I'm using AWS CloudFormation to create an IoT Thing
, Policy
and Certificate
. My stack creates successfully, however, I can't access the certificate file that CloudFormation creates.
Looking at the aws docs here the only output you can get from the certificate via CloudFormation is the ARN
and the Certificate ID
. However, there is no way to retrieve your certificate using the ARN
or Certificate ID
that I can see.
If you upload your certificate signing request (CSR) via the AWS IoT Console, it displays a download link that you can get your certificate file.
Unfortunately I need to use CloudFormation to create the IoT Certificate
. However it looks like you can download the certificate after it's been created. Specifically it states:
Certificates can be retrieved at any time
I have been unsuccessfully scouring the docs and web interface to figure out how I can download my certificate "at any time". I'm relatively new to the whole world of certs and private keys so hopefully I missed something easy.
Does anyone know if it is possible to get your certificate from an IoT Certificate
created by CloudFormation?
Certificates created using CloudFormation (Via a CSR) can be retrieved via the following ways
Aws IoT webpage
Just navigate to Security - Certificates, click on ...
and select Download.
AWS CLI
As you mention the CLI is also an option
aws iot describe-certificate --certificate-id fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3
Will return
{
"certificateDescription": {
"certificateArn": "arn:aws:iot:eu-central-1:xxxxxx",
"status": "ACTIVE",
"certificateId": "fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3",
"lastModifiedDate": 1519840881.49,
"certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDsTCCApmg.....VsAzFQ==\n-----END CERTIFICATE-----\n",
"transferData": {},
"ownedBy": "123456789",
"creationDate": 1519840820.888
}
Amazon IoT SDK
Can also be used to retrieve the certificate content (PEM format) as a String based on a certificate ID (that you can output via cloudformation)
import com.amazonaws.services.iot.AWSIot;
import com.amazonaws.services.iot.AWSIotClientBuilder;
import com.amazonaws.services.iot.model.DescribeCertificateRequest;
import com.amazonaws.services.iot.model.DescribeCertificateResult;
DescribeCertificateRequest describeCertificateRequest = new DescribeCertificateRequest();
describeCertificateRequest.setCertificateId("fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3");
DescribeCertificateResult describeCertificateResult = awsIot.describeCertificate(describeCertificateRequest);
describeCertificateResult.getCertificateDescription().getCertificatePem();
AFAIK it is not possible to output it as a variable within a cloudformation template.