How to create IoT x509 certificate using CloudFormation?

1

I am trying to create IoT x509 certificate not from AWS Console but using CloudFormation. According to this document the cf template requires "certificatePem" as an input which I want cf output me this certificate.

AWS CLI command

aws iot create-keys-and-certificate \
--set-as-active \
--certificate-pem-outfile esp-certificate.crt \
--public-key-outfile esp-public.key \
--private-key-outfile esp-private.key \
--region ap-southeast-1

How to do the same thing with CloudFormation?

hai
preguntada hace 2 años1195 visualizaciones
3 Respuestas
2
Respuesta aceptada

Hi, you can see an example of how it's done with CDK here. This is a custom resource construct that creates the cert and key (doc has wrong name but is correct) and stores them in the Systems Manager parameter store. This aligned with both other responder's valid comments.

Normally things and certs, due to the scale, are recommended to be created externally to CloudFormation. Fleet provisioning can help with onboarding devices and credentials.

AWS
Gavin_A
respondido hace 2 años
  • Thank you!, the sample code is exactly what I am looking for. It works.

2

You can use a Lambda-backed custom resource to create keys and certificate and store them in a location like AWS Secrets Manager.

KR,

Philipp

AWS
EXPERTO
respondido hace 2 años
  • Thank you, I will try it and update

1

How to do the same thing with CloudFormation?

You can't. If you could, AWS would have to store the private keys of the certificates you created. With private keys, for security reasons, you only get the chance to save them at the time of creation. This is similar to EC2 keys pairs; they cannot be created from CloudFormation templates. In general, you want your private keys to spend minimal time anywhere except in secure storage on your device.

According to this document the cf template requires "certificatePem" as an input which I want cf output me this certificate.

AWS::IoT::Certificate allows you to register an X.509 certificate with AWS IoT. It offers more than one way to do it.

CertificatePem is not a required property. You can use it if you've created your own certificate from your own PKI and you want to register it. Broadly equivalent to aws iot register-certificate.

CertificateSigningRequest is not a required property either. You can use it to create a certificate from a CSR that you've created from your own private key. Broadly equivalent to aws iot create-certificate-from-csr.

Additional resources:

profile pictureAWS
EXPERTO
Greg_B
respondido hace 2 años

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas