AWS Cert Mgr - How to create client & device certificates?

天大地大妈咪最大 提交于 2019-12-11 17:19:44

问题


From AWS tech talk, I have learnt that,

I am able to create private server certificate using below option:

-------------------

The server certificates serve the rationale of encrypting and decrypting the content.

Whereas

client certificate as the name implies is clearly used to identify a client to a respective user

A device certificate creates an identity for each “thing” in an IoT ecosystem, making sure each device authenticates as it connects, and protects communication between devices.


We have created root CA and subordinate CA using AWS Cert mgr through console.

How to create device & client certificate(private) using ACM GoLang sdk?


回答1:


[UPDATE after question asked for ACM]

Use the aws acm-pca issue-certificate command to request a certificate:

CLIENT_ID="device-0001"
CLIENT_SERIAL=0001

# Create the CSR and Private Key
openssl req -new -newkey rsa:2048 -days 365 -keyout ${CLIENT_ID}.key -out ${CLIENT_ID}.csr

# Replace --certificate-authority-arn with your ARN returned when you create the certificate authority.

aws acm-pca issue-certificate \
--csr file://${CLIENT_ID}.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=375,Type="DAYS" \
--idempotency-token 12983 \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012

This command outputs the ARN, save this value for the next command ($MY-CERT-ARN)

aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn $MY-CERT-ARN \
 --output text > ${CLIENT_ID}-cert.pem

[END UPDATE]

Example code to generate a client certificate. Change CLIENT_ID and CLIENT_SERIAL for each certificate that you generate. ca.pem and ca.key are your CA certificate and private key.

CLIENT_ID="device-0001"
CLIENT_SERIAL=0001

openssl genrsa -aes256 -passout pass:xxxx -out ${CLIENT_ID}.pass.key 4096
openssl rsa -passin pass:xxxx -in ${CLIENT_ID}.pass.key -out ${CLIENT_ID}.key
rm ${CLIENT_ID}.pass.key

# generate the CSR
openssl req -new -key ${CLIENT_ID}.key -out ${CLIENT_ID}.csr

# issue this certificate, signed by the CA (ca.pem ca.key)
openssl x509 -req -days 375 -in ${CLIENT_ID}.csr -CA ca.pem -CAkey ca.key -set_serial ${CLIENT_SERIAL} -out ${CLIENT_ID}.pem

# Give the client the file: ${CLIENT_ID}.full.pem
cat ${CLIENT_ID}.key ${CLIENT_ID}.pem ca.pem > ${CLIENT_ID}.full.pem


来源:https://stackoverflow.com/questions/56692983/aws-cert-mgr-how-to-create-client-device-certificates

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!