How to create IoT x509 certificate using CloudFormation?

1

I am trying to create an IoT X.509 certificate, not from the AWS Console but using CloudFormation. According to this document, the CF template requires "certificatePem" as an input, whereas I want CF to output this certificate to me.

AWS CLI command

aws iot create-keys-and-certificate \
--set-as-active \
--certificate-pem-outfile esp-certificate.crt \
--public-key-outfile esp-public.key \
--private-key-outfile esp-private.key \
--region ap-southeast-1

How to do the same thing with CloudFormation?

hai
Asked 2 years ago, 1195 views
3 answers
2
Accepted answer

Hi, you can see an example of how it's done with CDK here. This is a custom resource construct that creates the cert and key (the doc has the wrong name but is correct) and stores them in the Systems Manager Parameter Store. This aligns with both other responders' valid comments.

Normally things and certs, due to the scale, are recommended to be created externally to CloudFormation. Fleet provisioning can help with onboarding devices and credentials.

AWS
Gavin_A
Answered 2 years ago
2

You can use a Lambda-backed custom resource to create keys and certificate and store them in a location like AWS Secrets Manager.

KR,

Philipp

AWS
Expert
Answered 2 years ago
  • Thank you, I will try it and update

1

How to do the same thing with CloudFormation?

You can't. If you could, AWS would have to store the private keys of the certificates you created. With private keys, for security reasons, you only get the chance to save them at the time of creation. This is similar to EC2 key pairs; they cannot be created from CloudFormation templates. In general, you want your private keys to spend minimal time anywhere except in secure storage on your device.

According to this document the cf template requires "certificatePem" as an input which I want cf output me this certificate.

AWS::IoT::Certificate allows you to register an X.509 certificate with AWS IoT. It offers more than one way to do it.

CertificatePem is not a required property. You can use it if you've created your own certificate from your own PKI and you want to register it. Broadly equivalent to aws iot register-certificate.

CertificateSigningRequest is not a required property either. You can use it to create a certificate from a CSR that you've created from your own private key. Broadly equivalent to aws iot create-certificate-from-csr.

Additional resources:

AWS
Expert
Greg_B
Answered 2 years ago
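To show the CSR route Greg_B describes in working form, here is an added example template (not from this thread or from AWS's documentation). It assumes the device has already generated its own key pair and CSR locally with its own tooling; the thing name and client ID are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Register a device certificate from a CSR so the private key never leaves the device
Parameters:
  DeviceCsr:
    Type: String
    Description: PEM-encoded CSR generated on the device from its own private key
  ThingName:
    Type: String
    Default: esp-device-01   # constructed example name

Resources:
  # Signs the CSR with the AWS IoT CA; equivalent to aws iot create-certificate-from-csr
  DeviceCertificate:
    Type: AWS::IoT::Certificate
    Properties:
      CertificateSigningRequest: !Ref DeviceCsr
      Status: ACTIVE

  DeviceThing:
    Type: AWS::IoT::Thing
    Properties:
      ThingName: !Ref ThingName

  # Least-privilege policy: the certificate may only connect using its own client ID
  DevicePolicy:
    Type: AWS::IoT::Policy
    Properties:
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action: iot:Connect
            Resource: !Sub arn:aws:iot:${AWS::Region}:${AWS::AccountId}:client/${ThingName}

  CertToThing:
    Type: AWS::IoT::ThingPrincipalAttachment
    Properties:
      ThingName: !Ref DeviceThing
      Principal: !GetAtt DeviceCertificate.Arn

  CertToPolicy:
    Type: AWS::IoT::PolicyPrincipalAttachment
    Properties:
      PolicyName: !Ref DevicePolicy
      Principal: !GetAtt DeviceCertificate.Arn

Outputs:
  CertificateId:
    Value: !Ref DeviceCertificate   # Ref returns the certificate ID; the PEM is not an attribute
```

CloudFormation exposes only the certificate's Id and Arn, so the signed certificate PEM to install on the device is fetched afterwards with aws iot describe-certificate --certificate-id <CertificateId>.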
