Customer Stories / Retail & Wholesale

Amazon Alexa Logo

Amazon Alexa Relies on AWS Private CA for Matter Certificates

Learn how Amazon Alexa managed certificates for smart-home devices using AWS Private CA.

Secure environment

is provided to manage smart-home communications


millions of private certificates at scale

Saves time

by automating manual tasks

Meets industry-unifying standard

for smart-home environments

Provides access

to secure PKI services with reduced infrastructure costs


Amazon Alexa is the virtual assistant technology powered by artificial intelligence and developed by online retailer Amazon. As a pioneer of smart-home technology, Amazon recognizes the compatibility challenges common to device manufacturers and consumers. The company realized that, to provide a delightful customer experience, a standardized communication and control protocol was necessary to streamline compatibility between different devices. Amazon is a founding member and a key contributor to the Matter initiative, an effort managed by the Connectivity Standards Alliance to develop an open standard for device interoperability across smart-home systems with security and privacy as key design tenets.

To implement standardized security requirements for Matter, the Amazon Alexa team needed a flexible way to issue and manage digital certificates. Certificates are critical to identifying smart-home devices and keeping communication channels secure by protecting sensitive information. So, the Amazon Alexa team turned to Amazon Web Services (AWS) and became the first customer to adopt AWS Private Certificate Authority (AWS Private CA), a private certificate authority service, to generate Matter-compliant certificates.

Voice controlled smart speaker. Little kid girl talking to talking to Amazon Alexa Echo Dot. Education programme for child. Boy talking to Alexa and give it orders and commands what to switch on.

Opportunity | Coming into Compliance with the Standards Set by Matter

Amazon Alexa was launched in 2014, and worldwide, there are over 300 million devices connected to Alexa, including Amazon Echo, Echo Dot, Echo Show, and numerous third-party devices. Amazon and other smart-device manufacturers realized that incompatibility between different smart-home environments can create confusion for customers and limit smart-home adoption. Matter was conceived as the solution to create a unified and delightful customer experience. “Matter is a new standard that helps smart-home devices work across different environments,” says Janak Chandarana, principal engineer at Amazon Alexa. “It creates a secure and reliable new standard that can be used across devices.”

For the Amazon Alexa team, ensuring its devices met the Matter standard was a top priority. However, it needed a way to generate and manage millions of private certificates so that multiple smart-home devices could securely communicate with each other. Searching for a certificate service provider that could provide the scale, reliability, and agility necessary to meet Matter standards for certificates, Amazon Alexa turned to AWS. “The AWS team understood our requirements,” says Chandarana. “In just a few months, the team delivered a solution that we can use to obtain security certificates that meet Matter requirements.”


AWS Private Certificate Authority is intuitive, from the console to the APIs. It is very hard to get anything wrong.”

Janak Chandarana
Principal Engineer, Amazon Alexa

Solution | Managing Certificates for Smart-Home Devices

AWS Private CA is a scalable and highly available service for issuing private certificates without the upfront investment and ongoing maintenance costs of operating a certificate authority. Amazon Alexa uses AWS Private CA to generate and manage private certificates for Matter smart-home devices, each of which requires its own unique identity. The solution helps developers access APIs to create and deploy private certificates programmatically, which are compliant with Matter standards. The Amazon Alexa team found it simple to integrate this solution into its smart-device environment. “AWS Private CA is intuitive, from the console to the APIs,” says Chandarana. “It is very hard to get anything wrong.”

To be compliant with Matter, smart-home devices must meet multiple security requirements, including being manufactured with a private key and device attestation certificate for identity. Most importantly, each device must have its own private certificate. Organizations use private certificates to keep connections secure on internal networks and establish a digital identity for devices, like computers, users, servers, virtual private networks, and smart-home devices (see Figure 1. Amazon Alexa’s architecture for generating Matter-compliant certificates). Using AWS Private CA, Amazon Alexa can issue individual certificates at scale without having to operate certain complex security-critical infrastructure; that infrastructure is instead managed by AWS. This frees developers to focus on internal security, application, and business requirements.

The cloud-based public key infrastructure (PKI) provides X.509 certificates to smart-home devices, delivering high availability and strong security. “There are APIs that you can use to configure your PKI, which saves time,” says Chandarana. “These operational tasks are automated by AWS Private CA, which we do not need to worry about.” With the automation of key tasks, Amazon Alexa can save time and reduce manual labor while meeting industry-unifying standards. Additionally, the team can access secure cloud PKI services using AWS Private CA with pay-as-you-go pricing, which helps limit its expenditures.

To comply with Matter, Amazon Alexa also needed to have a certificate signing service that is accessible from different regions. To accomplish this, the company deployed AWS Private CA in multiple AWS Regions, physical locations around the world where AWS clusters data centers. “In terms of trust, we wanted the certificates to have a single common root certificate but have a PKI distributed geographically across different Regions,” says Chandarana. “The AWS team helped us understand how to achieve these goals.”

Architecture Diagram

Figure 1. Amazon Alexa’s architecture for generating Matter-compliant certificates

Click to enlarge for fullscreen viewing. 

Outcome | Continuing to Use AWS Private CA to Meet Open, Unifying Standards

On AWS, Amazon Alexa is meeting open, unifying standards for smart-home devices and furthering seamless, delightful experiences for customers. This solution will provide a way for multiple Amazon and third-party devices to communicate with each other on a local network using secure certificates issued by AWS Private CA.

AWS support was integral to the project’s success so that Amazon Alexa could deliver a solution where both new and existing devices meet the Matter standard. “While we are part of the same company and saw a seamless integration as a result, the AWS team delivers the same level of support for external customers,” says Chandarana. “AWS provides excellent guidance.”

About Amazon Alexa

Amazon Alexa, also known as Alexa, is a virtual assistant technology powered by artificial intelligence. Launched in 2014, Alexa is supported by over 140,000 Amazon smart-home devices.

AWS Services Used

AWS Private Certificate Authority (AWS Private CA)

AWS Private Certificate Authority (AWS Private CA) is a highly available, versatile CA that helps organizations secure their applications and devices using private certificates.

Learn more »

AWS Regions

AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone.

Learn more »

Get Started

Organizations of all sizes across all industries are transforming their businesses and delivering on their missions every day using AWS. Contact our experts and start your own AWS journey today.