列出私有证书 - Amazon Private Certificate Authority
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

列出私有证书

要列出您的私有证书,请生成审计报告,从其 S3 桶中检索该报告,然后根据需要解析报告内容。有关创建 Amazon 私有 CA 审计报告的信息,请参阅 将审计报告与您的私有 CA 一起使用。有关从 S3 桶检索对象的信息,请参阅《Amazon Simple Storage Service 用户指南》中的下载对象

以下示例说明了创建审计报告并对其进行解析以获取有用数据的方法。使用类似 sed 的JSON解析器 jq 对结果进行格式化并筛选数据。

1. 创建审计报告。

以下命令为指定 CA 生成审计报告。

$ aws acm-pca create-certificate-authority-audit-report \ --region region \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \ --s3-bucket-name bucket_name \ --audit-report-response-format JSON

如果成功,则该命令将返回新审计报告的 ID 和位置。

{ "AuditReportId":"audit_report_ID", "S3Key":"audit-report/CA_ID/audit_report_ID.json" }
2. 检索审计报告并设置其格式。

此命令检索审计报告,在标准输出中显示其内容,并筛选结果以仅显示 2020-12-01 当天或之后颁发的证书。

$ aws s3api get-object \ --region region \ --bucket bucket_name \ --key audit-report/CA_ID/audit_report_ID.json \ /dev/stdout | jq '.[] | select(.issuedAt >= "2020-12-01")'

返回的项目如下所示:

{ "awsAccountId":"account", "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial":"serial_number", "subject":"CN=pca.alpha.root2.leaf5", "notBefore":"2020-12-21T21:28:09+0000", "notAfter":"9999-12-31T23:59:59+0000", "issuedAt":"2020-12-21T22:28:09+0000", "templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1" }
3. 在本地保存审计报告。

如果要执行多个查询,可以方便地将审计报告保存到本地文件中。

$ aws s3api get-object \ --region region \ --bucket bucket_name \ --key audit-report/CA_ID/audit_report_ID.json > my_local_audit_report.json

与以前相同的筛选条件将产生相同的输出:

$ cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-12-01")' { "awsAccountId":"account", "certificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial":"serial_number", "subject":"CN=pca.alpha.root2.leaf5", "notBefore":"2020-12-21T21:28:09+0000", "notAfter":"9999-12-31T23:59:59+0000", "issuedAt":"2020-12-21T22:28:09+0000", "templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1" }
4. 在某个日期范围内查询

您可以查询在某个日期范围内颁发的证书,如下所示:

$ cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-11-01" and .issuedAt <= "2020-11-10")'

筛选后的内容在标准输出中显示:

{ "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.leaf1", "notBefore": "2020-11-06T19:18:21+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-06T20:18:22+0000", "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1" } { "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.rsa2048sha256", "notBefore": "2020-11-06T19:15:46+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-06T20:15:46+0000", "templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1" } { "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.leaf2", "notBefore": "2020-11-06T20:04:39+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-06T21:04:39+0000", "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1" }
5. 按照指定模板搜索证书。

以下命令使用模板筛选报告内容ARN:

$ cat my_local_audit_report.json | jq '.[] | select(.templateArn == "arn:aws:acm-pca:::template/RootCACertificate/V1")'

输出显示匹配的证书记录:

{ "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.rsa2048sha256", "notBefore": "2020-11-06T19:15:46+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-06T20:15:46+0000", "templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1" }
6. 筛选已吊销的证书

要找出所有已吊销的证书,请使用以下命令:

$ cat my_local_audit_report.json | jq '.[] | select(.revokedAt != null)'

已吊销的证书显示如下:

{ "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.leaf2", "notBefore": "2020-11-06T20:04:39+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-06T21:04:39+0000", "revokedAt": "2021-05-27T18:57:32+0000", "revocationReason": "UNSPECIFIED", "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1" }
7. 使用正则表达式进行筛选。

以下命令搜索包含字符串“leaf”的使用者名称:

$ cat my_local_audit_report.json | jq '.[] | select(.subject|test("leaf"))'

匹配的证书记录返回如下:

{ "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.roo2.leaf4", "notBefore": "2020-11-16T18:17:10+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-16T19:17:12+0000", "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1" } { "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.leaf5", "notBefore": "2020-12-21T21:28:09+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-12-21T22:28:09+0000", "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1" } { "awsAccountId": "account", "certificateArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID", "serial": "serial_number", "subject": "CN=pca.alpha.root2.leaf1", "notBefore": "2020-11-06T19:18:21+0000", "notAfter": "9999-12-31T23:59:59+0000", "issuedAt": "2020-11-06T20:18:22+0000", "templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1" }