How to create IoT x509 certificate using CloudFormation?

1

I am trying to create an IoT x509 certificate, not from the AWS Console but using CloudFormation. According to this document the cf template requires "certificatePem" as an input, whereas I want cf to output this certificate to me.

AWS CLI command

aws iot create-keys-and-certificate \
--set-as-active \
--certificate-pem-outfile esp-certificate.crt \
--public-key-outfile esp-public.key \
--private-key-outfile esp-private.key \
--region ap-southeast-1

How to do the same thing with CloudFormation?

3 Answers
2
Accepted Answer

Hi, you can see an example of how it's done with CDK here. This is a custom resource construct that creates the cert and key (the doc has the wrong name but is correct) and stores them in the Systems Manager parameter store. This aligns with both other responders' valid comments.

Normally things and certs, due to the scale, are recommended to be created externally to CloudFormation. Fleet provisioning can help with onboarding devices and credentials.

AWS
Gavin_A
answered 2 years ago
2

You can use a Lambda-backed custom resource to create keys and certificate and store them in a location like AWS Secrets Manager.

KR,

Philipp

AWS
EXPERT
answered 2 years ago
  • Thank you, I will try it and update

1

How to do the same thing with CloudFormation?

You can't. If you could, AWS would have to store the private keys of the certificates you created. With private keys, for security reasons, you only get the chance to save them at the time of creation. This is similar to EC2 key pairs; they cannot be created from CloudFormation templates. In general, you want your private keys to spend minimal time anywhere except in secure storage on your device.

According to this document the cf template requires "certificatePem" as an input which I want cf output me this certificate.

AWS::IoT::Certificate allows you to register an X.509 certificate with AWS IoT. It offers more than one way to do it.

CertificatePem is not a required property. You can use it if you've created your own certificate from your own PKI and you want to register it. Broadly equivalent to aws iot register-certificate.

CertificateSigningRequest is not a required property either. You can use it to create a certificate from a CSR that you've created from your own private key. Broadly equivalent to aws iot create-certificate-from-csr.

Additional resources:

AWS
EXPERT
Greg_B
answered 2 years ago
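As an added example (not code from any of the answers above), here is the CSR route Greg_B describes, typed as a shell script: the private key and CSR are generated locally with openssl, and CloudFormation only ever receives the CSR through the CertificateSigningRequest property. Assumptions: openssl and the AWS CLI are installed; the stack name, subject CN and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Keeps the device private key on
# this host and lets AWS::IoT::Certificate issue the cert from a CSR.
# Assumed placeholders: WORKDIR, the CN "esp-device-001", stack "esp-iot-cert".
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# 1. Generate the device key and CSR locally. device.key never leaves this host
#    (RSA 2048, the same key type the CLI's create-keys-and-certificate produces).
make_key_and_csr() {
  dir="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/device.key" 2>/dev/null
  chmod 600 "$dir/device.key"
  openssl req -new -key "$dir/device.key" -subj "/CN=esp-device-001" \
    -out "$dir/device.csr" 2>/dev/null
}

# 2. Template: the CSR is a parameter, so only the public half reaches AWS.
#    Status ACTIVE matches the CLI's --set-as-active.
write_template() {
  cat > "$1/iot-cert.yaml" <<'EOF'
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  DeviceCsr:
    Type: String
    Description: PEM-encoded CSR generated on the device or workstation
Resources:
  DeviceCertificate:
    Type: AWS::IoT::Certificate
    Properties:
      CertificateSigningRequest: !Ref DeviceCsr
      Status: ACTIVE
Outputs:
  CertificateId:
    Value: !Ref DeviceCertificate
  CertificateArn:
    Value: !GetAtt DeviceCertificate.Arn
EOF
}

# 3. Pre-deploy check: nothing handed to CloudFormation may carry a private key.
#    Returns 0 when all given files are clean, 1 otherwise.
no_private_key_in() {
  ! grep -q "PRIVATE KEY" "$@"
}

make_key_and_csr "$WORKDIR"
write_template "$WORKDIR"
no_private_key_in "$WORKDIR/device.csr" "$WORKDIR/iot-cert.yaml"
echo "deploy with: aws cloudformation deploy --stack-name esp-iot-cert \\"
echo "  --template-file $WORKDIR/iot-cert.yaml \\"
echo "  --parameter-overrides DeviceCsr=\"\$(cat $WORKDIR/device.csr)\""
```

The stack output gives you the certificate ID and ARN to attach an AWS::IoT::Policy and thing to; the key stays in $WORKDIR/device.key for provisioning onto the device.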
