Activate an Product Attestation Intermediate (PAI) - Amazon Private Certificate Authority
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Activate an Product Attestation Intermediate (PAI)

This Java sample shows how to use the BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1 definition template to create and install a Matter Subordinate CA (PAI) certificate for product attestation. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.

The example calls the following Amazon Private CA API actions:

If you encounter problems, see Troubleshoot Amazon Private CA Matter-compliant certificate errors in the Troubleshooting section.

package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.RevocationConfiguration; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.jce.X509KeyUsage; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult; import com.amazonaws.services.acmpca.model.GetCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateResult; import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.CertificateMismatchException; import com.amazonaws.services.acmpca.model.ConcurrentModificationException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.MalformedCertificateException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import com.amazonaws.services.acmpca.model.RequestFailedException; import com.amazonaws.services.acmpca.model.RequestInProgressException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.AWSACMPCAException; import com.amazonaws.waiters.Waiter; import com.amazonaws.waiters.WaiterParameters; import com.amazonaws.waiters.WaiterTimedOutException; import com.amazonaws.waiters.WaiterUnrecoverableException; import lombok.SneakyThrows; public class ProductAttestationIntermediateActivation { public static void main(String[] args) throws Exception { // Place your own Root CA ARN here. String paaArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"; // Define the endpoint region for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("Matter Test PAI"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID .withValue("FFF1"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.2") // Product ID .withValue("8000") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); configCA.withSubject(subject); // Define a CRL distribution point extension configuration CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration(); CDPConfigure.withOmitExtension(true); // Define a certificate revocation list configuration. CrlConfiguration crlConfigure = new CrlConfiguration(); crlConfigure.withEnabled(true); crlConfigure.withExpirationInDays(365); crlConfigure.withCustomCname(null); crlConfigure.withS3BucketName("your-bucket-name"); crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL"); crlConfigure.withCrlDistributionPointConfiguration(CDPConfigure); // Define a certificate authority type CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE; // ** Execute core code samples for Subordinate CA activation in sequence ** AWSACMPCA client = ClientBuilder(endpointRegion); String rootCertificate = GetCertificateAuthorityCertificate(paaArn, client); String subordinateCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client); String csr = GetCertificateAuthorityCsr(subordinateCAArn, client); String subordinateCertificateArn = IssueCertificate(paaArn, csr, client); String subordinateCertificate = GetCertificate(subordinateCertificateArn, paaArn, client); ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client); } private static AWSACMPCA ClientBuilder(String endpointRegion) { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); return client; } private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) { // ** GetCertificateAuthorityCertificate ** // Create a request object and set the certificate authority ARN, GetCertificateAuthorityCertificateRequest getCACertificateRequest = new GetCertificateAuthorityCertificateRequest(); getCACertificateRequest.withCertificateAuthorityArn(rootCAArn); // Create a result object. GetCertificateAuthorityCertificateResult getCACertificateResult = null; try { getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest); } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } // Retrieve and display the certificate information. String rootCertificate = getCACertificateResult.getCertificate(); System.out.println("Product Attestation Authority (PAA) Certificate / Certificate Chain:"); System.out.println(rootCertificate); return rootCertificate; } private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) { RevocationConfiguration revokeConfig = new RevocationConfiguration(); revokeConfig.setCrlConfiguration(crlConfigure); // Create the request object. CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest(); createCARequest.withCertificateAuthorityConfiguration(configCA); createCARequest.withIdempotencyToken("123987"); createCARequest.withCertificateAuthorityType(CAtype); createCARequest.withRevocationConfiguration(revokeConfig); // Create the private CA. CreateCertificateAuthorityResult createCAResult = null; try { createCAResult = client.createCertificateAuthority(createCARequest); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String subordinateCAArn = createCAResult.getCertificateAuthorityArn(); System.out.println("Product Attestation Intermediate (PAI) Arn: " + subordinateCAArn); return subordinateCAArn; } private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) { // Create the CSR request object and set the CA ARN. GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest(); csrRequest.withCertificateAuthorityArn(subordinateCAArn); // Create waiter to wait on successful creation of the CSR file. Waiter<GetCertificateAuthorityCsrRequest> getCSRWaiter = client.waiters().certificateAuthorityCSRCreated(); try { getCSRWaiter.run(new WaiterParameters<>(csrRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch(AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the CSR. GetCertificateAuthorityCsrResult csrResult = null; try { csrResult = client.getCertificateAuthorityCsr(csrRequest); } catch (RequestInProgressException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } // Retrieve and display the CSR; String csr = csrResult.getCsr(); System.out.println("Subordinate CSR:"); System.out.println(csr); return csr; } private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) { // Create a certificate request: IssueCertificateRequest issueRequest = new IssueCertificateRequest(); // Set the issuing CA ARN. issueRequest.withCertificateAuthorityArn(rootCAArn); // Set the template ARN. issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1"); ByteBuffer csrByteBuffer = stringToByteBuffer(csr); issueRequest.setCsr(csrByteBuffer); // Set the signing algorithm. issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(730L); // Approximately two years validity.withType("DAYS"); issueRequest.withValidity(validity); // Set the idempotency token. issueRequest.setIdempotencyToken("1234"); ApiPassthrough apiPassthrough = new ApiPassthrough(); // Generate Base64 encoded extension value for ExtendedKeyUsage String base64EncodedKUValue = generateKeyUsageValue(); // Generate custom extension CustomExtension customKeyUsageExtension = new CustomExtension(); customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); customKeyUsageExtension.setValue(base64EncodedKUValue); customKeyUsageExtension.setCritical(true); // Set KeyUsage extension to api passthrough Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension)); apiPassthrough.setExtensions(extensions); issueRequest.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult issueResult = null; try { issueResult = client.issueCertificate(issueRequest); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String subordinateCertificateArn = issueResult.getCertificateArn(); System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn); return subordinateCertificateArn; } @SneakyThrows private static String generateKeyUsageValue() { KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); byte[] kuBytes = keyUsage.getEncoded(); return Base64.getEncoder().encodeToString(kuBytes); } private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) { // Create a request object. GetCertificateRequest certificateRequest = new GetCertificateRequest(); // Set the certificate ARN. certificateRequest.withCertificateArn(subordinateCertificateArn); // Set the certificate authority ARN. certificateRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the certificate file. Waiter<GetCertificateRequest> getCertificateWaiter = client.waiters().certificateIssued(); try { getCertificateWaiter.run(new WaiterParameters<>(certificateRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the certificate and certificate chain. GetCertificateResult certificateResult = null; try { certificateResult = client.getCertificate(certificateRequest); } catch (RequestInProgressException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } // Get the certificate and certificate chain and display the result. String subordinateCertificate = certificateResult.getCertificate(); System.out.println("Subordinate CA Certificate:"); System.out.println(subordinateCertificate); return subordinateCertificate; } private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) { // Create the request object and set the signed certificate, chain and CA ARN. ImportCertificateAuthorityCertificateRequest importRequest = new ImportCertificateAuthorityCertificateRequest(); ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate); importRequest.setCertificate(certByteBuffer); ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate); importRequest.setCertificateChain(rootCACertByteBuffer); // Set the certificate authority ARN. importRequest.withCertificateAuthorityArn(subordinateCAArn); // Import the certificate. try { client.importCertificateAuthorityCertificate(importRequest); } catch (CertificateMismatchException ex) { throw ex; } catch (MalformedCertificateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (RequestInProgressException ex) { throw ex; } catch (ConcurrentModificationException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } System.out.println("Product Attestation Intermediate (PAI) certificate successfully imported."); System.out.println("Product Attestation Intermediate (PAI) activated successfully."); } private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } }