douzhou7037 2019-06-20 19:50
Views: 115
Accepted

AWS Cert Mgr - how to create client and device certificates?

From AWS tech talk, I have learnt that,

I am able to create private server certificate using below option:

-------------------

The server certificates serve the rationale of encrypting and decrypting the content.

Whereas a client certificate, as the name implies, is clearly used to identify a client to a respective user.

A device certificate creates an identity for each "thing" in an IoT ecosystem, making sure each device authenticates as it connects, and protecting communication between devices.


We have created a root CA and a subordinate CA using AWS Cert Mgr through the console.

How do I create device and client certificates (private) using the ACM GoLang SDK?

  • Write an answer

1 answer    Default    Newest

  • douliu3831 2019-06-20 20:13
    Follow

    [UPDATE after question asked for ACM]

    Use the aws acm-pca issue-certificate command to request a certificate:

    CLIENT_ID="device-0001"
    CLIENT_SERIAL=0001
    
    # Create the CSR and private key (openssl prompts for a key passphrase and the subject).
    # The certificate's lifetime is set by --validity below, so no -days is needed here.
    openssl req -new -newkey rsa:2048 -keyout ${CLIENT_ID}.key -out ${CLIENT_ID}.csr
    
    # Replace --certificate-authority-arn with your ARN returned when you create the certificate authority.
    # Keep the ARN on one line; splitting it across a line continuation breaks the argument.
    aws acm-pca issue-certificate \
        --csr file://${CLIENT_ID}.csr \
        --signing-algorithm "SHA256WITHRSA" \
        --validity Value=375,Type="DAYS" \
        --idempotency-token 12983 \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
    

    This command outputs the ARN; save this value for the next command ($MY_CERT_ARN).

    # Issuance is asynchronous: if this reports the request is still in progress, retry after a few seconds.
    # Without --query the output file holds both the certificate and its chain; add "--query Certificate" to keep only the leaf.
    aws acm-pca get-certificate \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012 \
        --certificate-arn "${MY_CERT_ARN}" \
        --output text > ${CLIENT_ID}-cert.pem
    

    [END UPDATE]

    Example code to generate a client certificate. Change CLIENT_ID and CLIENT_SERIAL for each certificate that you generate. ca.pem and ca.key are your CA certificate and private key.

    CLIENT_ID="device-0001"
    CLIENT_SERIAL=0001
    
    openssl genrsa -aes256 -passout pass:xxxx -out ${CLIENT_ID}.pass.key 4096
    openssl rsa -passin pass:xxxx -in ${CLIENT_ID}.pass.key -out ${CLIENT_ID}.key
    rm ${CLIENT_ID}.pass.key
    
    # generate the CSR
    openssl req -new -key ${CLIENT_ID}.key -out ${CLIENT_ID}.csr
    
    # issue this certificate, signed by the CA (ca.pem ca.key)
    openssl x509 -req -days 375 -in ${CLIENT_ID}.csr -CA ca.pem -CAkey ca.key -set_serial ${CLIENT_SERIAL} -out ${CLIENT_ID}.pem
    
    # Give the client the file: ${CLIENT_ID}.full.pem
    cat ${CLIENT_ID}.key ${CLIENT_ID}.pem ca.pem > ${CLIENT_ID}.full.pem
    
    This answer was selected as the best answer by the question author. Was it helpful to you?
    Comments
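The ACM PCA flow in the accepted answer, written in Go as the question asked. This is an added example, not code from the answer or from AWS: the key and CSR are built with the standard library instead of openssl, and the CA round trip is passed in as a function which in production would wrap the aws-sdk-go acmpca client's IssueCertificate and GetCertificate calls (assumed, not shown here). The device refuses any returned certificate whose CN or public key does not match its own CSR.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
)

// NewDeviceCSR is the Go equivalent of the answer's "openssl req -new -newkey rsa:2048":
// a fresh device key plus a CSR (signed SHA256WITHRSA by default) whose CN is the device id.
func NewDeviceCSR(clientID string) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: clientID}}, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// IssueDeviceCert builds the key and CSR, runs the CA round trip `sign` (hypothetical seam:
// for ACM PCA, a wrapper doing issue-certificate then get-certificate with the returned ARN)
// and accepts the result only if it carries the requested CN and our own public key.
func IssueDeviceCert(sign func(csrPEM []byte) ([]byte, error), clientID string) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, csrPEM, err := NewDeviceCSR(clientID)
	if err != nil {
		return nil, nil, err
	}
	certPEM, err := sign(csrPEM)
	if err != nil {
		return nil, nil, err
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, nil, errors.New("CA returned no PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	if cert.Subject.CommonName != clientID || !key.PublicKey.Equal(cert.PublicKey) {
		return nil, nil, errors.New("issued certificate does not match the CSR's CN or key")
	}
	return cert, key, nil
}
```

The same key-and-CN check is worth keeping when the signer is a local CA (the answer's openssl x509 -req path) rather than ACM PCA.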
