Sorry for the issue. Currently AWS IoT does not support using ACM Private CAs when generating certificates with the CreateKeysAndCertificate API. However, you can generate a certificate signed by the private CA and register it with AWS IoT without proving ownership of the CA (token etc.). We have a feature called Multi-Account Registration certificates that will allow you to register the certificates without proving CA ownership.
Hope it helps,
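The path the answer above describes, as an added example (not code from the original thread or from AWS): sign a device CSR with the AWS Private CA via the ACM PCA IssueCertificate API, fetch the issued leaf certificate, and register that leaf with AWS IoT through RegisterCertificateWithoutCA, which is the Multi-Account Registration call that needs no CA registration or signed token. The CA ARN, CSR path and the "leaf first" assumption about the PEM returned by GetCertificate are assumptions; boto3 credentials are assumed to be configured in the environment. The two pure helpers (bundle splitting and the SHA-256 fingerprint that AWS IoT uses as the certificateId) run offline; the AWS calls only run when the script is invoked directly.

```python
"""Issue a device cert from an AWS Private CA and register it with AWS IoT
without registering the CA (Multi-Account Registration path).

Added example; CA_ARN and the CSR path are placeholders, not values from
the thread. boto3 is imported lazily so the helpers work without it.
"""
import base64
import hashlib
import re
import sys
from typing import List, Tuple

# One PEM certificate block; DOTALL because the base64 body spans lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(bundle: str) -> List[str]:
    """Split a PEM bundle into single-certificate PEM strings, in file order.

    GetCertificate returns the leaf in 'Certificate' and the CA chain in
    'CertificateChain'; this helper lets you register the leaf alone.
    Each returned block has its base64 body collapsed onto one line.
    """
    certs = []
    for body in _PEM_BLOCK.findall(bundle):
        b64 = "".join(body.split())  # drop line breaks inside the body
        certs.append(
            "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----"
        )
    return certs


def cert_fingerprint(pem: str) -> str:
    """Hex SHA-256 of the DER bytes; AWS IoT uses this as the certificateId."""
    blocks = split_pem_bundle(pem)
    if len(blocks) != 1:
        raise ValueError("expected exactly one certificate, got %d" % len(blocks))
    body = blocks[0].splitlines()[1]
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


def issue_from_private_ca(ca_arn: str, csr_pem: str, days: int = 365) -> Tuple[str, str]:
    """Sign csr_pem with the Private CA and return (leaf_pem, chain_pem).

    The CA's private key never leaves ACM PCA; we only ask it to sign.
    """
    import boto3  # assumption: boto3 installed and credentials configured

    pca = boto3.client("acm-pca")
    issued = pca.issue_certificate(
        CertificateAuthorityArn=ca_arn,
        Csr=csr_pem.encode("ascii"),
        SigningAlgorithm="SHA256WITHRSA",
        Validity={"Value": days, "Type": "DAYS"},
    )
    cert_arn = issued["CertificateArn"]
    # Issuance is asynchronous; wait until the certificate can be fetched.
    pca.get_waiter("certificate_issued").wait(
        CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn
    )
    fetched = pca.get_certificate(
        CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn
    )
    return fetched["Certificate"], fetched.get("CertificateChain", "")


def register_without_ca(leaf_pem: str, active: bool = True) -> str:
    """Register a single leaf certificate with AWS IoT, no CA registration needed.

    Returns the certificateId, which should equal cert_fingerprint(leaf_pem).
    """
    import boto3  # assumption: boto3 installed and credentials configured

    iot = boto3.client("iot")
    resp = iot.register_certificate_without_ca(
        certificatePem=leaf_pem, status="ACTIVE" if active else "INACTIVE"
    )
    return resp["certificateId"]


if __name__ == "__main__":
    # usage: python register_device.py <private-ca-arn> <device.csr>
    ca_arn, csr_path = sys.argv[1], sys.argv[2]
    with open(csr_path, "r", encoding="ascii") as fh:
        leaf, _chain = issue_from_private_ca(ca_arn, fh.read())
    leaf = split_pem_bundle(leaf)[0]  # assumption: leaf is the first block
    cert_id = register_without_ca(leaf)
    print("registered certificateId:", cert_id)
    print("local fingerprint matches:", cert_id == cert_fingerprint(leaf))
```

Only the leaf is passed to RegisterCertificateWithoutCA; the chain returned by GetCertificate is kept aside so it can be distributed to whatever needs to validate the device certificate. Because the certificateId is derived from the certificate bytes, the local fingerprint check at the end confirms the registered object is exactly the certificate the Private CA issued.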
During device creation, in the certificate step, you can select "Use my certificate". Isn't that what you're looking for?
Edited by: SebastiaanM on Sep 7, 2020 4:29 AM
When I select 'Use my certificate', it first asks me to:
"Select or register the CA certificate used to sign your device certificates. To use device certificates that are not signed by a registered CA"
Under that it has no option to select the Private CA that I just generated in AWS Private CA.
If I then select "Register CA", it asks me to sign a 'token' with my private CA (to prove I'm the owner of the CA) using OpenSSL.
Seeing as I created the Private CA inside the AWS environment, I do not have access to the private key...
I was expecting to see an integration of AWS Private CA and AWS IoT...
Am I expecting too much?
I am not familiar with AWS Private CA, but it seems to allow creation of private CAs (which fall under the root CAs of Amazon). So, indeed, if you directly use a root CA as the authority, you can't have its private key. But for a private subordinate CA, that should be possible, so you can download all the info and use the required SSL commands to register that CA in AWS IoT?
Maybe a bit cumbersome though, I agree.
Thank you for your response. I really appreciate it.
We only created one root Private CA in AWS Private CA, and it doesn't fall under the Amazon root CAs. It's a self-signed root CA certificate.
Fair enough that I cannot access the private key, as you would like to use Amazon's hardware storage for private keys,
but they should at least be able to hand it over to AWS IoT without having to first generate your own root CA using OpenSSL and losing the only reason for paying for a Private root CA.
I wonder if they just haven't gotten to integrating Private CA with IoT yet...
You can use it for pure SSL certs like in Elastic Load Balancing and plain AWS web servers.
But for anything non-standard (like using it in AWS IoT or exporting certs for EAP-TLS), we cannot even use the Certificate Manager.
I was hoping I was missing something, but I think it may not be worth the money in our case.
[Amazon official please prove me wrong !!]