case.

AWS
answered a year ago
EXPERT
reviewed a year ago
  • OK, quick follow-up: when creating a provisioning template relying on the public certificates from AWS, it warns me that CSRs will be AWS managed. This is still in relation to their AWS Certificate Manager and NOT their private certificate authorizer. Do you think I understood that correctly?

0

For fleet provisioning by claim, you can use either a public or private CA for your bootstrap (provisioning claim) certificates.

When using fleet provisioning by claim, devices are manufactured with provisioning claim certificates and private keys embedded in them. These are special-purpose credentials that, when registered with AWS IoT, can be exchanged for unique device certificates that the device will use for regular operations.

If you choose to use AWS IoT fleet provisioning, AWS IoT can generate and securely deliver device certificates and private keys to your devices when they connect to AWS IoT for the first time. These client certificates are signed by the Amazon Root certificate authority (CA).

Alternatively, you can implement self-managed certificate signing in fleet provisioning. With this approach, you create an AWS IoT Core certificate provider to sign Certificate Signing Requests (CSRs). You can use this method to sign CSRs with:

  • A CA generated by AWS Private CA
  • Other publicly trusted CAs
  • Your own Public Key Infrastructure (PKI)

The choice between public or private CA depends on your specific security requirements, operational model, and whether you need control over the entire certificate chain. Using AWS Private CA gives you more control over your certificate hierarchy but requires additional setup and management.
Sources
Provisioning devices that don't have device certificates using fleet provisioning - AWS IoT Core
Definitions - Internet of Things (IoT) Lens
Self-managed certificate signing using AWS IoT Core certificate provider - AWS IoT Core
SEC09-BP01 Implement secure key and certificate management - AWS Well-Architected Framework

answered a year ago
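As an added illustration of the exchange the answer above describes (this is example code written for this page, not code from the question, either answer, or AWS's samples), the script below simulates fleet provisioning by claim offline. The MQTT topic names and JSON field names are those of the AWS IoT fleet provisioning API; the broker class, the template name `DemoClaimTemplate`, the claim certificate IDs, the placeholder PEM strings and the single-use treatment of the ownership token are constructed assumptions so that it runs without an AWS account. It shows the two paths a bootstrap (claim) certificate can take: `$aws/certificates/create/json`, where AWS generates the key pair and returns the private key, and `$aws/certificates/create-from-csr/json`, where the device keeps its private key and only a CSR leaves it. The simulated broker also rejects any publish by a claim certificate outside the two provisioning topic families, which is the restriction the claim certificate's IoT policy should enforce.

```python
"""Offline simulation of AWS IoT fleet provisioning by claim (example code).

Topic names and JSON field names follow the AWS IoT fleet provisioning MQTT
API. The broker, template name, claim IDs and PEM strings are constructed
stand-ins so the exchange runs without AWS.
"""
import json
import secrets

TEMPLATE_NAME = "DemoClaimTemplate"  # assumed template name

# Topics from the AWS IoT fleet provisioning MQTT API.
CREATE_KEYS_TOPIC = "$aws/certificates/create/json"
CREATE_FROM_CSR_TOPIC = "$aws/certificates/create-from-csr/json"
PROVISION_TOPIC = f"$aws/provisioning-templates/{TEMPLATE_NAME}/provision/json"

# A claim certificate's IoT policy should allow only these topic families;
# the simulated broker enforces the same restriction.
CLAIM_TOPIC_PREFIXES = ("$aws/certificates/", "$aws/provisioning-templates/")


def _placeholder_pem(label, body):
    """Constructed PEM-looking string; no real X.509 signing happens here."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"


class FakeIoTCore:
    """Constructed stand-in for AWS IoT Core's provisioning endpoints."""

    def __init__(self, registered_claim_ids):
        self.claim_ids = set(registered_claim_ids)
        self.tokens = {}   # ownership token -> certificateId (assumed single use)
        self.things = {}   # thingName -> certificateId

    def request(self, claim_id, topic, raw_payload):
        """Handle one publish made under a claim cert; return (topic, payload)."""
        payload = json.loads(raw_payload)
        if claim_id not in self.claim_ids or not topic.startswith(CLAIM_TOPIC_PREFIXES):
            return topic + "/rejected", {"statusCode": 403, "errorMessage": "Forbidden"}
        if topic in (CREATE_KEYS_TOPIC, CREATE_FROM_CSR_TOPIC):
            if topic == CREATE_FROM_CSR_TOPIC and "certificateSigningRequest" not in payload:
                return topic + "/rejected", {"statusCode": 400, "errorMessage": "Missing CSR"}
            cert_id = secrets.token_hex(8)
            token = secrets.token_urlsafe(32)
            self.tokens[token] = cert_id
            response = {
                "certificateId": cert_id,
                "certificatePem": _placeholder_pem("CERTIFICATE", cert_id),
                "certificateOwnershipToken": token,
            }
            if topic == CREATE_KEYS_TOPIC:
                # Only the AWS-generated-key path returns a private key.
                response["privateKey"] = _placeholder_pem("PRIVATE KEY", secrets.token_hex(16))
            return topic + "/accepted", response
        if topic == PROVISION_TOPIC:
            cert_id = self.tokens.pop(payload.get("certificateOwnershipToken"), None)
            serial = payload.get("parameters", {}).get("SerialNumber")
            if cert_id is None or serial is None:
                return topic + "/rejected", {"statusCode": 400, "errorMessage": "Bad token or parameters"}
            thing_name = "thing-" + serial
            self.things[thing_name] = cert_id
            return topic + "/accepted", {"thingName": thing_name, "deviceConfiguration": {}}
        return topic + "/rejected", {"statusCode": 404, "errorMessage": "Unknown topic"}


def provision_device(core, claim_id, serial, csr=None):
    """Device side: exchange the claim cert for a unique device cert and thing.

    Returns thingName, certificateId and privateKey (None on the CSR path).
    Raises RuntimeError if either step is rejected.
    """
    if csr is None:
        topic, body = CREATE_KEYS_TOPIC, {}
    else:
        topic, body = CREATE_FROM_CSR_TOPIC, {"certificateSigningRequest": csr}
    resp_topic, cert = core.request(claim_id, topic, json.dumps(body))
    if not resp_topic.endswith("/accepted"):
        raise RuntimeError(f"{topic}: {cert['errorMessage']}")
    register = {"certificateOwnershipToken": cert["certificateOwnershipToken"],
                "parameters": {"SerialNumber": serial}}
    resp_topic, reg = core.request(claim_id, PROVISION_TOPIC, json.dumps(register))
    if not resp_topic.endswith("/accepted"):
        raise RuntimeError(f"{PROVISION_TOPIC}: {reg['errorMessage']}")
    return {"thingName": reg["thingName"], "certificateId": cert["certificateId"],
            "privateKey": cert.get("privateKey")}


if __name__ == "__main__":
    core = FakeIoTCore(["claim-0001"])  # constructed claim certificate ID
    print(provision_device(core, "claim-0001", "SN123"))
    csr = _placeholder_pem("CERTIFICATE REQUEST", "constructed-csr")
    print(provision_device(core, "claim-0001", "SN124", csr=csr))
```

Whichever CA issued the claim certificate, the device certificate that comes back from the `create` or `create-from-csr` step is the one the device uses afterwards; the claim certificate should be authorized for nothing beyond the two topic families above, which is why the simulated broker refuses a telemetry publish under it.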
