Whether each command actually runs is mainly verified in AWS Cloud9.
If you can contribute command examples, please send them through the inquiry form.
Requests to correct the command examples listed here are also welcome through the same form.
Create a root CA and a subordinate CA in different AWS accounts
[Account A] Create the root CA
# CA configuration: key algorithm, signing algorithm and subject DN of the root CA
config=$(cat <<EOM
{
"KeyAlgorithm":"RSA_2048",
"SigningAlgorithm":"SHA256WITHRSA",
"Subject":{
"Country":"US",
"Organization":"Example Corp",
"OrganizationalUnit":"Sales",
"State":"WA",
"Locality":"Seattle",
"CommonName":"www.example.com"
}
}
EOM
)
# Create the root CA in us-east-1; it stays in PENDING_CERTIFICATE until a certificate is installed on it
aws acm-pca create-certificate-authority \
--certificate-authority-configuration "$config" \
--certificate-authority-type "ROOT" \
--usage-mode GENERAL_PURPOSE \
--region us-east-1
Output
{
"CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
}
by yuyu
[Account A] Install a certificate on the root CA
ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
# Fetch the CSR that ACM PCA generated for the root CA's key pair
aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn $ca_arn \
--region us-east-1 \
--output text > ca.csr
# Self-sign that CSR with the root CA template. issue-certificate is asynchronous, so the
# get-certificate call below may report the certificate as still being issued for a few
# seconds; retry, or run "aws acm-pca wait certificate-issued" with the same ARNs first.
cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $ca_arn \
--csr fileb://ca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--validity Value=365,Type=DAYS \
--query CertificateArn \
--region us-east-1 \
--output text)
# Retrieve the signed root certificate (a root has no chain, so the text output is just the PEM)
aws acm-pca get-certificate \
--certificate-authority-arn $ca_arn \
--certificate-arn $cert_arn \
--region us-east-1 \
--output text > cert.pem
# Install the self-signed certificate; the CA moves to ACTIVE and can start issuing
aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn $ca_arn \
--certificate fileb://cert.pem \
--region us-east-1
Output
None
by yuyu
[Account B] Create the subordinate CA in another region
# Same configuration shape as the root; this CA lives in account B, region us-east-2
config=$(cat <<EOM
{
"KeyAlgorithm":"RSA_2048",
"SigningAlgorithm":"SHA256WITHRSA",
"Subject":{
"Country":"US",
"Organization":"Example Corp",
"OrganizationalUnit":"Sales",
"State":"WA",
"Locality":"Seattle",
"CommonName":"www.example.com"
}
}
EOM
)
# A SUBORDINATE CA cannot self-sign; its certificate must come from the root in account A
aws acm-pca create-certificate-authority \
--certificate-authority-configuration "$config" \
--certificate-authority-type "SUBORDINATE" \
--region us-east-2
Output
{
"CertificateAuthorityArn": "arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"
}
by yuyu
[Account B] Get the CSR for the certificate to be installed on the subordinate CA
subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"
# subca.csr must then be handed to account A (copied out of band), where the root CA signs it
aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn $subca_arn \
--region us-east-2 \
--output text > subca.csr
Output
None
by yuyu
[Account A] Issue the subordinate CA's certificate from the root CA
ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
# Sign account B's subca.csr with the PathLen0 subordinate template: the resulting CA may
# issue end-entity certificates but no further CAs beneath it
subca_cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $ca_arn \
--csr fileb://subca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
--validity Value=60,Type=DAYS \
--query CertificateArn \
--region us-east-1 \
--output text)
# JSON output carries both the certificate and its chain (here the root certificate)
aws acm-pca get-certificate \
--certificate-authority-arn $ca_arn \
--certificate-arn $subca_cert_arn \
--region us-east-1 \
--output json > subca_cert.pem
# Split the JSON into the two PEM files that account B will import
jq -r '.Certificate' subca_cert.pem > sub_cert.pem
jq -r '.CertificateChain' subca_cert.pem > sub_chain.pem
Output
None
by yuyu
[Account B] Install the certificate on the subordinate CA
subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"
# sub_cert.pem and sub_chain.pem come from account A; the chain is required for a subordinate
aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn $subca_arn \
--certificate fileb://sub_cert.pem \
--certificate-chain fileb://sub_chain.pem \
--region us-east-2
Output
None
by yuyu
Import a private certificate with a 1-month expiry (under 13 months) into ACM
subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"
# Generate an unencrypted 2048-bit key and a CSR (prompts for the subject fields interactively)
openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out private.csr
# Issue a 30-day end-entity certificate from the subordinate CA in us-east-2
# (no --template-arn, so the default EndEntityCertificate template is used)
cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $subca_arn \
--csr fileb://private.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=30,Type="DAYS" \
--query CertificateArn \
--region us-east-2 \
--output text)
# JSON output holds the leaf certificate and its chain (subordinate plus root)
aws acm-pca get-certificate \
--certificate-authority-arn $subca_arn \
--certificate-arn $cert_arn \
--region us-east-2 \
--output json > ca_cert.pem
jq -r '.Certificate' ca_cert.pem > cert.pem
jq -r '.CertificateChain' ca_cert.pem > chain.pem
# Import certificate, private key and chain into ACM in the same region
aws acm import-certificate \
--certificate fileb://cert.pem \
--private-key fileb://privatekey.key \
--certificate-chain fileb://chain.pem \
--region us-east-2
Output
{
"CertificateArn": "arn:aws:acm:us-east-2:444455556666:certificate/cffb8a69-0817-4e04-bfb1-dac7426d6b90"
}
by yuyu
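The chain files assembled above (sub_cert.pem and sub_chain.pem, then cert.pem and chain.pem) and the SubordinateCACertificate_PathLen0 template are worth checking before anything is imported. The script below is an added example, not from this page or from AWS: because the aws commands need live accounts, it rebuilds the same three-tier layout locally with openssl, verifies that the end-entity certificate chains to the root through the subordinate, reads the pathlen constraint back from the subordinate certificate, and shows that a leaf issued by a CA sitting one tier below the pathlen-0 subordinate is rejected. Subject names, file names and the new_csr, sign_csr, pathlen_of and chain_ok helpers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): local stand-in for the ACM PCA
# hierarchy above, built with openssl so the chain checks can run offline.
# Subjects, file names and validity periods are constructed; the days mirror the page.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# new_csr NAME: same shape as the `openssl req -new -newkey ...` step above
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
# sign_csr NAME ISSUER DAYS EXTFILE: stands in for issue-certificate + get-certificate
sign_csr() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days "$3" -extfile "$4" -out "$1.pem" 2>/dev/null
}

# Extension profiles mimicking the RootCACertificate, SubordinateCACertificate_PathLen0
# and end-entity templates used on this page
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > leaf.ext

new_csr root
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem 2>/dev/null
new_csr subca;  sign_csr subca  root  60 subca.ext   # account A signs account B's CSR
new_csr leaf;   sign_csr leaf   subca 30 leaf.ext    # the private.csr step
new_csr subca2; sign_csr subca2 subca 60 subca.ext   # a CA one tier deeper than allowed
new_csr leaf2;  sign_csr leaf2  subca2 30 leaf.ext   # leaf under that extra tier

# pathlen_of CERT: prints the pathLenConstraint value, or nothing if none is set
pathlen_of() { openssl x509 -in "$1" -noout -text | grep -o 'pathlen:[0-9]*' | cut -d: -f2; }

# chain_ok LEAF [INTERMEDIATE...]: returns 0 only if LEAF validates up to root.pem
# through the given intermediates (equivalent check for cert.pem + chain.pem above)
chain_ok() {
  leaf=$1; shift; untrusted=""
  for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
  openssl verify -CAfile root.pem $untrusted "$leaf" >/dev/null 2>&1
}

echo "subordinate pathlen: $(pathlen_of subca.pem)"
chain_ok leaf.pem subca.pem && echo "leaf chains to root via subca: OK"
chain_ok leaf2.pem subca2.pem subca.pem || echo "leaf2 rejected: pathlen 0 blocks the extra CA tier"
```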