AWS CLI Command Reference

[ aws . iot ]

create-certificate-from-csr

Description

Creates an X.509 certificate using the specified certificate signing request.

Note: The CSR must include a public key that is either an RSA key with a length of at least 2048 bits or an ECC key from NIST P-256, NIST P-384, or NIST P-512 curves. For supported certificates, consult Certificate signing algorithms supported by IoT .

Note: Reusing the same certificate signing request (CSR) results in a distinct certificate.

Requires permission to access the CreateCertificateFromCsr action.

You can create multiple certificates in a batch by creating a directory, copying multiple .csr files into that directory, and then specifying that directory on the command line. The following commands show how to create a batch of certificates given a batch of CSRs.

Assuming a set of CSRs are located inside of the directory my-csr-directory:

On Linux and OS X, the command is:

$ ls my-csr-directory/ | xargs -I {} aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/{}

This command lists all of the CSRs in my-csr-directory and pipes each CSR file name to the aws iot create-certificate-from-csr Amazon Web Services CLI command to create a certificate for the corresponding CSR.

The aws iot create-certificate-from-csr part of the command can also be run in parallel to speed up the certificate creation process:

$ ls my-csr-directory/ | xargs -P 10 -I {} aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/{}

On Windows PowerShell, the command to create certificates for all CSRs in my-csr-directory is:

> ls -Name my-csr-directory | %{aws iot create-certificate-from-csr –certificate-signing-request file://my-csr-directory/$_}

On a Windows command prompt, the command to create certificates for all CSRs in my-csr-directory is:

> forfiles /p my-csr-directory /c “cmd /c aws iot create-certificate-from-csr –certificate-signing-request file://@path

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  create-certificate-from-csr
--certificate-signing-request <value>
[--set-as-active | --no-set-as-active]
[--certificate-pem-outfile <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]

Options

--certificate-signing-request (string)

The certificate signing request (CSR).

--set-as-active | --no-set-as-active (boolean)

Specifies whether the certificate is active.

--certificate-pem-outfile (string) Saves the command output contents of certificatePem to the given filename

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

See ‘aws help’ for descriptions of global parameters.

Examples

Note

To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

To create a device certificate from a certificate signing request (CSR)

The following create-certificate-from-csr example creates a device certificate from a CSR. You can use the openssl command to create a CSR.

aws iot create-certificate-from-csr \
    --certificate-signing-request=file://certificate.csr

Output:

{
    "certificateArn": "arn:aws:iot:us-west-2:123456789012:cert/c0c57bbc8baaf4631a9a0345c957657f5e710473e3ddbee1428d216d54d53ac9",
        "certificateId": "c0c57bbc8baaf4631a9a0345c957657f5e710473e3ddbee1428d216d54d53ac9",
        "certificatePem": "<certificate-text>"
}

For more information, see CreateCertificateFromCSR in the AWS IoT API Reference.

Output

certificateArn -> (string)

The Amazon Resource Name (ARN) of the certificate. You can use the ARN as a principal for policy operations.

certificateId -> (string)

The ID of the certificate. Certificate management operations only take a certificateId.

certificatePem -> (string)

The certificate data, in PEM format.

© Copyright 2018, Amazon Web Services. Created using Sphinx.