Use IoT certificates for API Gateway mTLS

0

I have many things in IoT Core, each one with its own client certificate issued by AWS CA. Now I want the device to make a request to a REST API and I want to protect the API with mutual TLS authentication. Is it possible to use the same client certificate used in IoT Core and issued by AWS for the API request? I can't understand how this could be possible.

In IoT Core there's the full list of client certificates, however in API Gateway mTLS only a truststore (root and intermediate CAs) is needed.

So the first question. What is the certificate chain of IoT certificates? Could I download the truststore of IoT client certificates? I couldn't find it, only root CA for the server IoT Core authentication.

Second question. Even if I were able to download the CA chain of IoT client certificates, the API wouldn't be secure enough. Another AWS account could generate a certificate for one IoT device and could use it to access my API. If the issuer CA of client certificates was the same for all the accounts (maybe in the same region), that certificate could access my API.

Why can't I upload the list of client certificates for the mTLS API as in IoT Core? What's the best approach to allow an IoT device to access an API with mTLS? Should I have two certificates and private keys in the device, one for IoT Core and one for the API?

I think one solution is to have my own root CA that issues certificates for the IoT Core connection and the API Gateway connection. Because I already have around 1000 devices and certificates issued by AWS, what happens to them if I decide to use my own root CA to issue new IoT client certificates?

1 Answer
0

What is the certificate chain of IoT certificates? Could I download the truststore of IoT client certificates?

No, you can't. The CA used to issue device certificates using AWS IoT is ephemeral. Once the device certificate is registered in AWS IoT Core, the CA is no longer needed or used.

I think one solution is to have my own root CA that issues certificates for the IoT Core connection and the API Gateway connection.

Right.

Because I already have around 1000 devices and certificates issued by AWS, what happens to them if I decide to use my own root CA to issue new IoT client certificates?

Those 1000 devices will still be able to connect to AWS IoT Core, so long as those certificates are still in the AWS IoT Core registry. You would need to rotate the certificates on those devices if you want to connect to API gateway using mTLS.

https://aws.amazon.com/blogs/iot/how-to-manage-iot-device-certificate-rotation-using-aws-iot/

What's the best approach to allow an IoT device to access an API with mTLS? Should I have two certificates and private keys in the device, one for IoT Core and one for the API?

You might instead consider making use of the AWS IoT credential provider, and access the API using IAM: https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html. A single certificate and key grant you access.

AWS
EXPERT
Greg_B
answered 3 months ago
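The single-certificate flow from the answer, as an added example that is not part of the original post: the device calls the IoT credential provider over mTLS with its existing IoT Core certificate and key, receives temporary IAM credentials, and then SigV4-signs the API Gateway request (IAM authorization on the method) with them. The endpoint, role alias, thing name and JSON response below are constructed placeholders, and it is assumed that a role alias exists whose role trusts credentials.iot.amazonaws.com and whose policy allows execute-api:Invoke on the API.

```python
import hashlib
import hmac
import json
import urllib.parse

# Hypothetical names (not from the question): credential-provider endpoint, role alias, thing.
CRED_ENDPOINT = "abcdefghijklm.credentials.iot.eu-west-1.amazonaws.com"
ROLE_ALIAS = "device-api-role-alias"
THING_NAME = "sensor-0001"

# Constructed sample of the credential provider's JSON response (not real credentials).
SAMPLE_RESPONSE = json.dumps({"credentials": {
    "accessKeyId": "ASIAEXAMPLE", "secretAccessKey": "EXAMPLESECRETKEY0000000000000000000000000",
    "sessionToken": "EXAMPLESESSIONTOKEN", "expiration": "2024-01-01T13:00:00Z"}})


def credential_request(endpoint, role_alias, thing_name):
    """Build the GET the device sends over mTLS (its IoT Core cert and key as the client
    certificate, e.g. requests.get(url, headers=hdrs, cert=(cert_pem, key_pem))) to
    exchange that certificate for temporary IAM credentials."""
    url = f"https://{endpoint}/role-aliases/{urllib.parse.quote(role_alias, safe='')}/credentials"
    # The thing name lets the role's IAM policy scope access to one device (credentials-iot:ThingName).
    return url, {"x-amzn-iot-thingname": thing_name}


def parse_credentials(body):
    c = json.loads(body)["credentials"]
    return c["accessKeyId"], c["secretAccessKey"], c["sessionToken"]


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(creds, method, host, path, region, amz_date, payload=b""):
    """SigV4-sign a request to an IAM-authorized API Gateway method (service 'execute-api').
    amz_date is the current UTC time as YYYYMMDDTHHMMSSZ; passed in so the result is deterministic."""
    access_key, secret_key, token = creds
    date = amz_date[:8]
    signed = "host;x-amz-date;x-amz-security-token"
    canonical = "\n".join([method, path, "", f"host:{host}", f"x-amz-date:{amz_date}",
                           f"x-amz-security-token:{token}", "", signed, hashlib.sha256(payload).hexdigest()])
    scope = f"{date}/{region}/execute-api/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key from the temporary secret; the session token travels in its own header.
    k = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date), region), "execute-api"), "aws4_request")
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {"Host": host, "X-Amz-Date": amz_date, "X-Amz-Security-Token": token,
            "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed}, Signature={signature}"}
```

The credentials expire (see the expiration field), so the device refreshes them by repeating the mTLS call rather than storing them long term.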
