Custom IoT Endpoint

When using the Android SDK to establish IoT connections, the CreateKeysAndCertificateRequest API is available through the AWSIotClient class. If you use AWSIotClient to create new certs/keys, the SDK sends this request to the generic iot.<region>.amazonaws.com endpoint; the setEndpoint method only lets you change the region. This is because the request goes to the Control plane, whereas the endpoint you have created will most likely be on the Data plane. There is no way to create new certs/keys with AWSIotClient on the custom endpoint.

There is an alternative you can make use of. Almost all "requests" you place on the IoT endpoint are messages published to "reserved topics". If you open the Java SDK's PublishCreateKeysAndCertificate API, you will see that it ultimately publishes a message on a reserved topic. You can do the same on Android with the Android SDK.

First, you have to establish an authenticated connection. CognitoCredentialsProvider cannot be used here, because its auth request also goes to the Control plane. Instead, you can use provisioning certificates for first-time authentication: these are the claim certificates generated for a Provisioning Fleet. Create a Provisioning Fleet and place those certificates in your device's Keystore (or a PKCS12 cert file). With that connection, create a new AWSIotMqttManager object and publish a message on the reserved topic meant for creating new certs/keys. You can also subscribe to the reserved topics that carry the "accepted"/"rejected" responses for this request.

TL;DR

  • Create an AWSIotMqttManager using the provisioning certs
  • Subscribe to the topics that carry the accepted/rejected responses to the CreateKeysAndCertificate request
  • Publish a message on the reserved topic meant for CreateKeysAndCertificate
  • Register the thing using the ownershipToken received in the response
  • Store the new certs and use them for all future connections (make sure the policy attached to the certs has the necessary permissions)
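The flow in the TL;DR above as an added Java example for the Android SDK (not code from the original post). The endpoint, template name, keystore parameters and the SerialNumber template parameter are placeholders; the `$aws/...` topic names and response fields are the ones AWS IoT documents for fleet provisioning.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import org.json.JSONObject;
import com.amazonaws.mobileconnectors.iot.AWSIotKeystoreHelper;
import com.amazonaws.mobileconnectors.iot.AWSIotMqttClientStatusCallback.AWSIotMqttClientStatus;
import com.amazonaws.mobileconnectors.iot.AWSIotMqttManager;
import com.amazonaws.mobileconnectors.iot.AWSIotMqttQos;

public class FleetProvisioner {
    // Placeholders: your Data-plane endpoint and the provisioning template name.
    static final String DATA_ENDPOINT = "xxxxxxxxxxxxxx-ats.iot.us-east-1.amazonaws.com";
    static final String TEMPLATE = "MyProvisioningTemplate";
    // Reserved fleet-provisioning topics documented by AWS IoT.
    static final String CREATE = "$aws/certificates/create/json";
    static final String REGISTER = "$aws/provisioning-templates/" + TEMPLATE + "/provision/json";

    public static void provision(String ksPath, String ksName, String ksPassword, String claimCertId) {
        // Claim (provisioning) certificate already imported into the app keystore.
        KeyStore claim = AWSIotKeystoreHelper.getIotKeystore(claimCertId, ksPath, ksName, ksPassword);
        AWSIotMqttManager mqtt = new AWSIotMqttManager("prov-" + System.currentTimeMillis(), DATA_ENDPOINT);
        mqtt.connect(claim, (status, err) -> {
            if (status != AWSIotMqttClientStatus.Connected) return;
            // Subscribe to both outcomes before publishing so no response is missed.
            mqtt.subscribeToTopic(CREATE + "/accepted", AWSIotMqttQos.QOS1,
                (topic, data) -> onCertCreated(mqtt, data, ksPath, ksName, ksPassword));
            mqtt.subscribeToTopic(CREATE + "/rejected", AWSIotMqttQos.QOS1, (topic, data) -> logError(data));
            mqtt.subscribeToTopic(REGISTER + "/accepted", AWSIotMqttQos.QOS1, (topic, data) -> logInfo(data));
            mqtt.subscribeToTopic(REGISTER + "/rejected", AWSIotMqttQos.QOS1, (topic, data) -> logError(data));
            mqtt.publishString("{}", CREATE, AWSIotMqttQos.QOS1); // CreateKeysAndCertificate has no body
        });
    }

    static void onCertCreated(AWSIotMqttManager mqtt, byte[] data, String ksPath, String ksName, String ksPassword) {
        try {
            JSONObject resp = new JSONObject(new String(data, StandardCharsets.UTF_8));
            // Persist the new identity now; the ownership token is single-use and short-lived.
            AWSIotKeystoreHelper.saveCertificateAndPrivateKey(resp.getString("certificateId"),
                resp.getString("certificatePem"), resp.getString("privateKey"), ksPath, ksName, ksPassword);
            JSONObject req = new JSONObject()
                .put("certificateOwnershipToken", resp.getString("certificateOwnershipToken"))
                .put("parameters", new JSONObject().put("SerialNumber", "DEVICE-SERIAL-PLACEHOLDER"));
            mqtt.publishString(req.toString(), REGISTER, AWSIotMqttQos.QOS1); // RegisterThing
        } catch (org.json.JSONException e) {
            android.util.Log.e("prov", "malformed CreateKeysAndCertificate response", e);
        }
    }

    static void logInfo(byte[] d) { android.util.Log.i("prov", new String(d, StandardCharsets.UTF_8)); }
    static void logError(byte[] d) { android.util.Log.e("prov", new String(d, StandardCharsets.UTF_8)); }
}
```

After the RegisterThing response is accepted, disconnect and reconnect with the newly saved certificate; the claim certificate's policy should allow only these reserved topics, and the new certificate's policy must cover the device's real topics.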