

# Domain configurations
<a name="iot-custom-endpoints-configurable"></a>

In AWS IoT Core, you can use domain configurations to configure and manage the behaviors of your data endpoints. With domain configurations, you can generate multiple AWS IoT Core data endpoints, customize them with your own fully qualified domain names (FQDN) and associated server certificates, and also associate a custom authorizer. For more information, see [Custom authentication and authorization](custom-authentication.md).

**Note**  
This feature is not available in AWS GovCloud (US) AWS Regions.

**Topics**
+ [What is a domain configuration?](iot-domain-configuration-what-is.md)
+ [Creating and configuring AWS managed domains](iot-custom-endpoints-configurable-aws.md)
+ [Creating and configuring customer managed domains](iot-custom-endpoints-configurable-custom.md)
+ [Managing domain configurations](iot-custom-endpoints-managing.md)
+ [Configuring TLS settings in domain configurations](iot-endpoints-tls-config.md)
+ [Server certificate configuration for OCSP stapling](iot-custom-endpoints-cert-config.md)

# What is a domain configuration?
<a name="iot-domain-configuration-what-is"></a>

In AWS IoT Core, a domain configuration refers to the setup and configuration of a domain (either AWS managed domain or customer managed domain) for your AWS IoT Core data endpoints. AWS IoT Core also provides a default endpoint for your AWS account (`iot:Data-ATS`) for devices to communicate with AWS IoT Core.

**Topics**
+ [Use cases](#iot-custom-endpoints-configurable-use-cases)
+ [Key concepts](#iot-domain-configuration-key-concepts)
+ [Important notes](#iot-custom-endpoints-configurable-notes)

## Use cases
<a name="iot-custom-endpoints-configurable-use-cases"></a>

You can use domain configurations to simplify tasks like the following.
+ Migrate devices to AWS IoT Core.
+ Support heterogeneous device fleets by maintaining separate domain configurations for separate device types.
+ Maintain brand identity (for example, through domain name) while migrating application infrastructure to AWS IoT Core.

## Key concepts
<a name="iot-domain-configuration-key-concepts"></a>

The following concepts provide details about domain configurations and related concepts.
+ **Domain configuration**

  The setup and configuration of a domain for your AWS IoT Core endpoints.
+ **Default endpoint domain**

  The domain that AWS IoT provides with the default endpoint such as `iot:Data-ATS`. To find the default endpoint, run the [describe-endpoint](https://docs.aws.amazon.com//cli/latest/reference/iot/describe-endpoint.html) or [describe-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/describe-domain-configuration.html) CLI command. Alternatively, go to AWS IoT Core console, choose **Domain configurations** from **Connect** on the left navigation. The default endpoint is listed with the name `iot:Data-ATS`.
+ **AWS managed domain**

  The domain that AWS will manage. Choosing AWS managed domain means that your devices will connect using a data endpoint provided by AWS. AWS will manage the domain and the certificates.
+ **Customer managed domain**

  The domain that you will manage. Also known as custom domain. Choosing customer managed domain means that your devices will connect using a custom domain data endpoint. You will manage the domain and the certificates. Customer managed domain allows you to tailor the endpoint URLs to suit your needs. For example, you can use a custom domain name (`your-domain-name.com`) or apply specific access policies.
+ **Authentication type**

  The authentication type that you choose to authenticate your devices when connecting to AWS IoT Core. When creating a domain configuration, you must specify an authentication type. For more information, see [Choosing an authentication type for your device communication](protocols.md#connection-protocol-auth-mode).
+ **Application protocol**

  The application layer protocols which your devices use when connecting to AWS IoT Core. When creating a domain configuration, you must specify an application protocol. For more information, see [Choosing an application protocol for your device communication](protocols.md#protocol-selection).

## Important notes
<a name="iot-custom-endpoints-configurable-notes"></a>

AWS IoT Core uses the [server name indication (SNI) TLS extension](https://www.rfc-editor.org/rfc/rfc3546) to apply domain configurations. When connecting devices to AWS IoT Core, clients can send the [Server Name Indication (SNI) extension](https://tools.ietf.org/html/rfc3546#section-3.1), which is required for features such as [multi-account registration](https://docs.aws.amazon.com//iot/latest/developerguide/x509-client-certs.html#multiple-account-cert), [configurable endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/iot-custom-endpoints-configurable.html), [custom domains](https://docs.aws.amazon.com//iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html), and [VPC endpoints](https://docs.aws.amazon.com//iot/latest/developerguide/IoTCore-VPC.html). They also must pass a server name that is identical to the domain name that you specify in the domain configuration. To test this service, use the v2 version of the [AWS IoT Device SDKs](https://github.com/aws) in GitHub.

If you create multiple data endpoints in your AWS account, they will share AWS IoT Core resources such as MQTT topics, device shadows, and rules.

When you provide the server certificates for AWS IoT Core custom domain configuration, the certificates have a maximum of four domain names. For more information, see [AWS IoT Core endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/iot-core.html#security-limits).

# Creating and configuring AWS managed domains
<a name="iot-custom-endpoints-configurable-aws"></a>

You create a configurable endpoint on an AWS managed domain by using the [CreateDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_CreateDomainConfiguration.html) API. A domain configuration for an AWS managed domain consists of the following:
+ `domainConfigurationName`

  A user-defined name that identifies the domain configuration and the value must be unique to your AWS Region. You can't use domain configuration names that start with `IoT:` because they are reserved for default endpoints.
+ `defaultAuthorizerName` (optional)

  The name of the custom authorizer to use on the endpoint.
+ `allowAuthorizerOverride` (optional)

  A Boolean value that specifies whether devices can override the default authorizer by specifying a different authorizer in the HTTP header of the request. This value is required if a value for `defaultAuthorizerName` is specified.
+ `serviceType` (optional)

  The service type that the endpoint delivers. AWS IoT Core only supports the `DATA` service type. When you specify `DATA`, AWS IoT Core returns an endpoint with an endpoint type of `iot:Data-ATS`. You can't create a configurable `iot:Data` (VeriSign) endpoint.
+ `TlsConfig` (optional)

  An object that specifies the TLS configuration for a domain. For more information, see [Configuring TLS settings in domain configurations](iot-endpoints-tls-config.md).

The following example AWS CLI command creates a domain configuration for a `Data` endpoint.

```
aws iot create-domain-configuration --domain-configuration-name "myDomainConfigurationName" --service-type "DATA"
```

The output of the command can look like the following.

```
{
    "domainConfigurationName": "myDomainConfigurationName",
    "domainConfigurationArn": "arn:aws:iot:us-east-1:123456789012:domainconfiguration/myDomainConfigurationName/itihw"
}
```

# Creating and configuring customer managed domains
<a name="iot-custom-endpoints-configurable-custom"></a>

Domain configurations let you specify a custom fully qualified domain name (FQDN) to connect to AWS IoT Core. There are many benefits of using customer managed domains (also known as custom domains): you can expose your own domain or your company's own domain to customers for branding purposes; you can easily change your own domain to point to a new broker; you can support multi-tenancy to serve customers with different domains within the same AWS account; and you can manage your own server certificates details, such as the root certificate authority (CA) used to sign the certificate, the signature algorithm, the certificate chain depth, and the lifecycle of the certificate.

The workflow to set up a domain configuration with a custom domain consists of the following three stages.

1. [Registering Server Certificates in AWS Certificate Manager](#iot-custom-endpoints-configurable-custom-register-certificate)

1. [Creating a Domain Configuration](#iot-custom-endpoints-configurable-custom-domain-config)

1. [Creating DNS Records](#iot-custom-endpoints-configurable-custom-dns)

## Registering server certificates in AWS certificate manager
<a name="iot-custom-endpoints-configurable-custom-register-certificate"></a>

Before you create a domain configuration with a custom domain, you must register your server certificate chain in [AWS Certificate Manager (ACM)](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html). You can use the following three types of server certificates.
+ [ACM Generated Public Certificates](#iot-custom-endpoints-configurable-custom-register-certificate-acm)
+ [External Certificates Signed by a Public CA](#iot-custom-endpoints-configurable-custom-register-certificate-pubext)
+ [External Certificates Signed by a Private CA](#iot-custom-endpoints-configurable-custom-register-certificate-privext)

**Note**  
AWS IoT Core considers a certificate to be signed by a public CA if it's included in [Mozilla's trusted ca-bundle](https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt?raw=1).

### Certificate requirements
<a name="certificate-requirements"></a>

See [Prerequisites for Importing Certificates](/acm/latest/userguide/import-certificate-prerequisites.html) for the requirements for importing certificates into ACM. In addition to these requirements, AWS IoT Core adds the following requirements.
+ The leaf certificate must include the **Extended Key Usage** x509 v3 extension with a value of **serverAuth** (TLS Web Server Authentication). If you request the certificate from ACM, this extension is automatically added.
+ The maximum certificate chain depth is 5 certificates.
+ The maximum certificate chain size is 16KB.
+ The cryptographic algorithms and key sizes that are supported include RSA 2048 bit (`RSA_2048`) and ECDSA 256 bit (`EC_prime256v1`).

### Using one certificate for multiple domains
<a name="one-certificate-for-multiple-domains"></a>

If you plan to use one certificate to cover multiple subdomains, use a wildcard domain in the common name (CN) or Subject Alternative Names (SAN) field. For example, use **\*.iot.example.com** to cover dev.iot.example.com, qa.iot.example.com, and prod.iot.example.com. Each FQDN requires its own domain configuration, but more than one domain configuration can use the same wildcard value. Either the CN or the SAN must cover the FQDN that you want to use as a custom domain. If SANs are present, the CN is ignored and a SAN must cover the FQDN that you want to use as a custom domain. This coverage can be an exact match or a wildcard match. After a wildcard certificate has been validated and registered to an account, other accounts in the region are blocked from creating custom domains that overlap with the certificate.
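The following script is an added example (it is not part of the AWS documentation or the AWS SDKs) that applies the certificate requirements and the CN/SAN coverage rule from the two sections above before you call `ImportCertificate`. It checks the chain depth and size limits directly on the PEM text and implements the coverage rule (SANs present: CN ignored; exact or leftmost-label wildcard match). Because the stdlib cannot decode X.509 fields, the CN, SANs and Extended Key Usage are passed in explicitly; in practice you read them with `openssl x509 -noout -subject -ext subjectAltName,extendedKeyUsage -in leaf.pem`. The PEM chain in the block is constructed placeholder text, not a real certificate.

```python
from __future__ import annotations

import base64
import re

MAX_CHAIN_DEPTH = 5           # AWS IoT Core limit stated on this page
MAX_CHAIN_BYTES = 16 * 1024   # AWS IoT Core limit stated on this page

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_chain(pem_text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM chain, in file order (leaf first)."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def check_chain_limits(pem_text: str) -> list[str]:
    """Problems with chain depth and size; an empty list means the chain is within limits."""
    problems = []
    certs = split_chain(pem_text)
    if not certs:
        problems.append("no PEM certificate blocks found")
    if len(certs) > MAX_CHAIN_DEPTH:
        problems.append(f"chain depth {len(certs)} exceeds the maximum of {MAX_CHAIN_DEPTH}")
    size = len(pem_text.encode())
    if size > MAX_CHAIN_BYTES:
        problems.append(f"chain size {size} bytes exceeds the maximum of {MAX_CHAIN_BYTES}")
    return problems


def name_matches(pattern: str, fqdn: str) -> bool:
    """Exact match, or a wildcard in the leftmost label only (*.iot.example.com).

    Assumes standard leftmost-label wildcard semantics: *.iot.example.com covers
    dev.iot.example.com but neither iot.example.com nor a.b.iot.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        head, _, tail = fqdn.partition(".")
        return bool(head) and "." + tail == pattern[1:]
    return False


def fqdn_covered(fqdn: str, common_name: str, sans: list[str]) -> bool:
    """The page's rule: when SANs are present the CN is ignored and a SAN must cover the FQDN."""
    candidates = sans if sans else [common_name]
    return any(name_matches(name, fqdn) for name in candidates)


def precheck(pem_text: str, fqdn: str, common_name: str, sans: list[str],
             extended_key_usage: list[str]) -> list[str]:
    """Combine the chain limits, the serverAuth EKU requirement and the name coverage rule."""
    problems = check_chain_limits(pem_text)
    if "serverAuth" not in extended_key_usage:
        problems.append("leaf certificate lacks Extended Key Usage serverAuth")
    if not fqdn_covered(fqdn, common_name, sans):
        problems.append(f"neither the CN nor a SAN covers {fqdn}")
    return problems


def _placeholder_pem(label: str) -> str:
    """Constructed PEM block with placeholder bytes; it is NOT a real certificate."""
    body = base64.b64encode(f"constructed placeholder: {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed two-certificate chain (leaf, then intermediate), the shape an ACM import carries.
CONSTRUCTED_CHAIN = _placeholder_pem("leaf") + _placeholder_pem("intermediate")

if __name__ == "__main__":
    print(precheck(CONSTRUCTED_CHAIN, "dev.iot.example.com", "iot.example.com",
                   ["*.iot.example.com"], ["serverAuth"]))
```

Run `precheck` once per FQDN you intend to register; a wildcard SAN passes for every sibling subdomain, while the bare parent name (`iot.example.com`) needs its own exact entry.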

The following sections describe how to get each type of certificate. Every certificate resource requires an Amazon Resource Name (ARN) registered with ACM that you use when you create your domain configuration.

### ACM-generated public certificates
<a name="iot-custom-endpoints-configurable-custom-register-certificate-acm"></a>

You can generate a public certificate for your custom domain by using the [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) API. When you generate a certificate in this way, ACM validates your ownership of the custom domain. For more information, see [Request a Public Certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html) in the *AWS Certificate Manager User Guide*.

### External certificates signed by a public CA
<a name="iot-custom-endpoints-configurable-custom-register-certificate-pubext"></a>

If you already have a server certificate that is signed by a public CA (a CA that is included in Mozilla's trusted ca-bundle), you can import the certificate chain directly into ACM by using the [ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html) API. To learn more about this task and the prerequisites and certificate format requirements, see [Importing Certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html).

### External certificates signed by a private CA
<a name="iot-custom-endpoints-configurable-custom-register-certificate-privext"></a>

If you already have a server certificate that is signed by a private CA or self-signed, you can use the certificate to create your domain configuration, but you also must create an extra public certificate in ACM to validate ownership of your domain. To do this, register your server certificate chain in ACM using the [ImportCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_ImportCertificate.html) API. To learn more about this task and the prerequisites and certificate format requirements, see [Importing Certificates](https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html). 

### Creating a validation certificate
<a name="iot-custom-endpoints-configurable-create-validation-certificate"></a>

After you import your certificate to ACM, generate a public certificate for your custom domain by using the [RequestCertificate](https://docs.aws.amazon.com/acm/latest/APIReference/API_RequestCertificate.html) API. When you generate a certificate in this way, ACM validates your ownership of the custom domain. For more information, see [Request a Public Certificate](https://docs.aws.amazon.com/acm/latest/userguide/gs-acm-request-public.html). When you create your domain configuration, use this public certificate as your validation certificate.

## Creating a domain configuration
<a name="iot-custom-endpoints-configurable-custom-domain-config"></a>

You create a configurable endpoint on a custom domain by using the [CreateDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_CreateDomainConfiguration.html) API. A domain configuration for a custom domain consists of the following:
+ `domainConfigurationName`

  A user-defined name that identifies the domain configuration. Domain configuration names starting with `IoT:` are reserved for default endpoints and can't be used. Also, this value must be unique to your AWS Region. 
+ `domainName`

  The FQDN that your devices use to connect to AWS IoT Core. AWS IoT Core leverages the server name indication (SNI) TLS extension to apply domain configurations. Devices must use this extension when connecting and pass a server name that is identical to the domain name that is specified in the domain configuration.
+ `serverCertificateArns`

  The ARN of the server certificate chain that you registered with ACM. AWS IoT Core currently supports only one server certificate. 
+ `validationCertificateArn`

  The ARN of the public certificate that you generated in ACM to validate ownership of your custom domain. This argument isn't required if you use a publicly signed or ACM-generated server certificate. 
+ `defaultAuthorizerName` (optional)

  The name of the custom authorizer to use on the endpoint.
+ `allowAuthorizerOverride`

  A Boolean value that specifies whether devices can override the default authorizer by specifying a different authorizer in the HTTP header of the request. This value is required if a value for `defaultAuthorizerName` is specified. 
+ `serviceType`

  AWS IoT Core currently supports only the `DATA` service type. When you specify `DATA`, AWS IoT returns an endpoint with an endpoint type of `iot:Data-ATS`. 
+ `TlsConfig` (optional)

  An object that specifies the TLS configuration for a domain. For more information, see [Configuring TLS settings in domain configurations](iot-endpoints-tls-config.md).
+ `serverCertificateConfig` (optional)

  An object that specifies the server certificate configuration for a domain. For more information, see [Server certificate configuration for OCSP stapling](iot-custom-endpoints-cert-config.md).

The following AWS CLI command creates a domain configuration for **iot.example.com**.

```
aws iot create-domain-configuration --domain-configuration-name "myDomainConfigurationName" --service-type "DATA" \
    --domain-name "iot.example.com" --server-certificate-arns serverCertARN --validation-certificate-arn validationCertArn
```

**Note**  
After you create your domain configuration, it might take up to 60 minutes until AWS IoT Core serves your custom server certificates.

For more information, see [Managing domain configurations](iot-custom-endpoints-managing.md).

## Creating DNS records
<a name="iot-custom-endpoints-configurable-custom-dns"></a>

After you register your server certificate chain and create your domain configuration, create a DNS record so that your custom domain points to an AWS IoT domain. This record must point to an AWS IoT endpoint of type `iot:Data-ATS`. You can get your endpoint by using the [DescribeEndpoint](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeEndpoint.html) API. 

The following AWS CLI command shows how to get your endpoint.

```
aws iot describe-endpoint --endpoint-type iot:Data-ATS
```

After you get your `iot:Data-ATS` endpoint, create a `CNAME` record from your custom domain to this AWS IoT endpoint. If you create multiple custom domains in the same AWS account, alias them to this same `iot:Data-ATS` endpoint.
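The block below is an added example (not AWS code) of the DNS step: it builds the Route 53 change batch that points one or more custom domains at the same `iot:Data-ATS` endpoint, as the paragraph above requires, and rejects two mistakes a practitioner runs into: pointing at a legacy non-ATS endpoint (the host name lacks `-ats`) and trying to put a CNAME at the zone apex, which DNS does not allow. The endpoint value is the one shown elsewhere on this page; the hosted zone, the domain names and the boto3 call are assumptions about your environment.

```python
from __future__ import annotations

import re

# Shape of an iot:Data-ATS endpoint, derived from the sample value on this page
# (d1234567890abcdefghij-ats.iot.us-west-2.amazonaws.com); China Regions end in amazonaws.com.cn.
ATS_ENDPOINT_RE = re.compile(r"^[a-z0-9]+-ats\.iot\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so names compare reliably."""
    return name.strip().lower().rstrip(".")


def is_ats_endpoint(endpoint: str) -> bool:
    """True only for an iot:Data-ATS endpoint; the legacy iot:Data (VeriSign) host has no '-ats'."""
    return ATS_ENDPOINT_RE.match(normalize(endpoint)) is not None


def cname_change_batch(custom_domains: list[str], ats_endpoint: str,
                       hosted_zone_name: str, ttl: int = 300) -> dict:
    """Route 53 ChangeBatch that points every custom domain at the same iot:Data-ATS endpoint."""
    target = normalize(ats_endpoint)
    if not is_ats_endpoint(target):
        raise ValueError(f"{ats_endpoint!r} is not an iot:Data-ATS endpoint")
    zone = normalize(hosted_zone_name)
    changes = []
    for domain in custom_domains:
        name = normalize(domain)
        if name == zone:
            # A CNAME cannot coexist with the SOA/NS records at the zone apex (RFC 1034).
            raise ValueError(f"{name} is the zone apex; use a subdomain such as iot.{zone}")
        if not name.endswith("." + zone):
            raise ValueError(f"{name} is not inside hosted zone {zone}")
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name + ".",
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": target}],
            },
        })
    return {"Comment": "AWS IoT Core custom domains -> iot:Data-ATS endpoint", "Changes": changes}


def apply_change_batch(hosted_zone_id: str, batch: dict) -> str:
    """Submit the batch with boto3 (assumption: boto3 installed and credentials configured)."""
    import boto3
    route53 = boto3.client("route53")
    resp = route53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return resp["ChangeInfo"]["Id"]


# Constructed sample values: the endpoint is the sample from this page, the zone is fictitious.
SAMPLE_ENDPOINT = "d1234567890abcdefghij-ats.iot.us-west-2.amazonaws.com"
SAMPLE_DOMAINS = ["iot.example.com", "dev.iot.example.com"]

if __name__ == "__main__":
    import json
    print(json.dumps(cname_change_batch(SAMPLE_DOMAINS, SAMPLE_ENDPOINT, "example.com"), indent=2))
```

Take the endpoint string straight from `aws iot describe-endpoint --endpoint-type iot:Data-ATS`; a domain configuration is only applied when the TLS client's SNI carries the custom name, so the CNAME must resolve to the ATS host while devices still connect using the custom FQDN.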

## Troubleshooting
<a name="iot-custom-endpoints-configurable-troubleshoot"></a>

If you have trouble connecting devices to a custom domain, make sure that AWS IoT Core has accepted and applied your server certificate. You can verify that AWS IoT Core has accepted your certificate by using either the AWS IoT Core console or the AWS CLI.

To use the AWS IoT Core console, navigate to the **Domain configurations** page and select the domain configuration name. In the **Server certificate details** section, check the status and status details. If the certificate is invalid, replace it in ACM with a certificate that meets the [certificate requirements](#certificate-requirements) listed in the previous section. If the replacement certificate has the same ARN, AWS IoT Core will pick it up and apply it automatically.

To check the certificate status by using the AWS CLI, call the [DescribeDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeDomainConfiguration.html) API and specify your domain configuration name.

**Note**  
If your certificate is invalid, AWS IoT Core will continue to serve the last valid certificate.

You can check which certificate is being served on your endpoint by using the following openssl command.

```
openssl s_client -connect custom-domain-name:8883 -showcerts -servername custom-domain-name
```
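The following is an added example (not AWS code) that automates the check above: it runs the page's `openssl s_client -showcerts` command with SNI, parses the printed certificate chain, and compares the SHA-256 fingerprint of the served leaf certificate with the fingerprint of the certificate you imported into ACM, which you obtain with `openssl x509 -noout -fingerprint -sha256 -in leaf.pem`. A mismatch after a rotation means AWS IoT Core is still serving the previous certificate (for example because the new one failed validation). The `openssl` output embedded in the block is constructed, and its PEM bodies are placeholder bytes rather than real certificates; the live function `check_custom_domain` is the only part that touches the network.

```python
from __future__ import annotations

import base64
import hashlib
import re
import subprocess

ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)$")    # " 0 s:CN = iot.example.com"
ISSUER_RE = re.compile(r"^\s*i:(.*)$")         # "   i:C = US, O = ..."


def run_showcerts(host: str, port: int = 8883, timeout: int = 15) -> str:
    """Run the page's openssl command (SNI via -servername) and return its combined output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts", "-servername", host]
    result = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return result.stdout.decode(errors="replace") + result.stderr.decode(errors="replace")


def parse_showcerts(output: str) -> list[dict]:
    """Parse the 'Certificate chain' section into [{depth, subject, issuer, der}], leaf first."""
    chain: list[dict] = []
    current = None
    pem_lines: list[str] = []
    in_pem = False
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m and not in_pem:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": "", "der": b""}
            chain.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None and not in_pem:
            current["issuer"] = m.group(1).strip()
            continue
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            in_pem, pem_lines = True, []
        elif line.startswith("-----END CERTIFICATE-----"):
            in_pem = False
            if current is not None:
                current["der"] = base64.b64decode("".join(pem_lines))
        elif in_pem:
            pem_lines.append(line.strip())
    return chain


def sha256_fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 of the DER encoding, the value openssl prints with colons."""
    return hashlib.sha256(der).hexdigest()


def verify_served_leaf(output: str, expected_fingerprint: str) -> dict:
    """Compare the served leaf certificate with the fingerprint you expect (colons/prefix tolerated)."""
    chain = parse_showcerts(output)
    if not chain:
        return {"ok": False, "reason": "no certificate chain in output; check SNI and connectivity"}
    expected = expected_fingerprint.split("=")[-1].replace(":", "").lower()
    served = sha256_fingerprint(chain[0]["der"])
    return {"ok": served == expected, "served": served, "subject": chain[0]["subject"], "depth": len(chain)}


def check_custom_domain(host: str, expected_fingerprint: str) -> dict:
    """Live check against your custom domain (network call)."""
    return verify_served_leaf(run_showcerts(host), expected_fingerprint)


# ---- constructed sample data (placeholder bytes, NOT real certificates) ----
LEAF_DER = b"constructed placeholder leaf, not a real certificate"
INTERMEDIATE_DER = b"constructed placeholder intermediate, not a real certificate"


def _pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----"


SAMPLE_OUTPUT = f"""CONNECTED(00000003)
depth=1 C = US, O = Example CA, CN = Example Issuing CA
verify return:1
---
Certificate chain
 0 s:CN = iot.example.com
   i:C = US, O = Example CA, CN = Example Issuing CA
{_pem(LEAF_DER)}
 1 s:C = US, O = Example CA, CN = Example Issuing CA
   i:C = US, O = Example CA, CN = Example Root CA
{_pem(INTERMEDIATE_DER)}
---
Server certificate
subject=CN = iot.example.com
"""
# In practice this comes from `openssl x509 -noout -fingerprint -sha256 -in leaf.pem`.
EXPECTED_FINGERPRINT = sha256_fingerprint(LEAF_DER)

if __name__ == "__main__":
    print(verify_served_leaf(SAMPLE_OUTPUT, EXPECTED_FINGERPRINT))
```

Run `check_custom_domain("iot.example.com", "<fingerprint of the ACM certificate>")` right after the 60-minute propagation window described above; because a domain configuration is selected by SNI, always pass the custom FQDN as `-servername`, or you will be looking at the default endpoint's certificate instead.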

# Managing domain configurations
<a name="iot-custom-endpoints-managing"></a>

This topic covers key operations for you to manage your domain configuration resources. You can also manage the lifecycles of existing configurations by using the following APIs: [ListDomainConfigurations](https://docs.aws.amazon.com/iot/latest/apireference/API_ListDomainConfigurations.html), [DescribeDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeDomainConfiguration.html), [UpdateDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_UpdateDomainConfiguration.html), and [DeleteDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_DeleteDomainConfiguration.html).

**Topics**
+ [Viewing domain configurations](#iot-custom-endpoints-managing-view)
+ [Updating domain configurations](#iot-custom-endpoints-managing-update)
+ [Deleting domain configurations](#iot-custom-endpoints-managing-delete)
+ [Rotating certificates in custom domains](#iot-custom-endpoints-managing-certificates)

## Viewing domain configurations
<a name="iot-custom-endpoints-managing-view"></a>

To return a paginated list of all domain configurations in your AWS account, use the [ListDomainConfigurations](https://docs.aws.amazon.com/iot/latest/apireference/API_ListDomainConfigurations.html) API. You can see the details of a particular domain configuration using the [DescribeDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_DescribeDomainConfiguration.html) API. This API takes a single `domainConfigurationName` parameter and returns the details of the specified configuration.

**Example**

## Updating domain configurations
<a name="iot-custom-endpoints-managing-update"></a>

To update the status or the custom authorizer of your domain configuration, use the [UpdateDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_UpdateDomainConfiguration.html) API. You can set the status to `ENABLED` or `DISABLED`. If you disable the domain configuration, devices connected to that domain receive an authentication error. Currently you can't update the server certificate in your domain configuration. To change the certificate of a domain configuration, you must delete and recreate it.

**Example**

## Deleting domain configurations
<a name="iot-custom-endpoints-managing-delete"></a>

Before you delete a domain configuration, use the [UpdateDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_UpdateDomainConfiguration.html) API to set the status to `DISABLED`. This helps you avoid accidentally deleting the endpoint. After you disable the domain configuration, delete it by using the [DeleteDomainConfiguration](https://docs.aws.amazon.com/iot/latest/apireference/API_DeleteDomainConfiguration.html) API. You must place AWS-managed domains in `DISABLED` status for 7 days before you can delete them. You can place custom domains in `DISABLED` status and then delete them at once.

**Example**

After you delete a domain configuration, AWS IoT Core no longer serves the server certificate associated with that custom domain.

## Rotating certificates in custom domains
<a name="iot-custom-endpoints-managing-certificates"></a>

You may need to periodically replace your server certificate with an updated certificate. The rate at which you do this depends on the validity period of your certificate. If you generated your server certificate by using AWS Certificate Manager (ACM), you can set the certificate to renew automatically. When ACM renews your certificate, AWS IoT Core automatically picks up the new certificate. You don't have to perform any additional action. If you imported your server certificate from a different source, you can rotate it by reimporting it to ACM. For information about reimporting certificates, see [Reimport a certificate](https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html).

**Note**  
AWS IoT Core only picks up certificate updates under the following conditions.  
+ The new certificate has the same ARN as the old one.
+ The new certificate has the same signing algorithm, common name, or subject alternative name as the old one.

# Configuring TLS settings in domain configurations
<a name="iot-endpoints-tls-config"></a>

AWS IoT Core provides [predefined security policies](transport-security.md#tls-policy-table) for you to customize your Transport Layer Security (TLS) settings for [TLS 1.2](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.2) and [TLS 1.3](https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.3) in domain configurations. A security policy is a combination of TLS protocols and their ciphers that determines the protocols and ciphers supported during TLS negotiation between a client and a server. With the supported security policies, you can manage your devices' TLS settings with more flexibility, apply the most up-to-date security measures when connecting new devices, and maintain consistent TLS configurations for existing devices.

The following table describes the security policies, their TLS versions, and supported regions:


| Security policy name | Supported AWS Regions | 
| --- | --- | 
| IoTSecurityPolicy_TLS13_1_3_2022_10 | All AWS Regions | 
| IoTSecurityPolicy_TLS13_1_2_2022_10 | All AWS Regions | 
| IoTSecurityPolicy_TLS12_1_2_2022_10 | All AWS Regions | 
| IoTSecurityPolicy_TLS12_1_0_2016_01 | ap-east-1, ap-northeast-2, ap-south-1, ap-southeast-2, ca-central-1, cn-north-1, cn-northwest-1, eu-north-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2, us-west-1 | 
| IoTSecurityPolicy_TLS12_1_0_2015_01 | ap-northeast-1, ap-southeast-1, eu-central-1, eu-west-1, us-east-1, us-west-2 | 

The names of the security policies in AWS IoT Core include version information based on the year and month that they were released. If you create a new domain configuration, the security policy will default to `IoTSecurityPolicy_TLS13_1_2_2022_10`. For a complete table of security policies with details of protocols, TCP ports, and ciphers, see [Security policies](transport-security.md#tls-policy-table). AWS IoT Core doesn't support custom security policies. For more information, see [Transport security in AWS IoT Core](transport-security.md).

To configure TLS settings in domain configurations, you can use the AWS IoT console or the AWS CLI. 

**Topics**
+ [Configure TLS settings in domain configurations (console)](#custom-tls-console)
+ [Configure TLS settings in domain configurations (CLI)](#custom-tls-cli)

## Configure TLS settings in domain configurations (console)
<a name="custom-tls-console"></a>

**To configure TLS settings using the AWS IoT console**

1. Sign in to the AWS Management Console and open the [AWS IoT console](https://console.aws.amazon.com/iot/home).

1. To configure TLS settings when you create a new domain configuration, follow these steps.

   1. In the left navigation pane, choose **Domain configurations**, and then choose **Create domain configuration**.

   1. In the **Create domain configuration** page, in the **Custom domain settings - *optional*** section, choose a security policy from **Select security policy**.

   1. Follow the widget and complete the rest of the steps. Choose **Create domain configuration**.

1. To update TLS settings in an existing domain configuration, follow these steps.

   1. In the left navigation pane, choose **Domain configurations**, and then choose a domain configuration.

   1. In the **Domain configuration details** page, choose **Edit**. Then, in the **Custom domain settings - *optional*** section, under **Select security policy**, choose a security policy.

   1. Choose **Update domain configuration**.

For more information, see [Create a domain configuration](https://docs.aws.amazon.com//iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html#iot-custom-endpoints-configurable-custom-domain-config) and [Manage domain configurations](iot-custom-endpoints-managing.md).

## Configure TLS settings in domain configurations (CLI)
<a name="custom-tls-cli"></a>

You can use the [create-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/create-domain-configuration.html) and [update-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/update-domain-configuration.html) CLI commands to configure your TLS settings in domain configurations.

1. To specify TLS settings using the [create-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/create-domain-configuration.html) CLI command:

   ```
   aws iot create-domain-configuration \
       --domain-configuration-name domainConfigurationName \
       --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10
   ```

   The output of this command can look like the following: 

   ```
   {
       "domainConfigurationName": "test",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
   }
   ```

   If you create a new domain configuration without specifying the security policy, the value will default to: `IoTSecurityPolicy_TLS13_1_2_2022_10`.

1. To describe TLS settings using the [describe-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/describe-domain-configuration.html) CLI command:

   ```
   aws iot describe-domain-configuration \
       --domain-configuration-name domainConfigurationName
   ```

   This command can return the domain configuration details that include the TLS settings like the following:

   ```
   {
       "tlsConfig": {
           "securityPolicy": "IoTSecurityPolicy_TLS13_1_2_2022_10"
       },
       "domainConfigurationStatus": "ENABLED",
       "serviceType": "DATA",
       "domainType": "AWS_MANAGED",
       "domainName": "d1234567890abcdefghij-ats.iot.us-west-2.amazonaws.com",
       "serverCertificates": [],
       "lastStatusChangeDate": 1678750928.997,
       "domainConfigurationName": "test",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
   }
   ```

1. To update TLS settings using the [update-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/update-domain-configuration.html) CLI command:

   ```
   aws iot update-domain-configuration \
       --domain-configuration-name domainConfigurationName \
       --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10
   ```

   The output of this command can look like the following:

   ```
   {
       "domainConfigurationName": "test",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
   }
   ```

1. To update the TLS settings for your ATS endpoint, run the [update-domain-configuration](https://docs.aws.amazon.com//cli/latest/reference/iot/update-domain-configuration.html) CLI command. The domain configuration name for your ATS endpoint is `iot:Data-ATS`.

   ```
   aws iot update-domain-configuration \
       --domain-configuration-name "iot:Data-ATS" \
       --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10
   ```

   The output of the command can look like the following:

   ```
   {
       "domainConfigurationName": "iot:Data-ATS",
       "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/iot:Data-ATS"
   }
   ```

For more information, see [CreateDomainConfiguration](https://docs.aws.amazon.com//iot/latest/apireference/API_CreateDomainConfiguration.html) and [UpdateDomainConfiguration](https://docs.aws.amazon.com//iot/latest/apireference/API_UpdateDomainConfiguration.html) in the *AWS API Reference*.
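The block below is an added example (not AWS code) that turns the describe/update commands above into an audit: it reads the protocol range encoded in each policy name from the table in this section, flags every domain configuration (including the default `iot:Data-ATS` endpoint) whose policy still negotiates below TLS 1.2, and produces the `tlsConfig` update that moves it to the page's default policy. The assumption that the `TLS13_1_2` segment of a name means "highest 1.3, lowest 1.2" is the author's reading of the naming scheme; the sample describe results are constructed, and the boto3 calls in `audit_account` (`list_domain_configurations`, `describe_domain_configuration`, `update_domain_configuration`) are only reached when you run it against a real account.

```python
from __future__ import annotations

import re

DEFAULT_POLICY = "IoTSecurityPolicy_TLS13_1_2_2022_10"   # default for new configurations (this page)

# IoTSecurityPolicy_TLS<highest>_<lowest major>_<lowest minor>_<year>_<month>; assumption, see lead-in.
POLICY_RE = re.compile(r"^IoTSecurityPolicy_TLS(\d)(\d)_(\d)_(\d)_(\d{4})_(\d{2})$")


def parse_policy(policy: str) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((highest TLS version), (lowest TLS version)) encoded in a policy name."""
    m = POLICY_RE.match(policy)
    if not m:
        raise ValueError(f"unrecognised security policy name: {policy}")
    hi_major, hi_minor, lo_major, lo_minor = (int(g) for g in m.groups()[:4])
    return (hi_major, hi_minor), (lo_major, lo_minor)


def audit(configs: list[dict], min_required: tuple[int, int] = (1, 2)) -> list[tuple[str, str | None, str]]:
    """Flag DescribeDomainConfiguration results whose policy still negotiates below min_required."""
    findings = []
    for cfg in configs:
        name = cfg["domainConfigurationName"]
        policy = cfg.get("tlsConfig", {}).get("securityPolicy")
        if policy is None:
            findings.append((name, None, "no tlsConfig in the response; review manually"))
            continue
        _, lowest = parse_policy(policy)
        if lowest < min_required:
            findings.append((name, policy, f"still negotiates TLS {lowest[0]}.{lowest[1]}"))
    return findings


def update_params(name: str, policy: str = DEFAULT_POLICY) -> dict:
    """Keyword arguments for iot.update_domain_configuration (same fields as the CLI --tls-config)."""
    return {"domainConfigurationName": name, "tlsConfig": {"securityPolicy": policy}}


def audit_account(region: str, apply: bool = False) -> list[tuple[str, str | None, str]]:
    """Live audit via boto3 (assumption: boto3 installed and credentials configured)."""
    import boto3
    iot = boto3.client("iot", region_name=region)
    configs, marker = [], None
    while True:
        page = iot.list_domain_configurations(**({"marker": marker} if marker else {}))
        for item in page.get("domainConfigurations", []):
            configs.append(iot.describe_domain_configuration(
                domainConfigurationName=item["domainConfigurationName"]))
        marker = page.get("nextMarker")
        if not marker:
            break
    findings = audit(configs)
    if apply:
        for name, policy, _ in findings:
            if policy is not None:          # leave the "review manually" cases alone
                iot.update_domain_configuration(**update_params(name))
    return findings


# Constructed DescribeDomainConfiguration results; the names and policies are illustrative.
SAMPLE_CONFIGS = [
    {"domainConfigurationName": "iot:Data-ATS",
     "tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS12_1_0_2015_01"}},
    {"domainConfigurationName": "fleet-v2", "domainType": "CUSTOMER_MANAGED",
     "tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS13_1_2_2022_10"}},
    {"domainConfigurationName": "legacy-managed", "domainType": "AWS_MANAGED"},
]

if __name__ == "__main__":
    for name, policy, reason in audit(SAMPLE_CONFIGS):
        print(f"{name}: {policy} ({reason}) -> {update_params(name)}")
```

Raising the minimum version is a fleet-wide change: a device that can only speak TLS 1.0 or 1.1 will fail its handshake once the policy is updated, so confirm the oldest firmware in the fleet negotiates TLS 1.2 before running `audit_account(region, apply=True)`.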

# Server certificate configuration for OCSP stapling
<a name="iot-custom-endpoints-cert-config"></a>

AWS IoT Core supports [Online Certificate Status Protocol (OCSP)](https://www.rfc-editor.org/rfc/rfc6960.html) stapling for server certificates, also known as server certificate OCSP stapling or simply OCSP stapling. It is a security mechanism that checks the revocation status of the server certificate during a Transport Layer Security (TLS) handshake. OCSP stapling in AWS IoT Core lets you add a further layer of verification of your custom domain's server certificate validity.

You can enable server certificate OCSP stapling in AWS IoT Core to check the validity of the certificate by querying the OCSP responder periodically. The OCSP stapling setting is part of the process to create or update a domain configuration with a custom domain. OCSP stapling checks for revocation status on the server certificate continuously. This helps verify that any certificates that have been revoked by the CA are no longer trusted by the clients connecting to your custom domains. For more information, see [Enabling server certificate OCSP in AWS IoT Core](#iot-custom-endpoints-cert-config-ocsp-manage).

Server certificate OCSP stapling provides real-time revocation status check, reduces the latency associated with checking the revocation status, and improves privacy and reliability of secure connections. For more information about the benefits of using OCSP stapling, see [Benefits of using OCSP stapling compared to client-side OCSP checks](#iot-custom-endpoints-ocsp-stapling-benefits).

**Note**  
This feature is not available in AWS GovCloud (US) Regions.

**Topics**
+ [

## What is OCSP?
](#iot-custom-endpoints-cert-config-ocsp-what-is)
+ [

## How OCSP stapling works
](#iot-custom-endpoints-cert-config-ocsp-stapling-what-is)
+ [

## Enabling server certificate OCSP in AWS IoT Core
](#iot-custom-endpoints-cert-config-ocsp-manage)
+ [

## Configuring server certificate OCSP for private endpoints in AWS IoT Core
](#iot-custom-endpoints-cert-config-ocsp-private-endpoint)
+ [

## Important notes for using server certificate OCSP stapling in AWS IoT Core
](#iot-custom-endpoints-cert-config-ocsp-notes)
+ [

## Troubleshooting server certificate OCSP stapling in AWS IoT Core
](#iot-custom-endpoints-cert-config-ocsp-troubleshooting)

## What is OCSP?
<a name="iot-custom-endpoints-cert-config-ocsp-what-is"></a>

The Online Certificate Status Protocol (OCSP) aids in providing a server certificate's revocation status for a Transport Layer Security (TLS) handshake.

### Key concepts
<a name="iot-custom-endpoints-cert-config-ocsp-concepts"></a>

The following key concepts provide details about the Online Certificate Status Protocol (OCSP).

**OCSP**

[OCSP](https://www.rfc-editor.org/rfc/rfc6960.html) is used to check the certificate revocation status during the Transport Layer Security (TLS) handshake. OCSP allows for real-time validation of certificates. This confirms that the certificate hasn't been revoked or expired since it was issued. OCSP is also more scalable compared with traditional Certificate Revocation Lists (CRLs). OCSP responses are smaller and can be efficiently generated, making them more suitable for large-scale Public Key Infrastructures (PKIs).

**OCSP responder**

An OCSP responder (also known as OCSP server) receives and responds to OCSP requests from clients that seek to verify the revocation status of certificates.

**Client-side OCSP**

In client-side OCSP, the client uses OCSP to contact an OCSP responder to check the certificate's revocation status during the TLS handshake.

**Server-side OCSP**

In server-side OCSP (also known as OCSP stapling), the server (rather than the client) makes the request to the OCSP responder. The server staples the OCSP response to the certificate and returns it to the client during the TLS handshake.

### OCSP diagrams
<a name="iot-custom-endpoints-cert-config-ocsp-diagram"></a>

The following diagram illustrates how client-side OCSP and server-side OCSP work.

![Client-side OCSP and server-side OCSP diagrams](http://docs.aws.amazon.com/iot/latest/developerguide/images/custom-domain-ocsp-uml.png)

**Client-side OCSP**

1. The client sends a `ClientHello` message to initiate the TLS handshake with the server.

1. The server receives the message and responds with a `ServerHello` message. The server also sends the server certificate to the client.

1. The client validates the server certificate and extracts an OCSP URI from it.

1. The client sends a certificate revocation check request to the OCSP responder.

1. The OCSP responder sends an OCSP response.

1. The client validates the certificate status from the OCSP response.

1. The TLS handshake is completed.

**Server-side OCSP**

1. The client sends a `ClientHello` message to initiate the TLS handshake with the server.

1. The server receives the message and gets the latest cached OCSP response. If the cached response is missing or expired, the server will call the OCSP responder for certificate status.

1. The OCSP responder sends an OCSP response to the server.

1. The server sends a `ServerHello` message. The server also sends the server certificate and the certificate status to the client.

1. The client validates the OCSP certificate status.

1. The TLS handshake is completed.

## How OCSP stapling works
<a name="iot-custom-endpoints-cert-config-ocsp-stapling-what-is"></a>

OCSP stapling is used during the TLS handshake between the client and the server to check the server certificate revocation status. The server makes the OCSP request to the OCSP responder and staples the OCSP responses to the certificates returned to the client. By having the server make the request to the OCSP responder, the responses can be cached and then used multiple times for many clients.

### How OCSP stapling works in AWS IoT Core
<a name="iot-custom-endpoints-ocsp-stapling-iot-core"></a>

The following diagram shows how server-side OCSP stapling works in AWS IoT Core.

![This diagram shows how server-side OCSP stapling works in AWS IoT Core.](http://docs.aws.amazon.com/iot/latest/developerguide/images/custom-domain-ocsp-core-uml.png)

1. The device needs to be registered with custom domains with OCSP stapling enabled.

1. AWS IoT Core calls the OCSP responder every hour to get the certificate status.

1. The OCSP responder receives the request and sends the latest OCSP response, which is stored in the server cache.

1. The device sends a `ClientHello` message to initiate the TLS handshake with AWS IoT Core.

1. AWS IoT Core retrieves the latest OCSP response for the server certificate from the server cache.

1. The server sends a `ServerHello` message to the device. The server also sends the server certificate and the certificate status to the client.

1. The device validates the OCSP certificate status.

1. The TLS handshake is completed.

### Benefits of using OCSP stapling compared to client-side OCSP checks
<a name="iot-custom-endpoints-ocsp-stapling-benefits"></a>

A few advantages of using server certificate OCSP stapling include the following:

**Improved privacy**

Without OCSP stapling, the client's device can expose information to third-party OCSP responders, potentially compromising user privacy. OCSP stapling mitigates this issue by having the server obtain the OCSP response and deliver it directly to the client.

**Improved reliability**

OCSP stapling can improve the reliability of secure connections because it reduces the risk posed by OCSP server outages. When OCSP responses are stapled, the server includes the most recent response with the certificate, so clients have access to the revocation status even if the OCSP responder is temporarily unavailable. Because the server fetches OCSP responses periodically and includes the cached responses in the TLS handshake, reliance on the real-time availability of OCSP responders is reduced.

**Reduced server load**

OCSP stapling offloads the burden of responding to OCSP requests from OCSP responders to the server. This can help distribute the load more evenly, making the certificate validation process more efficient and scalable.

**Reduced latency**

OCSP stapling reduces the latency associated with checking the revocation status of a certificate during the TLS handshake. Instead of the client having to query an OCSP server separately, the server sends the request and attaches the OCSP response with the server certificate during the handshake.

## Enabling server certificate OCSP in AWS IoT Core
<a name="iot-custom-endpoints-cert-config-ocsp-manage"></a>

To enable server certificate OCSP stapling in AWS IoT Core, create a domain configuration for a custom domain or update an existing custom domain configuration. For general information about creating a domain configuration with a custom domain, see [Creating and configuring customer managed domains](iot-custom-endpoints-configurable-custom.md).

Use the following instructions to enable OCSP server stapling using the AWS Management Console or the AWS CLI.

### Console
<a name="iot-custom-endpoints-cert-config-ocsp-manage-console"></a>

**To enable server certificate OCSP stapling using the AWS IoT console:**

1. In the navigation menu, choose **Settings**, and then choose **Create domain configuration**, or choose an existing domain configuration for a custom domain.

1. If you choose to create a new domain configuration in the previous step, you will see the **Create domain configuration** page. In the **Domain configuration properties** section, choose **Custom domain**. Enter the information to create a domain configuration.

   If you choose to update an existing domain configuration for a custom domain, you will see the **Domain configuration details** page. Choose **Edit**.

1. To enable OCSP server stapling, choose **Enable server certificate OCSP stapling** in the **Server certificate configurations** subsection.

1. Choose **Create domain configuration** or **Update domain configuration**.

### AWS CLI
<a name="iot-custom-endpoints-cert-config-ocsp-manage-cli"></a>

**To enable server certificate OCSP stapling using AWS CLI:**

1. If you create a new domain configuration for a custom domain, the command to enable the OCSP server stapling can look like the following:

   ```
   aws iot create-domain-configuration --domain-configuration-name "myDomainConfigurationName" \
           --server-certificate-arns arn:aws:iot:us-east-1:123456789012:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3 \
           --server-certificate-config "enableOCSPCheck=true|false"
   ```

1. If you update an existing domain configuration for a custom domain, the command to enable the OCSP server stapling can look like the following:

   ```
   aws iot update-domain-configuration --domain-configuration-name "myDomainConfigurationName" \
           --server-certificate-arns arn:aws:iot:us-east-1:123456789012:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3 \
           --server-certificate-config "enableOCSPCheck=true|false"
   ```

For more information, see [CreateDomainConfiguration](https://docs.aws.amazon.com//iot/latest/apireference/API_CreateDomainConfiguration.html) and [UpdateDomainConfiguration](https://docs.aws.amazon.com//iot/latest/apireference/API_UpdateDomainConfiguration.html) from the AWS IoT API Reference.

## Configuring server certificate OCSP for private endpoints in AWS IoT Core
<a name="iot-custom-endpoints-cert-config-ocsp-private-endpoint"></a>

OCSP for private endpoints lets you use your private OCSP resources within your Amazon Virtual Private Cloud (Amazon VPC) for AWS IoT Core operations. The process involves setting up a Lambda function that acts as an OCSP responder. The Lambda function might use your private OCSP resources to craft OCSP responses that AWS IoT Core will use.

### Lambda function
<a name="iot-custom-endpoints-cert-config-ocsp-private-endpoint-lambda"></a>

Before you configure server OCSP for a private endpoint, create a Lambda function that acts as a Request for Comments (RFC) 6960-compliant Online Certificate Status Protocol (OCSP) responder, supporting basic OCSP responses. The Lambda function accepts a base64-encoding of the OCSP request in the Distinguished Encoding Rules (DER) format. The Lambda function's response is also a base64-encoded OCSP response in the DER format. The response size must not exceed 4 kilobytes (KiB). The Lambda function must be in the same AWS account and AWS Region as the domain configuration. The following are example Lambda functions.

#### Example Lambda functions
<a name="ocsp-lambda-example"></a>

------
#### [ JavaScript ]

```
import * as pkijs from 'pkijs';
console.log('Loading function');

// AWS IoT Core invokes the function with the base64-encoded DER OCSP request as the
// event and expects a base64-encoded DER OCSP response (at most 4 KiB) in return.
export const handler = async (event, context) => {
    const requestBytes = decodeBase64(event);
    const ocspRequest = pkijs.OCSPRequest.fromBER(requestBytes);

    console.log("Here is a better look at the OCSP request");
    console.log(ocspRequest.toJSON());

    const ocspResponse = getOcspResponse();

    console.log("Here is a better look at the OCSP response");
    console.log(ocspResponse.toJSON());

    const responseBytes = ocspResponse.toSchema().toBER();
    return encodeBase64(responseBytes);
};

// Returns a canned response. Replace the placeholder string with logic that
// consults your private OCSP resources and builds a response for the requested certificate.
function getOcspResponse() {
    const responseString = "<base64-encoded DER OCSP response>";
    const responseBytes = decodeBase64(responseString);
    return pkijs.OCSPResponse.fromBER(responseBytes);
}

// base64 string -> ArrayBuffer
function decodeBase64(input) {
    const binaryString = atob(input);

    const byteArray = new Uint8Array(binaryString.length);
    for (let i = 0; i < binaryString.length; i++) {
        byteArray[i] = binaryString.charCodeAt(i);
    }

    return byteArray.buffer;
}

// ArrayBuffer -> base64 string
function encodeBase64(buffer) {
    let binary = '';
    const bytes = new Uint8Array(buffer);
    const len = bytes.byteLength;

    for (let i = 0; i < len; i++) {
        binary += String.fromCharCode(bytes[i]);
    }

    return btoa(binary);
}
```

------
#### [ Java ]

```
package com.example.ocsp.responder;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.LambdaLogger;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import org.bouncycastle.cert.ocsp.OCSPReq;
import org.bouncycastle.cert.ocsp.OCSPResp;
import java.io.IOException;
import java.util.Base64;

// AWS IoT Core invokes the handler with the base64-encoded DER OCSP request as the
// input string and expects a base64-encoded DER OCSP response (at most 4 KiB) back.
public class LambdaResponderApplication implements RequestHandler<String, String> {
    @Override
    public String handleRequest(final String input, final Context context) {
        LambdaLogger logger = context.getLogger();

        byte[] decodedInput = Base64.getDecoder().decode(input);

        OCSPReq req;
        try {
            req = new OCSPReq(decodedInput);
        } catch (IOException e) {
            logger.log("Got an IOException creating the OCSP request: " + e.getMessage());
            throw new RuntimeException(e);
        }

        try {
            // businessLogic stands for your own component that consults your private
            // OCSP resources and builds an OCSPResp for the parsed request.
            OCSPResp response = businessLogic.getMyResponse();
            String toReturn = Base64.getEncoder().encodeToString(response.getEncoded());
            return toReturn;
        } catch (Exception e) {
            logger.log("Got an exception creating the response: " + e.getMessage());
            return "";
        }
    }
}
```

------
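A Python version of the same responder contract, added here as an example that is not AWS's or the page's code: it parses the DER request with the `cryptography` package, answers from a constructed in-memory revocation table, signs with a constructed demo CA standing in for your private PKI, enforces the 4 KiB limit, and mirrors the signature check AWS IoT Core performs against the issuing certificate. The demo CA, the `iot.example.com` certificate and the `PrivateOcspResponder` class are assumptions.

```python
import base64
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
MAX_RESPONSE_BYTES = 4096  # the 4 KiB ceiling AWS IoT Core places on a stapled response

def utcnow():  # naive UTC, accepted by the cryptography certificate and OCSP builders
    return dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)

def build_demo_pki():
    """Constructed demo issuer CA and server certificate, standing in for your private PKI."""
    now = utcnow()
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo Private CA")])
    ca_cert = (x509.CertificateBuilder().subject_name(ca_name).issuer_name(ca_name)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf_cert = (x509.CertificateBuilder()
                 .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "iot.example.com")]))
                 .issuer_name(ca_name).public_key(leaf_key.public_key())
                 .serial_number(x509.random_serial_number())
                 .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=90))
                 .sign(ca_key, hashes.SHA256()))
    return ca_cert, ca_key, leaf_cert

class PrivateOcspResponder:
    """RFC 6960 basic responder backed by an in-memory table: serial -> revocation time."""
    def __init__(self, issuer_cert, issuer_key, issued_certs):
        self.issuer_cert, self.issuer_key = issuer_cert, issuer_key
        self.certs = {c.serial_number: c for c in issued_certs}
        self.revoked = {}  # constructed revocation table; None/absent means "good"

    def respond(self, request_der):
        req = ocsp.load_der_ocsp_request(request_der)
        # Answer only for certificates this issuer knows: CertID issuer-name hash and serial must match.
        digest = hashes.Hash(req.hash_algorithm)
        digest.update(self.issuer_cert.subject.public_bytes())
        if digest.finalize() != req.issuer_name_hash or req.serial_number not in self.certs:
            return ocsp.OCSPResponseBuilder.build_unsuccessful(
                ocsp.OCSPResponseStatus.UNAUTHORIZED).public_bytes(DER)
        now, revoked_at = utcnow(), self.revoked.get(req.serial_number)
        status = ocsp.OCSPCertStatus.REVOKED if revoked_at else ocsp.OCSPCertStatus.GOOD
        # nextUpdate (24 h here) is the nextUpdateTime AWS IoT Core uses to expire its cache entry.
        builder = (ocsp.OCSPResponseBuilder()
                   .add_response(self.certs[req.serial_number], self.issuer_cert, req.hash_algorithm,
                                 status, now, now + dt.timedelta(hours=24), revoked_at, None)
                   .responder_id(ocsp.OCSPResponderEncoding.HASH, self.issuer_cert))
        # Signed by the issuing CA, which AWS IoT Core trusts when no ocspAuthorizedResponderArn is set.
        return builder.sign(self.issuer_key, hashes.SHA256()).public_bytes(DER)

CA_CERT, CA_KEY, SERVER_CERT = build_demo_pki()
RESPONDER = PrivateOcspResponder(CA_CERT, CA_KEY, [SERVER_CERT])

def lambda_handler(event, context):
    """Event is the base64 DER OCSP request; the return value is the base64 DER response."""
    response_der = RESPONDER.respond(base64.b64decode(event))
    if len(response_der) > MAX_RESPONSE_BYTES:
        raise ValueError(f"OCSP response is {len(response_der)} bytes; the limit is 4 KiB")
    return base64.b64encode(response_der).decode("ascii")

def demo_request_b64(cert=None):
    """Constructed requester side: a base64 DER OCSP request for a demo-CA certificate."""
    req = ocsp.OCSPRequestBuilder().add_certificate(cert or SERVER_CERT, CA_CERT, hashes.SHA256()).build()
    return base64.b64encode(req.public_bytes(DER)).decode("ascii")

def verify_and_classify(response_b64, trusted_cert=None):
    """Mirror AWS IoT Core's check: verify the signature, then return (response status, cert status)."""
    resp = ocsp.load_der_ocsp_response(base64.b64decode(response_b64))
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name, None
    (trusted_cert or CA_CERT).public_key().verify(
        resp.signature, resp.tbs_response_bytes, ec.ECDSA(resp.signature_hash_algorithm))
    return resp.response_status.name, resp.certificate_status.name
```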

#### Authorizing AWS IoT to invoke your Lambda function
<a name="grant-permission-ocsp-lambda"></a>

In the process of creating the domain configuration with a Lambda OCSP responder, you must grant AWS IoT permission to invoke the Lambda function after the function is created. To grant the permission, you can use the [add-permission](https://docs.aws.amazon.com//cli/latest/reference/lambda/add-permission.html) CLI command.

**Grant permission to your Lambda function using the AWS CLI**

1. After inserting your values, enter the following command. Note that the `statement-id` value must be unique. Replace `Id-1234` with the exact value you have, otherwise, you might get a `ResourceConflictException` error.

   ```
   aws lambda add-permission  \
   --function-name "ocsp-function" \
   --principal "iot.amazonaws.com" \
   --action "lambda:InvokeFunction" \
   --statement-id "Id-1234" \
   --source-arn arn:aws:iot:us-east-1:123456789012:domainconfiguration/<domain-config-name>/*
   --source-account 123456789012
   ```

   IoT domain configuration ARNs follow the pattern below. The service-generated suffix is not known before the domain configuration is created, so you must replace the suffix with a `*`. You can update the permission once the domain configuration has been created and the exact ARN is known.

   `arn:aws:iot:us-east-1:123456789012:domainconfiguration/domain-config-name/service-generated-suffix`

1. If the command succeeds, it returns a permission statement, such as this example. You can continue to the next section to configure OCSP stapling for private endpoints.

   ```
   {
       "Statement": "{\"Sid\":\"Id-1234\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"iot.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:us-east-1:123456789012:function:ocsp-function\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:iot:us-east-1:123456789012:domainconfiguration/domain-config-name/*\"}}}"
   }
   ```

   If the command doesn't succeed, it returns an error, such as this example. You'll need to review and correct the error before you continue.

   ```
   An error occurred (AccessDeniedException) when calling the AddPermission operation: User: arn:aws:iam::57EXAMPLE833:user/EXAMPLE-1 is not authorized to perform: lambda:AddPermission on resource: arn:aws:lambda:us-east-1:123456789012:function:ocsp-function
   ```

### Configuring server OCSP stapling for private endpoints
<a name="iot-custom-endpoints-cert-config-ocsp-private-endpoints"></a>

#### Console
<a name="iot-custom-endpoints-cert-config-ocsp-private-endpoint-console"></a>

**To configure server certificate OCSP stapling using the AWS IoT console:**

1. From the navigation menu, choose **Settings**, and then choose **Create domain configuration**, or choose an existing domain configuration for a custom domain.

1. If you choose to create a new domain configuration in the previous step, you will see the **Create domain configuration** page. In the **Domain configuration properties** section, choose **Custom domain**. Enter the information to create a domain configuration.

   If you choose to update an existing domain configuration for a custom domain, you will see the **Domain configuration details** page. Choose **Edit**.

1. To enable OCSP server stapling, choose **Enable server certificate OCSP stapling** in the **Server certificate configurations** subsection.

1. Choose **Create domain configuration** or **Update domain configuration**.

#### AWS CLI
<a name="iot-custom-endpoints-cert-config-ocsp-private-endpoint-cli"></a>

**To configure server certificate OCSP stapling using AWS CLI:**

1. If you create a new domain configuration for a custom domain, the command to configure server certificate OCSP for private endpoints can look like the following:

   ```
   aws iot create-domain-configuration --domain-configuration-name "myDomainConfigurationName" \
           --server-certificate-arns arn:aws:iot:us-east-1:123456789012:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3 \
           --server-certificate-config "enableOCSPCheck=true, ocspAuthorizedResponderArn=arn:aws:acm:us-east-1:123456789012:certificate/certificate_ID, ocspLambdaArn=arn:aws:lambda:us-east-1:123456789012:function:my-function"
   ```

1. If you update an existing domain configuration for a custom domain, the command to configure server certificate OCSP for private endpoints can look like the following:

   ```
   aws iot update-domain-configuration --domain-configuration-name "myDomainConfigurationName" \
           --server-certificate-arns arn:aws:iot:us-east-1:123456789012:cert/f8c1e5480266caef0fdb1bf97dc1c82d7ba2d3e2642c5f25f5ba364fc6b79ba3 \
           --server-certificate-config "enableOCSPCheck=true, ocspAuthorizedResponderArn=arn:aws:acm:us-east-1:123456789012:certificate/certificate_ID, ocspLambdaArn=arn:aws:lambda:us-east-1:123456789012:function:my-function"
   ```

**enableOCSPCheck**  
This is a Boolean value that indicates whether the server certificate OCSP stapling check is enabled. To enable server certificate OCSP stapling, this value must be `true`.

**ocspAuthorizedResponderArn**  
This is a string value of the Amazon Resource Name (ARN) for an X.509 certificate stored in AWS Certificate Manager (ACM). If provided, AWS IoT Core will use this certificate to validate the signature of the received OCSP response. If not provided, AWS IoT Core will use the issuing certificate to validate the responses. The certificate must be in the same AWS account and AWS Region as the domain configuration. For more information about how to register your authorized responder certificate, see [Import certificates into AWS Certificate Manager](https://docs.aws.amazon.com//acm/latest/userguide/import-certificate.html).

**ocspLambdaArn**  
This is a string value of the Amazon Resource Name (ARN) for a Lambda function that acts as a Request for Comments (RFC) 6960-compliant OCSP responder, supporting basic OCSP responses. The Lambda function accepts a base64-encoding of the OCSP request, which is encoded using the DER format. The Lambda function's response is also a base64-encoded OCSP response in the DER format. The response size must not exceed 4 kilobytes (KiB). The Lambda function must be in the same AWS account and AWS Region as the domain configuration.

For more information, see [CreateDomainConfiguration](https://docs.aws.amazon.com//iot/latest/apireference/API_CreateDomainConfiguration.html) and [UpdateDomainConfiguration](https://docs.aws.amazon.com//iot/latest/apireference/API_UpdateDomainConfiguration.html) from the AWS IoT API Reference.

## Important notes for using server certificate OCSP stapling in AWS IoT Core
<a name="iot-custom-endpoints-cert-config-ocsp-notes"></a>

When you use server certificate OCSP in AWS IoT Core, keep the following in mind:

1. AWS IoT Core supports only those OCSP responders that are reachable over public IPv4 addresses.

1. The OCSP stapling feature in AWS IoT Core doesn't support authorized responder. All OCSP responses must be signed by the CA that signed the certificate, and the CA must be part of the certificate chain of the custom domain.

1. The OCSP stapling feature in AWS IoT Core doesn't support custom domains that are created using self-signed certificates.

1. AWS IoT Core calls an OCSP responder every hour and caches the response. If the call to the responder fails, AWS IoT Core will staple the most recent valid response.

1. If `nextUpdateTime` is no longer valid, AWS IoT Core will remove the response from the cache, and the TLS handshake will not include the OCSP response data until the next successful call to the OCSP responder. This can happen when the cached response has expired before the server gets a valid response from the OCSP responder. The value of `nextUpdateTime` indicates that the OCSP response is valid until this time. For more information about `nextUpdateTime`, see [Server certificate OCSP log entries](cwl-format.md#server-ocsp-logs).

1. Sometimes, AWS IoT Core fails to receive the OCSP response or removes the existing OCSP response because it's expired. If situations like these happen, AWS IoT Core will continue to use the server certificate provided by the custom domain without the OCSP response.

1. The size of the OCSP response cannot exceed 4 KiB.

## Troubleshooting server certificate OCSP stapling in AWS IoT Core
<a name="iot-custom-endpoints-cert-config-ocsp-troubleshooting"></a>

AWS IoT Core emits the `RetrieveOCSPStapleData.Success` metric and the `RetrieveOCSPStapleData` log entries to CloudWatch. The metric and the log entries can help detect issues related to retrieving OCSP responses. For more information, see [Server certificate OCSP stapling metrics](metrics_dimensions.md#server-ocsp-metrics) and [Server certificate OCSP log entries](cwl-format.md#server-ocsp-logs).