Claim certificates are X.509 certificates that allow devices to register as AWS IoT things and retrieve a unique X.509 device certificate to use for regular operations. After you create a claim certificate, you attach an AWS IoT policy that allows devices to use it to create unique device certificates and provision with a fleet provisioning template. Devices with the claim certificate can provision using only the provisioning template that you allow in the AWS IoT policy.
In this section, you create the claim certificate and configure it for devices to use with the fleet provisioning template that you created in the previous section.
Important
Provisioning claim private keys should be secured at all times, including on Greengrass core devices. We recommend that you use Amazon CloudWatch metrics and logs to monitor for indications of misuse, such as unauthorized use of the claim certificate to provision devices. If you detect misuse, disable the provisioning claim certificate so that it can't be used for device provisioning. For more information, see Monitoring AWS IoT in the AWS IoT Core Developer Guide.
To help you better manage the number of devices, and which devices, that register themselves in your AWS account, you can specify a pre-provisioning hook when you create a fleet provisioning template. A pre-provisioning hook is an AWS Lambda function that validates template parameters that devices provide during registration. For example, you might create a pre-provisioning hook that checks a device ID against a database to verify that the device has permission to provision. For more information, see Pre-provisioning hooks in the AWS IoT Core Developer Guide.
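The following is an added example of such a pre-provisioning hook; it is not code from the AWS IoT Greengrass documentation. It assumes the fleet provisioning template declares a SerialNumber parameter, that the hook is deployed as a Lambda function with lambda_handler as its entry point, and that the template ARN and the allowlist of shipped serial numbers shown here are stand-ins for your own values and your own manufacturing database.

```python
"""
Pre-provisioning hook for a Greengrass fleet provisioning template.

Added example, not code from the AWS IoT Greengrass documentation.
Assumptions: the template declares a "SerialNumber" parameter; the
EXPECTED_TEMPLATE_ARN and SHIPPED_SERIALS values below are constructed
placeholders for the real template and a real database lookup.
"""
import re

# Constructed sample data: serial numbers the factory actually shipped.
# In production this is a database query, not a literal set.
SHIPPED_SERIALS = {"GG-0001-7F3A", "GG-0002-9B12", "GG-0003-C4D8"}

# Hypothetical ARN of the template this hook serves. A hook should refuse
# requests that arrive through any other template.
EXPECTED_TEMPLATE_ARN = (
    "arn:aws:iot:us-west-2:123456789012:provisioningtemplate/"
    "GreengrassFleetProvisioningTemplate"
)

# Assumed serial format: GG-<4 digits>-<4 uppercase hex digits>.
SERIAL_PATTERN = re.compile(r"^GG-\d{4}-[0-9A-F]{4}$")


def validate_request(event):
    """Return (allowed, reason) for one provisioning request.

    `event` is the dict AWS IoT passes to a pre-provisioning hook. It
    carries templateArn, clientId, claimCertificateId, certificateId,
    certificatePem and the device-supplied `parameters` map. Kept as a
    pure function so it can be tested without Lambda.
    """
    if event.get("templateArn") != EXPECTED_TEMPLATE_ARN:
        return False, "unexpected template"
    params = event.get("parameters") or {}
    serial = params.get("SerialNumber")
    # Validate shape before the lookup so junk input never reaches the
    # database and cannot be used to probe it.
    if not isinstance(serial, str) or not SERIAL_PATTERN.match(serial):
        return False, "malformed SerialNumber"
    if serial not in SHIPPED_SERIALS:
        return False, "unknown SerialNumber"
    return True, "ok"


def lambda_handler(event, context):
    """Lambda entry point. AWS IoT acts only on `allowProvisioning`; the
    decision and its reason are printed so they land in CloudWatch Logs,
    where denied requests are the signal of claim-certificate misuse."""
    allowed, reason = validate_request(event)
    print(
        "provisioning decision",
        {
            "allow": allowed,
            "reason": reason,
            "clientId": event.get("clientId"),
            "claimCertificateId": event.get("claimCertificateId"),
            "serial": (event.get("parameters") or {}).get("SerialNumber"),
        },
    )
    return {"allowProvisioning": allowed}
```

Every request that the hook denies is worth an alarm: a device with a valid claim certificate but an unknown serial number is exactly the misuse the note above asks you to monitor for.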
To create a provisioning claim certificate and private key
1. Create a folder where you download the claim certificate and private key.
mkdir claim-certs
2. Create and save a certificate and private key to use for provisioning. AWS IoT provides client certificates that are signed by the Amazon Root certificate authority (CA).
Linux or Unix
aws iot create-keys-and-certificate \
  --certificate-pem-outfile "claim-certs/claim.pem.crt" \
  --public-key-outfile "claim-certs/claim.public.pem.key" \
  --private-key-outfile "claim-certs/claim.private.pem.key" \
  --set-as-active
Windows Command Prompt (CMD)
aws iot create-keys-and-certificate ^
  --certificate-pem-outfile "claim-certs/claim.pem.crt" ^
  --public-key-outfile "claim-certs/claim.public.pem.key" ^
  --private-key-outfile "claim-certs/claim.private.pem.key" ^
  --set-as-active
PowerShell
aws iot create-keys-and-certificate `
  --certificate-pem-outfile "claim-certs/claim.pem.crt" `
  --public-key-outfile "claim-certs/claim.public.pem.key" `
  --private-key-outfile "claim-certs/claim.private.pem.key" `
  --set-as-active
Install with fleet provisioning
If the request succeeds, the response contains information about the certificate, including its ARN (certificateArn) and ID (certificateId). Save the certificate's ARN to use later; the ID is what you need if you ever have to disable the certificate.
3. Create and attach an AWS IoT policy that allows devices to use the certificate to create unique device certificates and provision with the fleet provisioning template. The following policy allows access to the device provisioning MQTT API. For more information, see Device provisioning MQTT API in the AWS IoT Core Developer Guide.
Do the following:
a. Create a file that contains the AWS IoT policy document that Greengrass core devices require.
For example, on a Linux-based system, you can run the following command to use GNU nano to create the file.
nano greengrass-provisioning-claim-iot-policy.json
Copy the following JSON into the file.
• Replace each instance of region with the AWS Region where you set up fleet provisioning.
• Replace each instance of account-id with your AWS account ID.
• Replace each instance of GreengrassFleetProvisioningTemplate with the name of the fleet provisioning template that you created in the previous section.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iot:Connect",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iot:Publish",
        "iot:Receive"
      ],
      "Resource": [
        "arn:aws:iot:region:account-id:topic/$aws/certificates/create/*",
        "arn:aws:iot:region:account-id:topic/$aws/provisioning-templates/GreengrassFleetProvisioningTemplate/provision/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "iot:Subscribe",
      "Resource": [
        "arn:aws:iot:region:account-id:topicfilter/$aws/certificates/create/*",
        "arn:aws:iot:region:account-id:topicfilter/$aws/provisioning-templates/GreengrassFleetProvisioningTemplate/provision/*"
      ]
    }
  ]
}
b. Create an AWS IoT policy from the policy document.
• Replace GreengrassProvisioningClaimPolicy with the name of the policy to create.
aws iot create-policy --policy-name GreengrassProvisioningClaimPolicy --policy-document file://greengrass-provisioning-claim-iot-policy.json
The response looks similar to the following example, if the request succeeds.
{
  "policyName": "GreengrassProvisioningClaimPolicy",
  "policyArn": "arn:aws:iot:us-west-2:123456789012:policy/GreengrassProvisioningClaimPolicy",
  "policyDocument": "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Effect\": \"Allow\", \"Action\": \"iot:Connect\", \"Resource\": \"*\"}, {\"Effect\": \"Allow\", \"Action\": [\"iot:Publish\", \"iot:Receive\"], \"Resource\": [\"arn:aws:iot:region:account-id:topic/$aws/certificates/create/*\", \"arn:aws:iot:region:account-id:topic/$aws/provisioning-templates/GreengrassFleetProvisioningTemplate/provision/*\"]}, {\"Effect\": \"Allow\", \"Action\": \"iot:Subscribe\", \"Resource\": [\"arn:aws:iot:region:account-id:topicfilter/$aws/certificates/create/*\", \"arn:aws:iot:region:account-id:topicfilter/$aws/provisioning-templates/GreengrassFleetProvisioningTemplate/provision/*\"]}]}",
  "policyVersionId": "1"
}
4. Attach the AWS IoT policy to the provisioning claim certificate.
• Replace GreengrassProvisioningClaimPolicy with the name of the policy to attach.
• Replace the target ARN with the ARN of the provisioning claim certificate.
aws iot attach-policy --policy-name GreengrassProvisioningClaimPolicy --target arn:aws:iot:us-west-2:123456789012:cert/aa0b7958770878eabe251d8a7ddd547f4889c524c9b574ab9fbf65f32248b1d4
The command doesn't have any output if the request succeeds.
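Because the claim certificate and its private key are embedded in every manufactured device, the policy attached to it is the blast radius of a leaked claim key. The following added example (not code from the AWS IoT Greengrass documentation) generates the policy document from steps 3a and 3b with region, account ID and template name filled in, and audits any claim policy against an assumed least-privilege rule: apart from iot:Connect, the certificate may only publish, receive and subscribe on the certificate-creation topics and the provision topics of its own template. The create-policy and attach-policy calls themselves stay with the AWS CLI commands above.

```python
"""
Render and audit the provisioning-claim IoT policy.

Added example, not code from the AWS IoT Greengrass documentation. The
least-privilege rule in audit_claim_policy is an assumption of this
example: a claim certificate needs nothing beyond Connect plus the
$aws/certificates/create/* and
$aws/provisioning-templates/<template>/provision/* topics.
"""
import json

PROVISIONING_ACTIONS = ("iot:Connect", "iot:Publish", "iot:Receive", "iot:Subscribe")


def build_claim_policy(region, account_id, template_name):
    """Return the policy document from the procedure above as a dict,
    with region, account-id and the template name substituted."""
    base = f"arn:aws:iot:{region}:{account_id}"
    topics = [
        f"{base}:topic/$aws/certificates/create/*",
        f"{base}:topic/$aws/provisioning-templates/{template_name}/provision/*",
    ]
    # Subscribe is authorised on topicfilter ARNs, not topic ARNs.
    filters = [t.replace(":topic/", ":topicfilter/", 1) for t in topics]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"], "Resource": topics},
            {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": filters},
        ],
    }


def render_policy_file(region, account_id, template_name):
    """JSON text suitable for greengrass-provisioning-claim-iot-policy.json."""
    return json.dumps(build_claim_policy(region, account_id, template_name), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_claim_policy(policy, template_name):
    """Return a list of findings; an empty list means the policy grants no
    more than the provisioning flow for `template_name` requires.

    Flagged: Allow statements for any action outside PROVISIONING_ACTIONS
    (including iot:* wildcards), and Publish/Receive/Subscribe resources
    whose topic is not one of the two provisioning topics.
    """
    findings = []
    ok_topics = {
        "$aws/certificates/create/*",
        f"$aws/provisioning-templates/{template_name}/provision/*",
    }
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action not in PROVISIONING_ACTIONS:
                findings.append(f"statement {i}: claim certificate should not be allowed {action}")
                continue
            if action == "iot:Connect":
                continue
            kind = ":topicfilter/" if action == "iot:Subscribe" else ":topic/"
            for res in resources:
                # Take the topic after the ARN's resource-type prefix; a bare
                # "*" or a foreign topic means a leaked claim key could reach
                # the rest of the account's MQTT namespace.
                topic = res.split(kind, 1)[1] if kind in res else None
                if topic not in ok_topics:
                    findings.append(
                        f"statement {i}: {action} on {res} is broader than provisioning needs"
                    )
    return findings


if __name__ == "__main__":
    # Stand-alone run: write the policy file and audit what was written.
    text = render_policy_file("us-west-2", "123456789012", "GreengrassFleetProvisioningTemplate")
    with open("greengrass-provisioning-claim-iot-policy.json", "w") as fh:
        fh.write(text)
    print(audit_claim_policy(json.loads(text), "GreengrassFleetProvisioningTemplate"))
```

Run the audit against the policy you actually attached (for example the policyDocument field returned by aws iot get-policy) rather than only against the file you wrote; the two drift when someone edits the policy in the console later.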
You now have a provisioning claim certificate and private key that devices can use to register with AWS IoT and provision themselves as Greengrass core devices. You can embed the claim certificate and private key in devices during manufacturing, or copy the certificate and key to devices before you install the AWS IoT Greengrass Core software. For more information, see Install AWS IoT Greengrass Core software with AWS IoT fleet provisioning (p. 100).