Duncan Jones

Reputation: 69339

How to update a thing certificate in AWS IoT?

How do I update the certificate of an existing Thing in AWS IoT, assuming I know the thing name and an attribute with the same value? I.e. the thing has name "foo" and attribute "id=foo".

From the limited documentation, I'm assuming I do something like:

Can anyone confirm the correct, most succinct way to do this?

Upvotes: 2

Views: 906

Answers (1)

Duncan Jones

Reputation: 69339

I welcome better solutions, but this worked for me:

  1. Call RegisterThing again (same ThingName, same policy, different cert). This seems to attach a new certificate to my thing.
  2. Call ListThingPrincipals, filtering on ThingName. The result will be a list of ARNs representing the certificates associated with the thing, of the form arn:aws:iot:<region>:<account id>:cert/<cert id>.
  3. Iterate through the list, strip out the certificate id and call DescribeCertificate, with the certificate id as parameter.
  4. Compare the result (which includes the PEM form of the certificate) with the new certificate. If it's not a match, this is one of the previous certificates. Consequently, call UpdateCertificate and mark that certificate as INACTIVE.

Upvotes: 3
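Steps 2 to 4 of the answer above, sketched with boto3 as an added example (not code from the answer). It assumes the new certificate is already attached as in step 1; the function names, the thing name `foo` and the file `new-cert.pem` are placeholders. It compares decoded DER bytes rather than PEM text and refuses to deactivate anything if the new certificate is not found on the thing.

```python
import ssl

def pem_to_der(pem):
    """Decode PEM to DER so whitespace and line-ending differences do not matter."""
    return ssl.PEM_cert_to_DER_cert(pem.strip())

def attached_cert_ids(iot, thing_name):
    """Step 2: yield the certificate ids attached to the thing, following pagination."""
    kwargs = {"thingName": thing_name}
    while True:
        page = iot.list_thing_principals(**kwargs)
        for arn in page.get("principals", []):
            # Principals can also be non-certificate identities; skip those.
            if ":cert/" in arn:
                yield arn.split(":cert/", 1)[1]
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]

def retire_old_certificates(iot, thing_name, new_cert_pem):
    """Steps 3-4: mark every ACTIVE certificate except the new one INACTIVE.

    `iot` is a boto3 IoT client (or any object with the same three methods).
    Returns the list of certificate ids that were deactivated.
    """
    new_der = pem_to_der(new_cert_pem)
    old_active, new_seen = [], False
    for cert_id in attached_cert_ids(iot, thing_name):
        desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
        if pem_to_der(desc["certificatePem"]) == new_der:
            new_seen = True
        elif desc["status"] == "ACTIVE":
            old_active.append(cert_id)
    # Guard: deactivate nothing unless the replacement is attached and found,
    # otherwise the device would be left without a usable certificate.
    if not new_seen:
        raise RuntimeError("new certificate is not attached to " + thing_name)
    for cert_id in old_active:
        iot.update_certificate(certificateId=cert_id, newStatus="INACTIVE")
    return old_active

if __name__ == "__main__":
    import boto3  # needs AWS credentials; "foo" and new-cert.pem are placeholders
    with open("new-cert.pem") as f:
        print(retire_old_certificates(boto3.client("iot"), "foo", f.read()))
```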
