使用您的 CA 证书创建客户端证书 - Amazon IoT Core
创建客户端证书 (CLI)
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

使用您的 CA 证书创建客户端证书

您可以使用自己的证书颁发机构 (CA) 创建客户端证书。必须先在 Amazon IoT 中注册客户端证书,然后才能使用。有关客户端证书的注册选项的信息,请参阅注册客户端证书

创建客户端证书 (CLI)

注意

您无法在 Amazon IoT 控制台中执行此流程。

使用 Amazon CLI 创建客户端证书

  1. 生成密钥对。

    openssl genrsa -out device_cert_key_filename.key 2048

  2. 为客户端证书创建 CSR。

    openssl req -new \
    -key device_cert_key_filename.key \
    -out device_cert_csr_filename.csr

    系统将提示您输入一些信息,如下所示:

    You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
    State or Province Name (full name) []:
    Locality Name (for example, city) []:
    Organization Name (for example, company) []:
    Organizational Unit Name (for example, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  3. 从 CSR 创建客户端证书。

    openssl x509 -req \
    -in device_cert_csr_filename.csr \
    -CA root_CA_cert_filename.pem \
    -CAkey root_CA_key_filename.key \
    -CAcreateserial \
    -out device_cert_filename.pem \
    -days 500 -sha256

此时已创建客户端证书,但尚未注册到 Amazon IoT。有关注册客户端证书的方式和时机的信息,请参阅注册客户端证书