Creates an X.509 certificate using the specified certificate signing request.
Note: The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256, NIST P-384, or NIST P-512 curves. For supported certificates, consult Certificate signing algorithms supported by IoT .
Note: Reusing the same certificate signing request (CSR) results in a distinct certificate.
Requires permission to access the CreateCertificateFromCsr action.
You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs.
Assuming a set of CSRs are located inside of the directory my-csr-directory:
On Linux and OS X, the command is:
$ ls my-csr-directory/ | xargs -I {} aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/{}
This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr Amazon Web Services CLI command to create a certificate for the corresponding CSR.
The aws iot create-certificate-from-csr part of the command can also be run in parallel to speed up the certificate creation process:
$ ls my-csr-directory/ | xargs -P 10 -I {} aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/{}
On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is:
> ls -Name my-csr-directory | %{aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/$_}
On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is:
> forfiles /p my-csr-directory /c “cmd /c aws iot create-certificate-from-csr –certificate-signing-request file://@path”
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
create-certificate-from-csr
--certificate-signing-request <value>
[--set-as-active | --no-set-as-active]
[--certificate-pem-outfile <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--certificate-signing-request
(string)
The certificate signing request (CSR).
--set-as-active
| --no-set-as-active
(boolean)
Specifies whether the certificate is active.
--certificate-pem-outfile
(string)
Saves the command output contents of certificatePem to the given filename
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To create a device certificate from a certificate signing request (CSR)
The following create-certificate-from-csr
example creates a device certificate from a CSR. You can use the openssl
command to create a CSR.
aws iot create-certificate-from-csr \
--certificate-signing-request=file://certificate.csr
Output:
{
"certificateArn": "arn:aws:iot:us-west-2:123456789012:cert/c0c57bbc8baaf4631a9a0345c957657f5e710473e3ddbee1428d216d54d53ac9",
"certificateId": "c0c57bbc8baaf4631a9a0345c957657f5e710473e3ddbee1428d216d54d53ac9",
"certificatePem": "<certificate-text>"
}
For more information, see CreateCertificateFromCSR in the AWS IoT API Reference.
certificateArn -> (string)
The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.
certificateId -> (string)
The ID of the certificate. Certificate management operations only take a certificateId.
certificatePem -> (string)
The certificate data, in PEM format.