Key and certificate management

CSPs offer a wide range of options for provisioning and managing keys and certificates on your IoT devices. This process is typically completed during the onboarding period; however, management of cryptographic material is an ongoing activity that requires the ability to update these materials on a regular basis.

AWS IoT provides administrators with the option to generate their own public/private key pairs and an associated Certificate Signing Request (CSR), which is then uploaded to the AWS Public Key Infrastructure (PKI) for signing.

AWS IoT also allows administrators to simply use their own certificates, by first registering their CA certificate with the AWS IoT service. This is a good option if your organization has already invested in standing up a secure PKI system:

Creating a certificate
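The AWS IoT "bring your own key" flow described above, as an added example that is not from the book: the device generates its own P-256 key pair and a CSR, the CSR is checked before it leaves the device, and only the CSR is handed to the CSP for signing. It assumes `openssl` is installed; the thing name `sensor-0001` and the output directory are placeholders.

```shell
#!/bin/sh
# Added example (not the book's code): device-side key pair + CSR for AWS IoT.
# Assumes openssl is on PATH; thing name and directory below are placeholders.
set -eu

# Generate a P-256 private key and a CSR whose subject CN is the thing name.
# The private key stays on the device (ideally in an HSM/secure element);
# only the CSR is uploaded to the CSP's PKI for signing.
make_device_csr() {
  thing="$1"; dir="$2"
  mkdir -p "$dir"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$thing.key" 2>/dev/null
  chmod 600 "$dir/$thing.key"
  openssl req -new -key "$dir/$thing.key" -subj "/CN=$thing" \
    -out "$dir/$thing.csr" 2>/dev/null
}

# Sanity-check a CSR before upload: its self-signature must verify with the
# embedded public key, the CN must match the thing it will be attached to,
# and the key must be the expected P-256 curve (not a weak or unexpected type).
verify_csr() {
  thing="$1"; csr="$2"
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -subject | grep -q "CN *= *$thing\$" || return 1
  openssl req -in "$csr" -noout -pubkey | openssl pkey -pubin -noout -text 2>/dev/null \
    | grep -q 'prime256v1\|P-256' || return 1
}

# The upload step is printed, not executed, so the script runs offline.
# create-certificate-from-csr is the AWS CLI command for this flow.
show_upload_cmd() {
  echo "aws iot create-certificate-from-csr --set-as-active" \
       "--certificate-signing-request file://$1"
}

if [ "${1:-}" = "demo" ]; then
  make_device_csr sensor-0001 ./out
  verify_csr sensor-0001 ./out/sensor-0001.csr && echo "CSR ok"
  show_upload_cmd ./out/sensor-0001.csr
fi
```

Run with `sh script.sh demo`; the signed certificate returned by AWS IoT is then attached to the thing and an IoT policy, while the `.key` file never leaves the device.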

Either way, you'll also have to manage the trust anchors associated with your chosen PKI and any other PKIs you'd like to interoperate with. Make sure that you consider how these trust anchors will be updated in the event that one of the CAs within these PKIs is compromised. 

Google Cloud IoT Core has begun offering some useful life cycle key management features. For example, the service supports key rotation, allowing up to three keys to be active per device at any point in time. Each public key can have an expirationTime associated with it, after which the key pair will be ignored.
