Secure IoT: Device Authentication with X.509 Certificates
Security is not optional in IoT. A single compromised device can expose your entire fleet. This guide covers implementing mutual TLS (mTLS) authentication — the gold standard for IoT device identity.
The Threat Landscape
Common IoT attack vectors:
- Spoofing — Fake devices injecting malicious data
- Eavesdropping — Intercepting unencrypted sensor data
- Man-in-the-Middle — Altering data in transit
- Replay attacks — Resending captured valid messages
mTLS addresses all four: client and server each prove their identity with a certificate and the matching private key, the channel is encrypted, and TLS record sequencing rejects replayed records within a session. Replaying a whole message across sessions is an application-layer concern, so include a timestamp or nonce in the payload as well.
Certificate Hierarchy
[Root CA Certificate]
└── [Intermediate CA Certificate]
    └── [Device Certificate]
        └── [Private Key (Never Leaves Device)]
Generating Certificates
Create a Root CA
# Root key: keep it offline; it signs every certificate below it
openssl genrsa -out rootCA.key 2048
# Self-signed root certificate, valid for 10 years
openssl req -x509 -new -nodes -key rootCA.key \
    -sha256 -days 3650 -out rootCA.pem \
    -subj "/CN=IoT Root CA/O=Its Your Turn"
Create a Device Certificate
# Generate device key (ideally on the device itself, so it never leaves it)
openssl genrsa -out device.key 2048
# Create CSR carrying the device identity
openssl req -new -key device.key -out device.csr \
    -subj "/CN=sensor-001/O=Its Your Turn"
# Sign with Root CA (with an intermediate CA, sign with its key instead)
openssl x509 -req -in device.csr -CA rootCA.pem \
    -CAkey rootCA.key -CAcreateserial \
    -out device.pem -days 365 -sha256
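The commands above sign the device certificate directly with the root, while the hierarchy shown earlier has an intermediate CA in between. The following script is an added example, not code from the original guide: it builds the full root -> intermediate -> device chain with the constraints each tier needs, then verifies a device certificate the way an mTLS broker does. It needs the openssl CLI; "Its Your Turn" and sensor-001 are the guide's names, everything else (directory layout, "IoT Issuing CA", the function names) is constructed here, and ECDSA P-256 keys stand in for RSA-2048.

```shell
# Added example, not code from the original guide: builds the three-tier chain
# shown under "Certificate Hierarchy" (root -> intermediate -> device) and
# verifies a device certificate the way an mTLS broker does. Needs the openssl
# CLI. "Its Your Turn" and sensor-001 are the guide's names; everything else is
# constructed. ECDSA P-256 keys stand in for RSA-2048 (smaller, faster on MCUs).
set -e

# issue_cert DIR NAME SUBJECT KIND ISSUER -- KIND picks the X.509 extensions;
# ISSUER is empty for the self-signed root, else the issuer's basename.
issue_cert() (
  cd "$1"; name="$2"; subj="$3"; issuer="$5"
  case "$4" in
    root)   ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign' ;;
    ca)     ext='basicConstraints=critical,CA:TRUE,pathlen:0'
            ext="$ext"'\nkeyUsage=critical,keyCertSign,cRLSign' ;;
    device) ext='basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature'
            ext="$ext"'\nextendedKeyUsage=clientAuth' ;;
  esac
  printf "$ext\n" > "$name.ext"
  openssl ecparam -genkey -name prime256v1 -noout -out "$name.key"
  openssl req -new -key "$name.key" -out "$name.csr" -subj "$subj"
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 3650 -sha256 \
      -extfile "$name.ext" -out "$name.pem"
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -sha256 -extfile "$name.ext" -out "$name.pem"
  fi
)

# Build root -> intermediate -> device in DIR. pathlen:0 lets the intermediate
# sign devices but not further CAs; the device cert is explicitly CA:FALSE and
# limited to TLS client authentication, so a compromised device cannot issue
# certificates for other devices.
build_chain() {
  mkdir -p "$1"
  issue_cert "$1" rootCA "/CN=IoT Root CA/O=Its Your Turn" root ""
  issue_cert "$1" intermediate "/CN=IoT Issuing CA/O=Its Your Turn" ca rootCA
  issue_cert "$1" device "/CN=sensor-001/O=Its Your Turn" device intermediate
}

# verify_device DIR CERT [EXTRA_UNTRUSTED...]: what the broker does on connect.
# Only the root is trusted; the intermediate and any extra files are chain
# candidates that must validate themselves; the leaf must be a TLS client.
verify_device() {
  dir="$1"; cert="$2"; shift 2; extra=""
  for f in "$@"; do extra="$extra -untrusted $f"; done
  openssl verify -CAfile "$dir/rootCA.pem" -untrusted "$dir/intermediate.pem" \
    $extra -purpose sslclient "$cert" >/dev/null 2>&1
}
```

Calling build_chain with a directory and then verify_device on the resulting device.pem succeeds, while pointing verify_device at a certificate from a different root, or at one issued by a device certificate, fails because the chain cannot be built to the trusted root through valid CA certificates.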
Embedding in Firmware
#include <WiFiClientSecure.h>

// CA that issued the broker's server certificate; for AWS IoT Core this is an
// Amazon root CA, not the fleet's own root CA (PEM bodies truncated here)
const char* root_ca =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDQTCCAimgAwIBAgITBm...\n"
    "-----END CERTIFICATE-----\n";

// This device's certificate, presented to the broker during the TLS handshake
const char* device_cert =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDWjCCAkKgAwIBAgIVAM...\n"
    "-----END CERTIFICATE-----\n";

// Device private key. As a flash constant it is only as protected as the
// flash: enable flash encryption / readout protection, or hold the key in a
// secure element so it truly never leaves the device.
const char* device_key =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEA2a7Xz...\n"
    "-----END RSA PRIVATE KEY-----\n";

WiFiClientSecure wifiClient;

void setup() {
    wifiClient.setCACert(root_ca);            // verify the server's chain
    wifiClient.setCertificate(device_cert);   // present the device cert
    wifiClient.setPrivateKey(device_key);     // prove possession of the key
}
AWS IoT Core Setup
- Register your Root CA with AWS IoT
- Enable Just-In-Time Registration (JITR)
- Create an IoT Policy with least-privilege permissions
- Attach the policy to certificates, not things
Minimal IoT Policy
The ${iot:Connection.Thing.ThingName} variable is only substituted when the connecting certificate is attached to a Thing, and the Connect statement requires the device to use its Thing name as the MQTT client ID; otherwise the resource ARN does not match and the connection is refused.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["iot:Connect"],
    "Resource": "arn:aws:iot:*:*:client/${iot:Connection.Thing.ThingName}"
  }, {
    "Effect": "Allow",
    "Action": ["iot:Publish"],
    "Resource": "arn:aws:iot:*:*:topic/sensors/${iot:Connection.Thing.ThingName}/*"
  }]
}
Certificate Rotation
Certificates expire. Plan for rotation:
- Short-lived certificates — 90-365 days
- OTA provisioning — Push new certificates via secure channel
- Fleet provisioning — Use AWS IoT Fleet Provisioning for factory setup
Learn IoT security in depth in our Industrial IoT Architecture track.