The Internet of Things on AWS – Official Blog

How to update changing certificate requirements with AWS IoT Core

NOTE: This post covers an important announcement related to the renewal of the Symantec Server Intermediate Certificate Authority (ICA) and an upcoming switch of AWS IoT Core – control plane endpoints and newly created AWS IoT Core customer endpoints to the TLS 1.2 specification.

Overview

In this post, we discuss upcoming changes to the Symantec Server Intermediate Certificate Authority (ICA) and switching on TLS 1.2 by default for control plane endpoints. We will also share recommendations on how to use the custom domain and configurable endpoint features of AWS IoT Core. Additionally, you will learn about ways to use client-side custom certificates (self-signed certificates) for devices connecting to a single trusted endpoint, thus removing uncertainties associated with public CAs.

Change #1: updating Symantec Server ICA

To enable customers to utilize the latest security features by default, we will switch AWS IoT Core – control plane endpoints and newly created customer endpoints to TLS 1.2, and we will have a new server certificate that is based on the VeriSign Class 3 Public Primary Certification Authority – G5. Additionally, for backwards compatibility reasons, we are leaving all existing customer endpoints at their current TLS version and settings. We recommend that customers migrate existing customer endpoints to TLS 1.2 or TLS 1.3 at their own convenience via the AWS IoT Core configurable endpoint feature.

Update of Symantec Server ICA (Intermediate Certificate Authority)

Current Symantec Server ICA expires on 31st October 2023 and a renewed Symantec Server ICA will be used to issue all Symantec Server-side certificates.

Figure 1.0: Server certificate chain of trust (Symantec)

This change is only for data-plane and applies only to Symantec endpoints. Customers using Amazon Trust Services (ATS) endpoints won’t be affected. AWS recommends that you don’t use certificate pinning because it introduces an availability risk. However, if your use case requires certificate pinning, AWS recommends that you pin to an ATS signed Amazon Root CA 1 or Amazon Root CA 3 instead of an intermediate CA or leaf certificate. Your devices can continue to connect to AWS IoT Core if you had originally pinned to Symantec Root CA (VeriSign Class 3 Public Primary Certification Authority – G5).

Actions / recommendations:

  • Current Symantec Server Intermediate Certificate Authority (ICA) certificate expires on 31st Oct and we are slowly rolling out a new server ICA certificate that is based on the VeriSign Class 3 Public Primary Certification Authority – G5. AWS is carefully monitoring the process and as we detect incompatible devices, we will reach out to our customers. Should you notice changed device behavior or inability of your device to communicate with AWS IoT Core, please contact customer support or your Technical Account Manager (TAM).
  • We strongly suggest removing any hard-coded association to these distrusted Symantec Server ICA certificates and instead using a publicly trusted Root CA (such as the ATS signed Amazon Root CA 1 or Amazon Root CA 3), to ensure your applications remain secure and compatible.
  • Use Amazon Trust Services (ATS) endpoints and update firmware to verify full certificate chains against the ATS Root from here. Put at least Amazon Root CA 1 and Amazon Root CA 3 in the device. Put all five in the store for maximum future compatibility if you have device capacity.
  • If you have pinned to the Symantec Server Intermediate Certificate Authority (ICA) certificate and experience a connection failure after an update, please update your firmware to verify full certificate chains against the Symantec Root CA (VeriSign Class 3 Public Primary Certification Authority – G5). You can find this certificate here.
  • Use custom domain and configurable endpoints.
    • Configurable endpoints allow you to control the TLS policy applied to your devices, and again, this can be done incrementally by creating an endpoint with new policy, and moving devices to it when they are ready.
  • It is recommended to have two separate endpoints: one for mobile apps using Public CA, and another specifically for devices using a private CA (or self-signed) certificate, and be fully aware of your TLS security policies.
  • Do not limit certificate size on the client-side. Public CAs require server certificates to be renewed regularly. The addition of OCSP responder URLs and other options can increase the size of a server certificate over time. We recommend adding sufficient buffer to handle future server certificates. You can verify your device’s compatibility with large server certificates via AWS IoT Core Device Advisor.

Using Amazon Trust Services (ATS) signed Root CA

Here are steps to update your devices to use an ATS signed Root CA:

  1. Identify the Root CA that your devices are currently using. You can do this by looking at the server certificate chain presented when your devices connect to AWS IoT Core.
  2. Download the ATS signed Root CA from the AWS IoT documentation.
  3. Install the ATS signed Root CA in the trust store for your devices. The specific steps for doing this will vary depending on the type of device you are using.
  4. Test your devices to make sure that they can connect to AWS IoT Core using the ATS signed Root CA.

Change #2: updating the TLS configuration

As part of our continued commitment to security, we are pleased to announce that AWS IoT Core – control plane endpoints and newly created customer endpoints will now default to TLS 1.2 or above specifications. This upgrade ensures that you benefit from the latest security standards and enhancements in the industry. We also want to bring to attention that AWS will be updating the TLS configuration for all AWS service API endpoints to a minimum of version TLS 1.2.

Actions / recommendations

  • Control plane endpoints: If you are using TLS 1.0/1.1 then you will need to start using TLS 1.2 or higher for these connections.
  • Data plane endpoints: Devices connecting to AWS IoT Core using TLS 1.0 / 1.1 will continue to operate as normal, but we suggest updating these devices to support a minimum TLS version of 1.2 for security future-proofing purposes.

Migrating your endpoints

To facilitate a seamless migration, we have introduced configurable endpoints that enable you to transition your existing customer endpoints to TLS 1.2 or TLS 1.3 at your convenience. This flexibility allows you to tailor the migration process according to your specific requirements and schedule. You can follow detailed instructions in our earlier blog post.

Set up custom domains and configurable endpoints

Set up custom domains and configurable endpoints in AWS IoT Core to gain greater control over your server certificates and to manage the behaviors of your data endpoints. You can follow detailed instructions in our earlier blog post. Remember to always test your configurations thoroughly before deploying them in production environments.

Conclusion

In this blog post, we discussed two important announcements that will help future-proof your IoT deployments.

We bid farewell to Symantec Server ICA certificates, acknowledging their past service, while also recognizing the need for stronger security measures with our recommendation to use ATS signed certificates and ATS endpoints. By migrating to modern SSL/TLS server certificates from trusted Certificate Authorities (CAs) such as ATS, you can fortify your applications against advanced cyber threats and ensure compatibility with the latest browsers and devices.

Secondly, we embraced the latest TLS 1.2 standards as default, transitioning away from TLS 1.0/1.1 and defaulting to TLS 1.2 onwards for AWS IoT Core’s control plane and newly created customer endpoints.

Finally, we suggest taking advantage of custom domains and configurable endpoints, which give you greater control over your server certificates and over the behaviors of your data endpoints.

Frequently Asked Questions

Q1: How do I know if I’m affected?

A: If you are using ATS server certificates, there are no changes. For Symantec server certificates, verify that your device's TLS implementation does not pin the ICA; if it does not, you are not affected. We can't give generic instructions on how to do this, but one approach is to look at all the certificates baked into your device code and check whether one of them expires in 2023. Alternatively, confirm that the baked-in certificates are Amazon Root CA 1 and Amazon Root CA 3 for ATS, and the Symantec VeriSign Class 3 Public Primary Certification Authority – G5 for Symantec.
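The two checks above (no hard-coded ICA, nothing in the trust store expiring in 2023) can be automated over a device's bundled PEM trust store. The following Go program is an added example, not code from the post or from AWS: it classifies each certificate as a self-signed root (safe to pin, per the recommendations in this post) or a non-root (an ICA or leaf that should not be pinned) and flags anything expiring before a horizon date. The certificates it scans are constructed in-memory stand-ins, not the real Symantec or ATS certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Finding: IsRoot means self-signed CA (safe to pin); ExpiresBy means NotAfter is before the horizon.
type Finding struct{ Subject string; IsRoot, ExpiresBy bool }

// AuditTrustStore parses every PEM CERTIFICATE block in a device trust store and checks each one.
func AuditTrustStore(store []byte, horizon time.Time) ([]Finding, error) {
	var out []Finding
	for blk, rest := pem.Decode(store); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" { continue }
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil { return nil, err }
		// A root verifies under its own key; an ICA or leaf does not, so pinning it is a renewal risk.
		isRoot := c.IsCA && c.CheckSignatureFrom(c) == nil
		out = append(out, Finding{c.Subject.CommonName, isRoot, c.NotAfter.Before(horizon)})
	}
	return out, nil
}

// makeCA builds a constructed (not real) CA certificate; a nil parent means self-signed.
func makeCA(cn string, notAfter time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if parent == nil { parent, pkey = t, key }
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// SampleStore is a constructed store resembling the risky case from the post: a long-lived
// root plus an intermediate expiring 31 Oct 2023 that a device should never have pinned.
func SampleStore() []byte {
	root, rootKey, rootPEM := makeCA("Example Root CA (constructed)", time.Date(2040, 1, 1, 0, 0, 0, 0, time.UTC), nil, nil)
	_, _, icaPEM := makeCA("Example Server ICA (constructed)", time.Date(2023, 10, 31, 0, 0, 0, 0, time.UTC), root, rootKey)
	return append(rootPEM, icaPEM...)
}
```

Run AuditTrustStore over the PEM bundle extracted from your firmware with a horizon such as 2024-01-01: any entry reported as non-root, or as expiring before the horizon, is one to replace with the ATS Root CAs described above.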

Q2: What if I notice a change in device communication behavior with AWS IoT Core?

A: Should you notice changed device behavior or inability of your device to communicate with AWS IoT Core, please contact customer support or your Technical Account Manager (TAM).

Where can I get help?

If you have questions, contact AWS Support or your technical account manager (TAM), or start a new thread on the AWS re:Post AWS IoT Forum.

Learn More

To learn more about the benefits of TLS 1.2 and TLS 1.3 support in AWS IoT Core and how to make the transition, we invite you to visit our documentation:

  • AWS IoT Core – control plane endpoints: Link
  • AWS IoT Core – data plane endpoints: Link
  • Configurable endpoint feature: Link
  • TLS 1.2 for all AWS API endpoints: Link
  • AWS IoT Core transport security: Link
  • Issuing and managing certificates: Link
  • Preparing for AWS Certificate Authority: Link
  • Migrating device fleets to AWS IoT Custom Domains: Link
  • AWS IoT ECC Support: Link
  • How AWS IoT Core is Helping Customers Navigate the Upcoming Distrust of Symantec Certificate Authorities: Link
  • DigiCert Root certificates: External Link

About the Author

Syed Rehan is a Sr. IoT Cybersecurity Specialist at Amazon Web Services (AWS), based in London and working within the AWS IoT Core Security Foundations team. He serves a global customer base, collaborating with security specialists, developers, and security decision-makers to promote the adoption of AWS IoT services. Possessing in-depth knowledge of cybersecurity, IoT, and cloud technologies, Syed assists customers ranging from startups to large enterprises, enabling them to construct secure IoT solutions within the AWS ecosystem.