New – Just-in-Time Certificate Registration for AWS IoT
Earlier this year my colleague Olawale Oladehin showed you how to Use Your Own Certificate with AWS IoT. Before that, John Renshaw talked about Predictive Maintenance with AWS IoT and Amazon Machine Learning.
Today we are making AWS IoT even more flexible by giving you the ability to do Just-in-Time registration of device certificates. This expands on the feature described by Olawale, and simplifies the process of building systems that make use of millions of connected devices. Instead of having to build a separate database to track the certificates and the associated devices, you can now arrange to automatically register new certificates as part of the initial communication between the device and AWS IoT.
In order to do this, you start with a CA (Certificate Authority) certificate that you later use to sign the per-device certificates (this is a great example of the chain of trust model that is fundamental to the use of digital certificates).
Putting this new feature to use is pretty easy, but you do have to take care of some important details. Here are the principal steps:
- Register & activate the CA certificate that will sign the other certificates.
- Use the certificate to generate and sign certificates for each device.
- Have the device present the certificate to AWS IoT and then activate it.
The final step can be implemented using an AWS Lambda function. The function simply listens on a designated MQTT topic using an AWS IoT Rule Engine Action. A notification will be sent to the topic each time a new certificate is presented to AWS IoT. The function can then activate the device certificate and take care of any other initialization or registration required by your application.
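A minimal activation function for that final step, added here as an example rather than code from the post or from AWS. It assumes the rule forwards the registration notification with `certificateId` and `caCertificateId` fields and that boto3 is available in the Lambda runtime; `TRUSTED_CA_IDS`, `DEVICE_POLICY` and `FakeIot` are names chosen for this example. Before activating, it checks that the signing CA is one you registered and that the certificate is still pending, so a replayed notification or a certificate from an unknown CA is not silently granted access.

```python
import os
from typing import Any, Dict, Optional

# Constructed configuration: CA certificate IDs we registered ourselves and
# the IoT policy to attach. Both are assumptions about the deployment.
TRUSTED_CA_IDS = set(filter(None, os.environ.get("TRUSTED_CA_IDS", "").split(",")))
DEVICE_POLICY = os.environ.get("DEVICE_POLICY", "DevicePolicy")


def should_activate(event: Dict[str, Any], cert: Dict[str, Any], trusted_cas: set) -> str:
    """Return "ACTIVE", "REVOKED" or "IGNORE" for a newly presented certificate."""
    if event.get("caCertificateId") not in trusted_cas:
        return "REVOKED"  # signed by a CA we never registered: do not trust it
    if cert.get("status") != "PENDING_ACTIVATION":
        return "IGNORE"   # already processed, e.g. a replayed notification
    return "ACTIVE"


def handler(event: Dict[str, Any], context: Any = None, iot: Any = None,
            trusted_cas: Optional[set] = None) -> str:
    """Lambda entry point invoked by the IoT rule on the registration topic."""
    if iot is None:
        import boto3  # imported lazily so the module loads without the SDK
        iot = boto3.client("iot")
    if trusted_cas is None:
        trusted_cas = TRUSTED_CA_IDS
    cert_id = event["certificateId"]
    cert = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    decision = should_activate(event, cert, trusted_cas)
    if decision == "ACTIVE":
        iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
        iot.attach_policy(policyName=DEVICE_POLICY, target=cert["certificateArn"])
    elif decision == "REVOKED":
        iot.update_certificate(certificateId=cert_id, newStatus="REVOKED")
    return decision


class FakeIot:
    """Constructed stand-in for the boto3 IoT client, for offline testing only."""
    def __init__(self, status: str = "PENDING_ACTIVATION") -> None:
        self.status, self.calls = status, []

    def describe_certificate(self, certificateId: str) -> Dict[str, Any]:
        return {"certificateDescription": {"certificateId": certificateId,
                "certificateArn": "arn:example:" + certificateId, "status": self.status}}

    def update_certificate(self, certificateId: str, newStatus: str) -> None:
        self.status = newStatus
        self.calls.append(("update", certificateId, newStatus))

    def attach_policy(self, policyName: str, target: str) -> None:
        self.calls.append(("attach", policyName, target))
```

Deploy `handler` as the Lambda target of the rule and drop `FakeIot`; it exists only so the decision logic can be exercised without AWS credentials.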
To learn more about this important new feature and to review all of the necessary steps in detail, read about Just in Time Registration of Device Certificates on AWS IoT on The Internet of Things on AWS Blog.