aws iot device certificates expired

Question

Dear,

https://aws.amazon.com/tw/blogs/iot/setting-up-just-in-time-provisioning-with-aws-iot-core/

i have some devices using the method above to provision the certificate. but their certificates expired.

It is very hard to update the certificates in the device.

So, my question is : how can the devices connect to the AWS IOT Core as before?

Thanks.

Answer

At AWS security is always job zero. Please also take a look at [Security best practices in AWS IoT Core](https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html) which explains also why security is important.

Imagine you would allow your devices to connect without authentication/authorization then everyone could use your IoT endpoint.

You can use [custom authentication](https://docs.aws.amazon.com/iot/latest/developerguide/custom-authentication.html) in AWS IoT Core to build your own authentication logic.

You can also setup your own MQTT broker, for example on EC2 which meets your security requirements.

Cheers,  
Philipp

Answer

Yeah, that's a problem.  I don't know of a way to let it connect using an expired certificate.

What you have to do is generate the certificate with a very, very long expiration.  I generally have IoT Core generate my device certificates, so I looked to see what it made:

```
        Validity
            Not Before: Mar  2 21:24:37 2022 GMT
            Not After : Dec 31 23:59:59 2049 GMT
```

so it generated a cert good for 27 years, not quite sure why that number but ok.  This Dec 2049 date was confirmed by [someone on stack overflow](https://stackoverflow.com/questions/70838792/aws-iot-core-and-r-509-cert-expiration) as well.

If your device can't generate a new certificate before it expires, then I think your only choice is to install certs with a very long expiration, whether you generate them with openssl or not.

Answer

Yes, Thanks all the answers.

I realize my situation now. But i think the design of the AWS IOT should consider both security and simplicity.

Now, the design is only consider the security. The implementation is so complex. I need lots of codes on it. and i need change a lot of code in order to comply this security rules.

But my device is cheap and it is no sense to implement such complicated code.

I really don't care if the device is secure or not.

Why can't i use AWS IOT in simple way?  Why can't i config it without security?

Answer

From a security perspective you should never use long lived certificates. A certificate lifetime should not go beyond 2 or 3 years. When you rotate your certificates/keys regularly you can make sure that you are always use the latest and most secure algorithms.

You can use AWS IoT Device Defenders [device certificate expiring](https://docs.aws.amazon.com/iot/latest/developerguide/audit-chk-device-cert-approaching-expiration.html) audit to get a notification about certificates that will expire soon. You can then take automated actions to rotate your certificate.

You can find an example architecture in the [AWS IoT Jumpstart](https://catalog.us-east-1.prod.workshops.aws/workshops/001cd52d-8105-4da9-a0c2-ee391260e0c7/en-US/operations/lab30-devicecertrotation).

You can also try to open a support ticket with AWS IoT.

Cheers,  
Philipp

aws iot device certificates expired

相关内容