AWS IOT devices and CA certificate


AWS IOT identifies and secures devices by putting an x509 certificate in each one.
I’d like to use this procedure with assigning certificates to AWS IOT devices.

I tried using a LetEncrypt certificate to do this, but it fails with this error…

An error occurred (CertificateValidationException) when calling the RegisterCACertificate operation: CA certificate is not valid. The CA certificate does not have the basicConstraints extension as true

This is complaining that the LetsEncrypt certificate lacks, basicConstraints = CA:TRUE, right?

So what are my options? Paying a small fortune for certificates is not practical, the devices are too cheap (~$10 retail). Is my only option a self signed CA?

Is there any real downside to using a self-signed CA for this? I need to be the CA since I need to control the certificates as they are issued. If anyone can make, they can clone the devices. I don’t mind if they get cloned, I just don’t want to be paying for the cloud services of some other company’s devices.

Another solution would be to get thousand of trust signed certificates and load them into both Amazon and the devices. AWS also supports doing it that way. This scheme is harder to keep track of since I have to explicitly list every valid certificate at Amazon.


Your own CA is completely appropriate here. The purpose of these certificates is to prove to AWS IOT that these are your devices, not somebody else’s. So Amazon have a procedure in place for you to prove this is your CA and then everything just works.

Let’s Encrypt has no role in this short of thing. Just follow Amazon’s instructions to Do It Yourself.

Big companies (or those with too much money) could pay a famous CA company to help them, but it’s like paying the Royal Mint to help make your chocolate coins for Xmas. It’s not necessary and might not even really help.


@tialaramex, this is my new favorite analogy for this topic and I hope to remember it and use it in other threads!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.