1回答

繁星点点滴滴

[向 ACM 提出问题后更新]使用aws acm-pca issue-certificate命令请求证书：CLIENT_ID="device-0001"CLIENT_SERIAL=0001# Create the CSR and Private Keyopenssl req -new -newkey rsa:2048 -days 365 -keyout ${CLIENT_ID}.key -out ${CLIENT_ID}.csr# Replace --certificate-authority-arn with your ARN returned when you create the certificate authority.aws acm-pca issue-certificate \--csr file://${CLIENT_ID}.csr \--signing-algorithm "SHA256WITHRSA" \--validity Value=375,Type="DAYS" \--idempotency-token 12983 \--certificate-authority-arn arn:aws:acm-pca:region:account:\certificate-authority/12345678-1234-1234-1234-123456789012此命令输出 ARN，保存该值以用于下一个命令 ($MY-CERT-ARN)aws acm-pca get-certificate \--certificate-authority-arn arn:aws:acm-pca:region:account:\certificate-authority/12345678-1234-1234-1234-123456789012 \--certificate-arn $MY-CERT-ARN \ --output text > ${CLIENT_ID}-cert.pem[结束更新]生成客户端证书的示例代码。更改您生成的每个证书的 CLIENT_ID 和 CLIENT_SERIAL。ca.pem 和 ca.key 是您的 CA 证书和私钥。CLIENT_ID="device-0001"CLIENT_SERIAL=0001openssl genrsa -aes256 -passout pass:xxxx -out ${CLIENT_ID}.pass.key 4096openssl rsa -passin pass:xxxx -in ${CLIENT_ID}.pass.key -out ${CLIENT_ID}.keyrm ${CLIENT_ID}.pass.key# generate the CSRopenssl req -new -key ${CLIENT_ID}.key -out ${CLIENT_ID}.csr# issue this certificate, signed by the CA (ca.pem ca.key)openssl x509 -req -days 375 -in ${CLIENT_ID}.csr -CA ca.pem -CAkey ca.key -set_serial ${CLIENT_SERIAL} -out ${CLIENT_ID}.pem# Give the client the file: ${CLIENT_ID}.full.pemcat ${CLIENT_ID}.key ${CLIENT_ID}.pem ca.pem > ${CLIENT_ID}.full.pem

0 0

0