Inventory certificate expiry dates by querying your PKI or cloud IoT registry; for AWS IoT, enable AWS IoT Device Defender's DEVICE_CERTIFICATE_EXPIRING_CHECK audit, which flags device certificates registered with AWS IoT that have already expired or expire within 30 days, and use its findings (or a scheduled ListCertificates/DescribeCertificate sweep over each certificate's notAfter date) to drive the renewal queue
Issue new certificates from the same CA hierarchy before the old ones expire; for AWS IoT, have the device generate a fresh key pair locally and submit only a CSR, registered with CreateCertificateFromCsr, so the private key never leaves the device; then attach the device's IoT policy and Thing to the new certificate (AttachPolicy, AttachThingPrincipal), because a certificate with no policy authenticates but is authorized to do nothing
Deliver the new certificate to the device over an authenticated channel: publish it to an MQTT topic the device's policy restricts to that device, set it as a desired property in the device's shadow or twin (Device Shadow on AWS, device twin on Azure IoT Hub), or include it in a signed OTA bundle. The certificate itself is public, so the channel matters for integrity rather than secrecy; the device should check that the certificate's public key matches the key it generated before writing it to persistent storage, and should acknowledge the write (reply topic or reported property) before you proceed
Have the device connect once using the new certificate while the old certificate is still active, and exercise a real publish or subscribe under the attached policy rather than only completing the TLS handshake; deactivate the old certificate only after that test connection succeeds
Automate the deactivation and deletion of expired or rotated certificates with Device Defender mitigation actions (the UPDATE_DEVICE_CERTIFICATE action sets a flagged certificate to INACTIVE) or a scheduled Lambda or Azure Function that calls the cloud API; keep an audit log of every certificate lifecycle event (on AWS, CloudTrail records UpdateCertificate, DeleteCertificate and the attach/detach calls)
For fleet-scale rotation, stagger renewals across device cohorts to avoid a thundering-herd reconnect storm; group devices (thing groups or thing attributes on AWS, device twin tags on Azure) and schedule rotation waves over days or weeks, sized so that a failed wave can be rolled back before the next one starts
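The cloud-side half of the procedure above, as an added example that is not code from the page or from AWS: it encodes the ordering the steps require (bind the new certificate before the device tries it; deactivate, detach and only then delete the old one) and keeps the old certificate ACTIVE when the trial connection fails. `client` needs only the boto3 `iot` method names used here, so `boto3.client("iot")` can be passed in production; `FakeIot` is a constructed in-memory stand-in that mirrors AWS's DeleteCertificate refusals so the code runs offline, `test_connect` is a hypothetical hook standing in for the device's trial connection, and the ARN, thing and policy names are made up.

```python
"""AWS IoT certificate rotation, cloud side, with the runbook's ordering enforced.
Added example, not code from the page. `client` needs only the boto3 `iot` method
names used below; FakeIot is a constructed offline stand-in that mirrors AWS's
DeleteCertificate refusals, and `test_connect` is a hypothetical hook standing
in for the device's trial connection on the new certificate."""
from dataclasses import dataclass, field


class CertificateStateException(Exception):
    """AWS refuses DeleteCertificate while the certificate is ACTIVE."""


class DeleteConflictException(Exception):
    """AWS refuses DeleteCertificate while things or policies are still attached."""


@dataclass
class _Cert:
    arn: str
    status: str
    things: set = field(default_factory=set)
    policies: set = field(default_factory=set)


class FakeIot:
    """Constructed stand-in for the subset of the AWS IoT control plane used here."""
    def __init__(self):
        self.certs, self._seq = {}, 0

    def _by_arn(self, arn):
        return next(c for c in self.certs.values() if c.arn == arn)

    def create_certificate_from_csr(self, certificateSigningRequest, setAsActive):
        self._seq += 1
        cid = f"cert{self._seq:04d}"
        arn = f"arn:aws:iot:eu-west-1:123456789012:cert/{cid}"  # fake ARN
        self.certs[cid] = _Cert(arn, "ACTIVE" if setAsActive else "INACTIVE")
        return {"certificateId": cid, "certificateArn": arn}

    def describe_certificate(self, certificateId):
        c = self.certs[certificateId]
        return {"certificateDescription": {"certificateArn": c.arn, "status": c.status}}

    def attach_policy(self, policyName, target):
        self._by_arn(target).policies.add(policyName)

    def detach_policy(self, policyName, target):
        self._by_arn(target).policies.discard(policyName)

    def attach_thing_principal(self, thingName, principal):
        self._by_arn(principal).things.add(thingName)

    def detach_thing_principal(self, thingName, principal):
        self._by_arn(principal).things.discard(thingName)

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId].status = newStatus

    def delete_certificate(self, certificateId, forceDelete=False):
        c = self.certs[certificateId]
        if c.status == "ACTIVE":
            raise CertificateStateException(certificateId)
        if c.things or (c.policies and not forceDelete):  # forceDelete waives policies only
            raise DeleteConflictException(certificateId)
        del self.certs[certificateId]


def retire(client, thing, policy, cert_id, audit, event="retired"):
    """Deactivate, detach, then delete: AWS refuses to delete an ACTIVE or still-attached
    certificate, and deactivating is what makes it drop sessions on the cert (within minutes)."""
    arn = client.describe_certificate(certificateId=cert_id)["certificateDescription"]["certificateArn"]
    client.update_certificate(certificateId=cert_id, newStatus="INACTIVE")
    client.detach_thing_principal(thingName=thing, principal=arn)
    client.detach_policy(policyName=policy, target=arn)
    client.delete_certificate(certificateId=cert_id)
    audit.append((event, thing, cert_id))


def rotate(client, thing, policy, old_cert_id, csr_pem, test_connect, audit):
    """Issue from the device's CSR, bind, let the device try it, then retire the old cert.
    Returns the new certificateId, or None (old cert left ACTIVE) when the trial failed."""
    new = client.create_certificate_from_csr(certificateSigningRequest=csr_pem, setAsActive=True)
    new_id, new_arn = new["certificateId"], new["certificateArn"]
    # An unbound certificate authenticates but is authorized for nothing: bind before the trial.
    client.attach_policy(policyName=policy, target=new_arn)
    client.attach_thing_principal(thingName=thing, principal=new_arn)
    audit.append(("issued", thing, new_id))
    if not test_connect(new_arn):
        retire(client, thing, policy, new_id, audit, event="rollback")
        return None
    retire(client, thing, policy, old_cert_id, audit)
    return new_id


def rotation_waves(things, wave_size, start, spacing):
    """Step 6: split the fleet into cohorts, each wave starting `spacing` after the last."""
    return [(start + (i // wave_size) * spacing, things[i:i + wave_size])
            for i in range(0, len(things), wave_size)]
```

In production `test_connect` would block on the device's acknowledgement (a message on a reply topic or a reported shadow property) with a timeout, and `rotate` would run once per device inside each wave from `rotation_waves`; the `audit` list stands in for whatever durable log you keep alongside CloudTrail.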
Known gotchas
Revoking a certificate does not necessarily end the sessions already established with it. Adding it to a CRL on a self-hosted broker affects new TLS handshakes only; an established session is never re-checked against the CRL and stays up until the client disconnects or the keepalive times out. AWS IoT does disconnect devices whose certificate is no longer ACTIVE, but within a few minutes of the UpdateCertificate call, not instantly. If revocation must take effect immediately, force the disconnect as well (on a self-hosted broker, by kicking the client session or restarting the listener) and confirm from connection logs that the old identity is gone
Private keys generated on the device must live in hardware-backed secure storage (TPM, Secure Element, or the MCU's key-storage peripheral) where it exists, with the CSR signed inside that hardware. If the key sits in ordinary flash, anyone who can read the flash holds a valid device identity until that certificate is revoked, and renewing into the same extractable storage does not close the hole: the next key can be read out the same way
In AWS IoT, DeleteCertificate refuses a certificate that is still ACTIVE (CertificateStateException) or still attached to a Thing or a policy (DeleteConflictException); scripts must first call UpdateCertificate to set it INACTIVE, then DetachThingPrincipal and DetachPolicy, and only then delete. The forceDelete flag waives the attached-policy check only; a certificate still attached to a Thing cannot be deleted