本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
使用自定义使用者名称创建 CA 和证书
CustomAttribute 对象允许管理员将自定义对象标识符(OID)传递给私有 CA 和证书。自定义 OID 可用于创建专门的使用者名称层次结构,以反映您的组织结构和需求。必须使用其中一个 ApiPassthrough 模板创建自定义证书。有关模板的更多信息,请参阅模板种类。有关使用自定义属性的更多信息,请参阅 颁发私有终端实体证书 和 创建 CA 的过程(CLI) 。
不能将 StandardAttributes 与 CustomAttributes 结合使用。但是,您可以将标准 OID 作为 CustomAttributes 的一部分进行传递。下表列出了默认使用者名称 OID:
| 使用者名称 | 对象 ID |
|---|---|
|
Country(国家/地区) |
2.5.4.6 |
|
CommonName |
2.5.4.3 |
|
DistinguishedNameQualifier |
2.5.4.46 |
|
GenerationQualifier |
2.5.4.44 |
|
GivenName |
2.5.4.42 |
|
首字母缩写 |
2.5.4.43 |
|
区域 |
2.5.4.7 |
|
Organization(组织) |
2.5.4.10 |
|
OrganizationalUnit |
2.5.4.11 |
|
化名 |
2.5.4.65 |
|
序列号 |
2.5.4.5 |
|
状态 |
2.5.4.8 |
|
姓氏 |
2.5.4.4 |
|
标题 |
2.5.4.12 |
使用 CustomAttribute 创建 CA
package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Tag; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.RevocationConfiguration; public class CreateCertificateAuthorityWithCustomAttributes { public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } // Define the endpoint for your sample. String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.6") // Country .withValue("US"), new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("CommonName"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("ABCDEFG"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("BCDEFGH") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.RSA_2048); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA); configCA.withSubject(subject); // Define a certificate revocation list configuration. CrlConfiguration crlConfigure = new CrlConfiguration(); crlConfigure.withEnabled(true); crlConfigure.withExpirationInDays(365); crlConfigure.withCustomCname(null); crlConfigure.withS3BucketName("your-bucket-name"); RevocationConfiguration revokeConfig = new RevocationConfiguration(); revokeConfig.setCrlConfiguration(crlConfigure); // Define a certificate authority type: ROOT or SUBORDINATE CertificateAuthorityType caType = CertificateAuthorityType.SUBORDINATE; // Create a tag - method 1 Tag tag1 = new Tag(); tag1.withKey("PrivateCA"); tag1.withValue("Sample"); // Create a tag - method 2 Tag tag2 = new Tag() .withKey("Purpose") .withValue("WebServices"); // Add the tags to a collection. ArrayList<Tag> tags = new ArrayList<Tag>(); tags.add(tag1); tags.add(tag2); // Create the request object. CreateCertificateAuthorityRequest req = new CreateCertificateAuthorityRequest(); req.withCertificateAuthorityConfiguration(configCA); req.withRevocationConfiguration(revokeConfig); req.withIdempotencyToken("1234"); req.withCertificateAuthorityType(caType); req.withTags(tags); // Create the private CA. CreateCertificateAuthorityResult result = null; try { result = client.createCertificateAuthority(req); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String arn = result.getCertificateAuthorityArn(); System.out.println(arn); } }
使用 CustomAttribute 颁发证书
package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.MalformedCSRException; public class IssueCertificateWithCustomAttributes { private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create a certificate request: IssueCertificateRequest req = new IssueCertificateRequest(); // Set the CA ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account:" + "certificate-authority/12345678-1234-1234-1234-123456789012"); // Specify the certificate signing request (CSR) for the certificate to be signed and issued. String strCSR = "-----BEGIN CERTIFICATE REQUEST-----\n" + "base64-encoded CSR\n" + "-----END CERTIFICATE REQUEST-----\n"; ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR); req.setCsr(csrByteBuffer); // Specify the template for the issued certificate. req.withTemplateArn("arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1"); // Set the signing algorithm. req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(100L); validity.withType("DAYS"); req.withValidity(validity); // Set the idempotency token. req.setIdempotencyToken("1234"); // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.6") // Country .withValue("US"), new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("CommonName"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("ABCDEFG"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("BCDEFGH") ); // Define certificate subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Add subject to api-passthrough ApiPassthrough apiPassthrough = new ApiPassthrough(); apiPassthrough.setSubject(subject); req.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult result = null; try { result = client.issueCertificate(req); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String arn = result.getCertificateArn(); System.out.println(arn); } }