AWS Cert Mgr - How to create client & device certificates?


Problem description



From an AWS tech talk, I have learnt that:

I am able to create a private server certificate using the option below:

-------------------

The server certificates serve the rationale of encrypting and decrypting the content.

Whereas

A client certificate, as the name implies, is clearly used to identify a client to a respective user.

A device certificate creates an identity for each "thing" in an IoT ecosystem, making sure each device authenticates as it connects, and protects communication between devices.


We have created a root CA and a subordinate CA using AWS Cert Mgr through the console.

How do I create device & client certificates (private) using the ACM GoLang SDK?

Solution

[UPDATE after question asked for ACM]

Use the aws acm-pca issue-certificate command to request a certificate:

CLIENT_ID="device-0001"
CLIENT_SERIAL=0001

# Create the CSR and Private Key (-days is ignored when generating a CSR; the certificate lifetime is set by --validity below)
openssl req -new -newkey rsa:2048 -days 365 -keyout ${CLIENT_ID}.key -out ${CLIENT_ID}.csr

# Replace --certificate-authority-arn with your ARN returned when you create the certificate authority.

aws acm-pca issue-certificate \
--csr file://${CLIENT_ID}.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=375,Type="DAYS" \
--idempotency-token 12983 \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012

This command outputs the ARN; save this value for the next command (MY_CERT_ARN; shell variable names cannot contain hyphens, so $MY-CERT-ARN would expand only $MY followed by the literal text -CERT-ARN).

# MY_CERT_ARN holds the CertificateArn returned by issue-certificate.
# Issuance is asynchronous: if get-certificate reports the certificate is not issued yet, retry
# (the CLI also offers "aws acm-pca wait certificate-issued" with the same two ARN options).
aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn "${MY_CERT_ARN}" \
--output text > ${CLIENT_ID}-cert.pem

[END UPDATE]

Example code to generate a client certificate. Change CLIENT_ID and CLIENT_SERIAL for each certificate that you generate. ca.pem and ca.key are your CA certificate and private key.

CLIENT_ID="device-0001"
CLIENT_SERIAL=0001

openssl genrsa -aes256 -passout pass:xxxx -out ${CLIENT_ID}.pass.key 4096
openssl rsa -passin pass:xxxx -in ${CLIENT_ID}.pass.key -out ${CLIENT_ID}.key
rm ${CLIENT_ID}.pass.key

# generate the CSR
openssl req -new -key ${CLIENT_ID}.key -out ${CLIENT_ID}.csr

# issue this certificate, signed by the CA (ca.pem ca.key)
openssl x509 -req -days 375 -in ${CLIENT_ID}.csr -CA ca.pem -CAkey ca.key -set_serial ${CLIENT_SERIAL} -out ${CLIENT_ID}.pem

# Give the client the file: ${CLIENT_ID}.full.pem
cat ${CLIENT_ID}.key ${CLIENT_ID}.pem ca.pem > ${CLIENT_ID}.full.pem
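The question asks for the same flow in Go. As an added example (not from the answer above, and not the AWS SDK), this is the two openssl steps of the answer in Go's standard library: the device generates a key and a CSR, and the CA side verifies the CSR's own signature before issuing a 375-day, client-auth-only certificate under CLIENT_SERIAL. It assumes you have already loaded ca.pem / ca.key into an *x509.Certificate and *rsa.PrivateKey; with ACM PCA you would instead PEM-encode the CSR that deviceCSR returns and submit it as the --csr input, letting the PCA do what caSign does here. newKey, mint, deviceCSR and caSign are names chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newKey generates an RSA-2048 key, matching the openssl commands in the answer.
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// mint signs tmpl with priv (the parent's key) and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub crypto.PublicKey, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// deviceCSR is "openssl req -new -newkey rsa:2048" run on the device: the key stays there, only the CSR leaves.
func deviceCSR(clientID string) ([]byte, *rsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: clientID}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key) // DER; PEM-encode it for "--csr file://"
	return csr, key, err
}

// caSign is the CA side of "openssl x509 -req -days 375 -CA ca.pem -CAkey ca.key -set_serial": it rejects a
// CSR whose own signature fails (no proof the requester holds the key) and issues a client-auth-only certificate.
func caSign(ca *x509.Certificate, caKey *rsa.PrivateKey, csrDER []byte, serial int64) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 375), // --validity Value=375,Type=DAYS
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return mint(tmpl, ca, csr.PublicKey, caKey)
}
```

For a local test CA in place of ca.pem / ca.key, mint(tmpl, tmpl, &key.PublicKey, key) with a template that sets IsCA, BasicConstraintsValid and KeyUsageCertSign self-signs it; like the openssl script, caSign never sees the device's private key, so bundling it as ${CLIENT_ID}.full.pem remains a step done on the device side.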
