[ aws . iot ]

create-certificate-from-csr

Description

Creates an X.509 certificate using the specified certificate signing request.

Note: The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256, NIST P-384, or NIST P-512 curves. For supported certificates, consult Certificate signing algorithms supported by IoT .

Note: Reusing the same certificate signing request (CSR) results in a distinct certificate.

Requires permission to access the CreateCertificateFromCsr action.

You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs.

Assuming a set of CSRs are located inside of the directory my-csr-directory:

On Linux and OS X, the command is:

$ ls my-csr-directory/ | xargs -I {} aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/{}

This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr Amazon Web Services CLI command to create a certificate for the corresponding CSR.

The aws iot create-certificate-from-csr part of the command can also be run in parallel to speed up the certificate creation process:

$ ls my-csr-directory/ | xargs -P 10 -I {} aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/{}

On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is:

> ls -Name my-csr-directory | %{aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/$_}

On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is:

> forfiles /p my-csr-directory /c “cmd /c aws iot create-certificate-from-csr –certificate-signing-request file://@path

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  create-certificate-from-csr
--certificate-signing-request <value>
[--set-as-active | --no-set-as-active]
[--certificate-pem-outfile <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--certificate-signing-request (string)

The certificate signing request (CSR).

--set-as-active | --no-set-as-active (boolean)

Specifies whether the certificate is active.

--certificate-pem-outfile (string) Saves the command output contents of certificatePem to the given filename

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See ‘aws help’ for descriptions of global parameters.

Examples

To create a device certificate from a certificate signing request (CSR)

The following create-certificate-from-csr example creates a device certificate from a CSR. You can use the openssl command to create a CSR.

aws iot create-certificate-from-csr \
    --certificate-signing-request=file://certificate.csr

Output:

{
    "certificateArn": "arn:aws:iot:us-west-2:123456789012:cert/c0c57bbc8baaf4631a9a0345c957657f5e710473e3ddbee1428d216d54d53ac9",
        "certificateId": "c0c57bbc8baaf4631a9a0345c957657f5e710473e3ddbee1428d216d54d53ac9",
        "certificatePem": "<certificate-text>"
}

For more information, see CreateCertificateFromCSR in the AWS IoT API Reference.

Output

certificateArn -> (string)

The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.

certificateId -> (string)

The ID of the certificate. Certificate management operations only take a certificateId.

certificatePem -> (string)

The certificate data, in PEM format.