Posted On: Mar 4, 2024

Amazon IoT Core, a managed cloud service that lets customers securely connect Internet of Things (IoT) devices to the cloud and manage them at scale, announces support for Online Certificate Status Protocol (OCSP) Stapling for TLS X.509 Server Certificates using Custom Domains and Configurable Endpoints. The new feature lets customers add a layer of verification to their custom domain's server certificate validity, for example to respond to server certificate revocations more quickly. Because the server includes the OCSP response alongside the certificate during the TLS handshake, the client no longer needs a separate request to an OCSP responder, which results in faster connection establishment.

OCSP is an industry standard protocol that provides timely updates on the status of certificates. Upon request, it returns the certificate's status (i.e. valid, revoked, or unknown). If the OCSP response a client receives for a certificate is revoked or unknown, the client can terminate the connection to ensure security. To enable OCSP Stapling, customers can navigate to the "Settings" section within the Amazon IoT Console and select "Enable server certificate OCSP stapling". Customers can also use the Domain Configuration APIs to opt into the new feature.
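A stapled OCSP response only protects a connection if the client asks for it (the TLS `status_request` extension) and acts on the result, so a defender who enables the feature will want to confirm what an endpoint actually staples and what a client should do with it. The following script is an added example, not code from the announcement or from the Amazon IoT Core service: it classifies the `OCSP response:` section that `openssl s_client -status` prints into good, revoked, unknown, or none (no response stapled), and runs that classification offline against constructed sample transcripts. The `check_endpoint` function performs the same check against a live host (the hostname, port 8883 and the `LIVE_HOST` variable are assumptions for illustration), and `enable_ocsp_stapling` shows the CLI form of the opt-in; the `--server-certificate-config enableOCSPCheck=true` parameter is taken from the IoT Domain Configuration API as I know it, not from this page.

```shell
#!/bin/sh
# Added example: classify the stapled OCSP response reported by `openssl s_client -status`.
# Prints one of: good | revoked | unknown | none. Always returns 0; callers compare the word.
ocsp_staple_verdict() {
  out=$1
  # openssl prints this line when the server did not staple anything.
  if printf '%s\n' "$out" | grep -q 'OCSP response: no response sent'; then
    echo none
    return 0
  fi
  # First "Cert Status:" line of the decoded OCSP response (good / revoked / unknown).
  status=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cert Status:[[:space:]]*//p' | head -n 1)
  case "$status" in
    good)    echo good ;;
    revoked) echo revoked ;;
    *)       echo unknown ;;   # "unknown" from the responder, or no decodable response at all
  esac
  return 0
}

# Live check against a custom-domain endpoint (assumed host/port; needs network access).
# A client that enforces stapling would refuse the connection unless the verdict is "good".
check_endpoint() {
  host=$1
  port=${2:-8883}
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
  ocsp_staple_verdict "$out"
}

# Server-side opt-in via the Domain Configuration API (parameter name assumed, not from the page).
enable_ocsp_stapling() {
  aws iot update-domain-configuration \
    --domain-configuration-name "$1" \
    --server-certificate-config enableOCSPCheck=true
}

# Constructed sample transcripts in the shape openssl s_client -status produces.
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Mar  4 00:00:00 2024 GMT
    Next Update: Mar 11 00:00:00 2024 GMT
======================================'

SAMPLE_REVOKED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: revoked
    Revocation Time: Mar  3 12:00:00 2024 GMT
======================================'

SAMPLE_UNKNOWN='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: unknown
======================================'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain'

# Offline demonstration; set LIVE_HOST=<your custom domain> to probe a real endpoint.
for s in "$SAMPLE_GOOD" "$SAMPLE_REVOKED" "$SAMPLE_UNKNOWN" "$SAMPLE_NONE"; do
  echo "verdict: $(ocsp_staple_verdict "$s")"
done
if [ -n "${LIVE_HOST:-}" ]; then
  echo "live verdict for $LIVE_HOST: $(check_endpoint "$LIVE_HOST")"
fi
```

The "none" verdict is the one to watch after enabling the feature: it means the endpoint answered without a staple, so a client that does not fall back to its own OCSP query gets no revocation information at all.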

OCSP Stapling for TLS X.509 Server Certificates is available in all commercial Amazon Web Services regions where Amazon IoT Core is present, including the Amazon Web Services China (Beijing) region, operated by Sinnet, and the Amazon Web Services China (Ningxia) region, operated by NWCD. Visit the developer guide to learn more about this feature.