AWS IoT Device SDK C: Fleet Provisioning
AWS IoT Fleet Provisioning
AwsIotProvisioning_CreateCertificateFromCsr

Requests the AWS IoT Core service for a certificate by sending a Certificate-Signing Request, and invokes the provided user-defined response handler with the response it receives from the server.

AwsIotProvisioningError_t AwsIotProvisioning_CreateCertificateFromCsr(
    IotMqttConnection_t connection,
    IotMqttQos_t operationQos,
    const char * pCertificateSigningRequest,
    size_t csrLength,
    uint32_t timeoutMs,
    const AwsIotProvisioningCreateCertFromCsrCallbackInfo_t * pResponseCallback );
Note
It is advised to use a shared MQTT connection to AWS IoT Core across all API functions.
Warning
This function is NOT thread-safe. Concurrent calls to the library API functions can result in undefined behavior. Device provisioning with this library REQUIRES calling the API functions of this library sequentially.
Note
Depending on the threat model of your IoT device, there are considerations for protecting its identity. One threat is theft of the private key that the application uses to sign the pCertificateSigningRequest input to this function. An effective way to mitigate that threat is to store all device private keys in a secure element. Another threat is the unauthorized reuse of the device private key, and/or of the contents of pCertificateSigningRequest, in order to clone the device. An effective way to mitigate that threat is to audit, in the cloud, the use of each device private key. For example, if a device private key is reused, your cloud app (through Fleet Provisioning Hooks) could log an audit event for operator follow-up, and/or initiate a workflow for revoking the previous certificate(s) issued to that key.
Warning
Do not overwrite the existing Provisioning claim credentials with the new credentials provided by the server, at least until the device has been provisioned with a new certificate using the AwsIotProvisioning_RegisterThing function. It is also recommended to always retain the Provisioning claim credentials, if your product use-case supports re-provisioning of the device.
Parameters
[in] connection: The MQTT connection handle that will be used to communicate with AWS IoT Core for the Certificate-Signing Request.
[in] operationQos: The Quality of Service (QoS) level for the MQTT publish/subscribe communication with the server.
[in] pCertificateSigningRequest: The PEM encoded string for the Certificate-Signing Request.
[in] csrLength: The length of the Certificate-Signing Request string.
[in] timeoutMs: The timeout (in milliseconds) for a response from the server. If there is a timeout, this function returns AWS_IOT_PROVISIONING_TIMEOUT.
[in] pResponseCallback: The user-defined callback that will be invoked with the server's response to the CSR request. The server can respond either with the new certificate information (in case of request acceptance) OR with an error (in case of request rejection).
Note
The callback is expected to store/retain the new certificate information from the server response, which will be required for registering the device with AwsIotProvisioning_RegisterThing function.
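The following is an added example of such a response handler; it is not code from the SDK. Because the response buffers handed to the callback are only valid while the callback runs, the handler copies the certificate PEM, certificate ID and ownership token into caller-owned storage that is kept separate from the Provisioning claim credentials, refuses (rather than truncates) any field that does not fit, and records a rejection's error code without producing credentials. The CsrResponseStandIn_t struct and the CSR_RESPONSE_ACCEPTED constant are stand-ins for the SDK's response type and status code (an assumption made so the file compiles without the SDK headers; the real type groups the accepted and rejected fields differently), and the buffer sizes are assumptions.

```c
/* Added example (not from the SDK): a response handler for
 * AwsIotProvisioning_CreateCertificateFromCsr that retains the server's
 * certificate data, as the callback contract requires.
 * CsrResponseStandIn_t is a reduced stand-in for the SDK's response type
 * (assumption: only the fields used here, laid out flat so this file
 * compiles without the SDK headers). */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define CSR_RESPONSE_ACCEPTED 202   /* stand-in for the library's "accepted" status */

typedef struct CsrResponseStandIn
{
    int statusCode;                          /* accepted or rejected */
    const char * pCertificatePem;            /* valid only during the callback */
    size_t certificatePemLength;
    const char * pCertificateId;
    size_t certificateIdLength;
    const char * pCertificateOwnershipToken;
    size_t ownershipTokenLength;
    const char * pErrorCode;                 /* set on rejection */
    size_t errorCodeLength;
} CsrResponseStandIn_t;

/* Caller-owned storage for the new credentials. Deliberately separate from
 * the Provisioning claim credentials, which must not be overwritten until
 * AwsIotProvisioning_RegisterThing has succeeded. Sizes are assumptions. */
#define NEW_CERT_PEM_MAX   2048
#define NEW_CERT_ID_MAX    65    /* AWS IoT certificate IDs are 64 hex characters */
#define NEW_TOKEN_MAX      1024
#define ERROR_CODE_MAX     64

typedef struct NewCertificate
{
    bool accepted;   /* server accepted the CSR */
    bool complete;   /* every field fit its buffer; false means do NOT register */
    char certificatePem[ NEW_CERT_PEM_MAX ];
    char certificateId[ NEW_CERT_ID_MAX ];
    char ownershipToken[ NEW_TOKEN_MAX ];
    char errorCode[ ERROR_CODE_MAX ];
} NewCertificate_t;

/* Bounded copy that fails (leaving an empty string) instead of truncating:
 * a truncated PEM or ownership token would be silently unusable. */
static bool copyBounded( char * dst, size_t dstSize, const char * src, size_t srcLen )
{
    if( ( src == NULL ) || ( srcLen >= dstSize ) )
    {
        dst[ 0 ] = '\0';
        return false;
    }

    memcpy( dst, src, srcLen );
    dst[ srcLen ] = '\0';
    return true;
}

/* The user-defined callback. In real use, userParam is the pointer placed in
 * the callback-info struct passed as pResponseCallback. */
void csrResponseCallback( void * userParam, const CsrResponseStandIn_t * pResponse )
{
    NewCertificate_t * out = ( NewCertificate_t * ) userParam;
    memset( out, 0, sizeof( *out ) );

    if( pResponse->statusCode != CSR_RESPONSE_ACCEPTED )
    {
        /* Rejection: keep the error code for logging; no credentials are produced. */
        copyBounded( out->errorCode, sizeof( out->errorCode ),
                     pResponse->pErrorCode, pResponse->errorCodeLength );
        return;
    }

    out->accepted = true;
    out->complete = copyBounded( out->certificatePem, sizeof( out->certificatePem ),
                                 pResponse->pCertificatePem, pResponse->certificatePemLength );
    out->complete = copyBounded( out->certificateId, sizeof( out->certificateId ),
                                 pResponse->pCertificateId, pResponse->certificateIdLength ) && out->complete;
    out->complete = copyBounded( out->ownershipToken, sizeof( out->ownershipToken ),
                                 pResponse->pCertificateOwnershipToken, pResponse->ownershipTokenLength ) && out->complete;
}

/* Gate for the next step: only a fully retained, accepted response may be
 * passed on to AwsIotProvisioning_RegisterThing. */
bool readyForRegisterThing( const NewCertificate_t * cert )
{
    return cert->accepted && cert->complete;
}
```

After AwsIotProvisioning_CreateCertificateFromCsr returns AWS_IOT_PROVISIONING_SUCCESS, the caller checks readyForRegisterThing before moving on; a response that was accepted but did not fit is treated like a failure, and the claim credentials remain untouched in either case.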
Returns
This function returns AWS_IOT_PROVISIONING_SUCCESS upon success; otherwise one of the following:
AWS_IOT_PROVISIONING_NOT_INITIALIZED, if the API is called without initializing the Provisioning library (i.e. without a prior call to the AwsIotProvisioning_Init function).
AWS_IOT_PROVISIONING_BAD_PARAMETER, if one or more input parameters are invalid.
AWS_IOT_PROVISIONING_NO_MEMORY, if there is insufficient memory for allocation in internal operations.
AWS_IOT_PROVISIONING_MQTT_ERROR, for errors from the MQTT stack.
AWS_IOT_PROVISIONING_TIMEOUT, if there is a timeout while waiting for the server's response to the request to generate new credentials for the device.
AWS_IOT_PROVISIONING_SERVER_REFUSED, if the server rejects the request for generating device credentials.
AWS_IOT_PROVISIONING_BAD_RESPONSE, if the response from the server cannot be successfully parsed or comprehended.
AWS_IOT_PROVISIONING_INTERNAL_FAILURE, if there are operation failures internal to the library.