IoT / Client / create_keys_and_certificate



Creates a 2048-bit RSA key pair and issues an X.509 certificate using the issued public key. You can also call CreateKeysAndCertificate over MQTT from a device. For more information, see Provisioning MQTT API.

Note: This is the only time IoT issues the private key for this certificate, so it is important to keep it in a secure location.

Requires permission to access the CreateKeysAndCertificate action.

See also: AWS API Documentation

Request Syntax

response = client.create_keys_and_certificate(
    setAsActive=True|False
)

Parameters:

setAsActive (boolean) – Specifies whether the certificate is active.

Return type: dict



Response Syntax

{
    'certificateArn': 'string',
    'certificateId': 'string',
    'certificatePem': 'string',
    'keyPair': {
        'PublicKey': 'string',
        'PrivateKey': 'string'
    }
}

Response Structure

  • (dict) –

    The output of the CreateKeysAndCertificate operation.

    • certificateArn (string) –

      The ARN of the certificate.

    • certificateId (string) –

      The ID of the certificate. IoT issues a default subject name for the certificate (for example, IoT Certificate).

    • certificatePem (string) –

      The certificate data, in PEM format.

    • keyPair (dict) –

      The generated key pair.

      • PublicKey (string) –

        The public key.

      • PrivateKey (string) –

        The private key.


Exceptions

  • IoT.Client.exceptions.InvalidRequestException

  • IoT.Client.exceptions.ThrottlingException

  • IoT.Client.exceptions.UnauthorizedException

  • IoT.Client.exceptions.ServiceUnavailableException

  • IoT.Client.exceptions.InternalFailureException
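
Because the private key is returned only by this call, the response should be persisted immediately and kept out of logs. The following is an added example, not part of the boto3 documentation: it writes the key once to an owner-only file and returns only non-secret metadata. The names provision_device, write_new and StubIoTClient, the file naming scheme and all placeholder values are assumptions; in real use, pass boto3.client("iot") instead of the stub.

```python
import os

def write_new(path, text, mode):
    """Create `path` with exactly `mode`; refuse to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, mode)  # exact mode even under an unusual umask
        fh.write(text)

def provision_device(client, out_dir, set_as_active=True):
    """Call CreateKeysAndCertificate and persist the one-time private key.

    Returns non-secret metadata only, so the result is safe to log.
    """
    resp = client.create_keys_and_certificate(setAsActive=set_as_active)
    cert_id = resp["certificateId"]
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    key_path = os.path.join(out_dir, cert_id + ".private.key")
    cert_path = os.path.join(out_dir, cert_id + ".cert.pem")
    # Write the key first: the service will not return it again.
    write_new(key_path, resp["keyPair"]["PrivateKey"], 0o600)
    write_new(cert_path, resp["certificatePem"], 0o644)
    return {
        "certificateArn": resp["certificateArn"],
        "certificateId": cert_id,
        "keyPath": key_path,
        "certPath": cert_path,
    }

class StubIoTClient:
    """Constructed stand-in for boto3.client("iot"); all values are placeholders."""
    RESPONSE = {
        "certificateArn": "arn:aws:iot:REGION:ACCOUNT:cert/EXAMPLE-CERT-ID",
        "certificateId": "EXAMPLE-CERT-ID",
        "certificatePem": "-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
        "keyPair": {"PublicKey": "(placeholder public key)",
                    "PrivateKey": "(placeholder private key)"},
    }

    def create_keys_and_certificate(self, setAsActive=False):
        return self.RESPONSE

if __name__ == "__main__":
    import tempfile
    # Real use: provision_device(boto3.client("iot"), "/path/to/keystore")
    print(provision_device(StubIoTClient(), tempfile.mkdtemp()))
```

A second run against the same certificate ID raises FileExistsError instead of overwriting the stored key.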