Create a client certificate using your CA certificate - AWS IoT
The AWS services or features described in the AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Create a client certificate using your CA certificate

You can use your own certificate authority (CA) to create client certificates. A client certificate must be registered with AWS IoT before it can be used. For information about the registration options for client certificates, see Register a client certificate.

Create a client certificate (CLI)

Note

You can't perform this procedure in the AWS IoT console.

To create a client certificate using the AWS CLI

  1. Generate a key pair.

    openssl genrsa -out device_cert_key_filename 2048
  2. Create a CSR for the client certificate.

    openssl req -new \
        -key device_cert_key_filename \
        -out device_cert_csr_filename

    You are prompted to enter some information, as shown here:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) []:
    Locality Name (for example, city) []:
    Organization Name (for example, company) []:
    Organizational Unit Name (for example, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  3. Create the client certificate from the CSR.

    openssl x509 -req \
        -in device_cert_csr_filename \
        -CA root_ca_pem_filename \
        -CAkey root_ca_key_filename \
        -CAcreateserial \
        -out device_cert_pem_filename \
        -days 500 -sha256

At this point the client certificate has been created, but it is not yet registered with AWS IoT. For information about how and when to register the client certificate, see Register a client certificate.
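The three steps above as a non-interactive script, added here as an example and not part of the AWS page: it stands in for your own CA with a throwaway self-signed CA (an assumption; you would use the CA you registered with AWS IoT), answers the CSR prompts with `-subj`, and, before registration, checks that the certificate chains to that CA and that the device key matches it. `WORKDIR` and the file names are assumptions, not names from the page.

```shell
#!/bin/sh
# Added example (not AWS's own script). Runs the page's steps 1-3 end to end.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: a writable scratch directory

# Constructed stand-in for the customer's CA; the page assumes you already have one.
make_test_ca() {
  openssl genrsa -out "$WORKDIR/root_ca_key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/root_ca_key.pem" -sha256 -days 30 \
    -subj "/CN=Example Device CA" -out "$WORKDIR/root_ca.pem" 2>/dev/null
}

# Step 1: key pair. Step 2: CSR, with -subj replacing the interactive DN prompts.
# Step 3: sign the CSR with the CA key, exactly as on the page (-CAcreateserial, 500 days, SHA-256).
make_client_cert() {
  cn="$1"   # the Common Name identifies the device in the certificate subject
  openssl genrsa -out "$WORKDIR/device_cert_key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/device_cert_key.pem" \
    -subj "/CN=$cn" -out "$WORKDIR/device_cert.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/device_cert.csr" \
    -CA "$WORKDIR/root_ca.pem" -CAkey "$WORKDIR/root_ca_key.pem" \
    -CAcreateserial -out "$WORKDIR/device_cert.pem" -days 500 -sha256 2>/dev/null
}

# Pre-registration check: the certificate must validate against the CA you registered
# with AWS IoT, and the private key you ship to the device must match its public key.
# Prints the subject on success; returns 1 on any mismatch.
verify_client_cert() {
  openssl verify -CAfile "$WORKDIR/root_ca.pem" "$WORKDIR/device_cert.pem" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$WORKDIR/device_cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/device_cert_key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$WORKDIR/device_cert.pem" -noout -subject -nameopt RFC2253
}

main() {
  make_test_ca
  make_client_cert "thing-0001"
  verify_client_cert
}
```

Run `main` to produce the files under `WORKDIR`; the certificate it leaves in `device_cert.pem` is what you then register with AWS IoT.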