
How do I download my IoT certificate created via CloudFormation?


I'm using AWS CloudFormation to create an IoT Thing, Policy and Certificate. My stack creates successfully, however, I can't access the certificate file that CloudFormation creates.

Looking at the AWS docs here, the only output you can get from the certificate via CloudFormation is the ARN and the Certificate ID. However, there is no way to retrieve your certificate using the ARN or Certificate ID that I can see.

If you upload your certificate signing request (CSR) via the AWS IoT Console, it displays a download link from which you can get your certificate file.


Unfortunately, I need to use CloudFormation to create the IoT Certificate. However, it looks like you can download the certificate after it's been created. Specifically, it states:

Certificates can be retrieved at any time

I have been unsuccessfully scouring the docs and web interface to figure out how I can download my certificate "at any time". I'm relatively new to the whole world of certs and private keys so hopefully I missed something easy.

Does anyone know if it is possible to get your certificate from an IoT Certificate created by CloudFormation?


Solution

  • Certificates created using CloudFormation (via a CSR) can be retrieved in the following ways

    AWS IoT webpage

    Just navigate to Security - Certificates, click on ..., and select Download.


    AWS CLI

    As you mention, the CLI is also an option:

    aws iot describe-certificate --certificate-id fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3
    

    This will return

    {
        "certificateDescription": {
            "certificateArn": "arn:aws:iot:eu-central-1:xxxxxx",
            "status": "ACTIVE",
            "certificateId": "fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3",
            "lastModifiedDate": 1519840881.49,
            "certificatePem": "-----BEGIN CERTIFICATE-----\nMIIDsTCCApmg.....VsAzFQ==\n-----END CERTIFICATE-----\n",
            "transferData": {},
            "ownedBy": "123456789",
            "creationDate": 1519840820.888
        }
    }


    Amazon IoT SDK

    This can also be used to retrieve the certificate content (PEM format) as a String based on a certificate ID (which you can output via CloudFormation):

    import com.amazonaws.services.iot.AWSIot;
    import com.amazonaws.services.iot.AWSIotClientBuilder;
    import com.amazonaws.services.iot.model.DescribeCertificateRequest;
    import com.amazonaws.services.iot.model.DescribeCertificateResult;

    // Client built from the default credential and region provider chains
    AWSIot awsIot = AWSIotClientBuilder.defaultClient();

    DescribeCertificateRequest describeCertificateRequest = new DescribeCertificateRequest();
    describeCertificateRequest.setCertificateId("fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd371fcd3");
    DescribeCertificateResult describeCertificateResult = awsIot.describeCertificate(describeCertificateRequest);
    // The certificate body, PEM encoded, same as the certificatePem field returned by the CLI
    String certificatePem = describeCertificateResult.getCertificateDescription().getCertificatePem();


    AFAIK it is not possible to output it as a variable within a CloudFormation template.
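Putting the CLI/SDK lookup from the answer into a script: this added example (not from the original answer or from AWS) takes the certificate ID that the stack outputs, calls `describe_certificate` on a boto3 IoT client (the same API the `aws iot describe-certificate` command uses), sanity-checks the PEM, and stores it with owner-only permissions. `FakeIotClient`, `SAMPLE_CERT_ID` and `SAMPLE_PEM` are constructed stand-ins so it runs offline; pass `boto3.client("iot")` instead for a real account.

```python
import base64
import os
import tempfile

def pem_from_describe_response(response: dict) -> str:
    """Extract and sanity-check certificatePem from a describe-certificate reply."""
    pem = response["certificateDescription"]["certificatePem"]
    lines = pem.strip().splitlines()
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----" \
            or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("response does not contain a PEM certificate")
    der = base64.b64decode("".join(lines[1:-1]), validate=True)
    if not der or der[0] != 0x30:  # DER certificates begin with a SEQUENCE tag
        raise ValueError("certificate body is not DER")
    return pem if pem.endswith("\n") else pem + "\n"

def fetch_certificate(iot_client, certificate_id: str) -> str:
    """iot_client is boto3.client('iot') or any object exposing the same
    describe_certificate(certificateId=...) call (mirrors the CLI command)."""
    response = iot_client.describe_certificate(certificateId=certificate_id)
    return pem_from_describe_response(response)

def write_pem(pem: str, path: str) -> int:
    """Store the PEM with mode 0600 so other local users cannot read it; returns the mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)  # in case the file pre-existed with wider permissions
    return os.stat(path).st_mode & 0o777

# Constructed stand-in for the boto3 client so the example runs offline.
# The PEM body is a minimal DER SEQUENCE, not a real certificate.
SAMPLE_CERT_ID = "fcd371" * 10 + "fcd3"  # the 64-hex certificate ID used in the answer
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

class FakeIotClient:
    def describe_certificate(self, certificateId):
        return {"certificateDescription": {"certificateId": certificateId,
                                           "status": "ACTIVE",
                                           "certificatePem": SAMPLE_PEM}}

if __name__ == "__main__":
    pem = fetch_certificate(FakeIotClient(), SAMPLE_CERT_ID)  # boto3.client("iot") for real
    path = os.path.join(tempfile.mkdtemp(), "certificate.pem")
    print("wrote", path, "mode", oct(write_pem(pem, path)))
```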