-------------------

服务器证书用于对内容进行加密和解密。

而

顾名思义，

客户端证书显然用于识别相应用户的客户端

设备证书可为IoT生态系统中的每个“事物”创建一个标识，确保每个设备在连接时都进行身份验证，并保护设备之间的通信。

我们已经通过控制台使用AWS Cert mgr创建了根CA和从属CA。

如何使用ACM GoLang sdk创建设备和客户端证书（私有）？

Answer 1

[问题询问ACM后更新]

使用aws acm-pca issue-certificate命令来请求证书：

CLIENT_ID="device-0001"
CLIENT_SERIAL=0001

# Create the CSR and Private Key
openssl req -new -newkey rsa:2048 -days 365 -keyout ${CLIENT_ID}.key -out ${CLIENT_ID}.csr

# Replace --certificate-authority-arn with your ARN returned when you create the certificate authority.

aws acm-pca issue-certificate \
--csr file://${CLIENT_ID}.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=375,Type="DAYS" \
--idempotency-token 12983 \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012

此命令输出ARN，将该值保存为下一个命令（$ MY-CERT-ARN）

aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:\
certificate-authority/12345678-1234-1234-1234-123456789012 \
--certificate-arn $MY-CERT-ARN \
 --output text > ${CLIENT_ID}-cert.pem

[END UPDATE]

生成客户端证书的示例代码。为您生成的每个证书更改CLIENT_ID和CLIENT_SERIAL。 ca.pem和ca.key是您的CA证书和私钥。

CLIENT_ID="device-0001"
CLIENT_SERIAL=0001

openssl genrsa -aes256 -passout pass:xxxx -out ${CLIENT_ID}.pass.key 4096
openssl rsa -passin pass:xxxx -in ${CLIENT_ID}.pass.key -out ${CLIENT_ID}.key
rm ${CLIENT_ID}.pass.key

# generate the CSR
openssl req -new -key ${CLIENT_ID}.key -out ${CLIENT_ID}.csr

# issue this certificate, signed by the CA (ca.pem ca.key)
openssl x509 -req -days 375 -in ${CLIENT_ID}.csr -CA ca.pem -CAkey ca.key -set_serial ${CLIENT_SERIAL} -out ${CLIENT_ID}.pem

# Give the client the file: ${CLIENT_ID}.full.pem
cat ${CLIENT_ID}.key ${CLIENT_ID}.pem ca.pem > ${CLIENT_ID}.full.pem

AWS Cert Mgr-如何创建客户端和设备证书？

-------------------

1 个答案: