[AWS CLI Example Collection] Private CA

Private CA

We mainly check whether the commands can be executed from AWS Cloud9.
If you would like to contribute example commands, please submit them using the form below.
If any of the listed command examples contain errors, please correct them here.



Create a root CA and a subordinate CA in different AWS accounts

[Account A] Create the root CA

config=$(cat <<EOM
{
    "KeyAlgorithm":"RSA_2048",
    "SigningAlgorithm":"SHA256WITHRSA",
    "Subject":{
       "Country":"US",
       "Organization":"Example Corp",
       "OrganizationalUnit":"Sales",
       "State":"WA",
       "Locality":"Seattle",
       "CommonName":"www.example.com"
    }
 }
EOM
)

aws acm-pca create-certificate-authority \
--certificate-authority-configuration "$config" \
--certificate-authority-type "ROOT" \
--usage-mode GENERAL_PURPOSE \
--region us-east-1

Output

{
    "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
}

by yuyu

[Account A] Install the certificate on the root CA

ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"

# Retrieve the CSR that the CA generated for its own certificate
aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn $ca_arn \
--region us-east-1 \
--output text > ca.csr

# A root CA signs its own certificate, so issue it from the same CA with the root template
cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $ca_arn \
--csr fileb://ca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--validity Value=365,Type=DAYS \
--query CertificateArn \
--region us-east-1 \
--output text)

# Issuance is asynchronous; wait so that get-certificate does not fail with RequestInProgressException
aws acm-pca wait certificate-issued \
--certificate-authority-arn $ca_arn \
--certificate-arn $cert_arn \
--region us-east-1

aws acm-pca get-certificate \
--certificate-authority-arn $ca_arn \
--certificate-arn $cert_arn \
--region us-east-1 \
--output text > cert.pem

# The CA moves from PENDING_CERTIFICATE to ACTIVE once its certificate is imported (no chain for a root)
aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn $ca_arn \
--certificate fileb://cert.pem \
--region us-east-1

Output

None

by yuyu

[Account B] Create the subordinate CA in a different Region

config=$(cat <<EOM
{
    "KeyAlgorithm":"RSA_2048",
    "SigningAlgorithm":"SHA256WITHRSA",
    "Subject":{
       "Country":"US",
       "Organization":"Example Corp",
       "OrganizationalUnit":"Sales",
       "State":"WA",
       "Locality":"Seattle",
       "CommonName":"www.example.com"
    }
 }
EOM
)

aws acm-pca create-certificate-authority \
--certificate-authority-configuration "$config" \
--certificate-authority-type "SUBORDINATE" \
--region us-east-2

Output

{
    "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"
}

by yuyu

[Account B] Get the CSR for the certificate to be installed on the subordinate CA

subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"

# The CSR carries only the public key and subject; hand it to Account A for signing
aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn $subca_arn \
--region us-east-2 \
--output text > subca.csr

Output

None

by yuyu

[Account A] Have the root CA issue the certificate to be installed on the subordinate CA

ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"

# subca.csr is the CSR generated in Account B in the previous step and copied here.
# The PathLen0 template lets the subordinate issue end-entity certificates only, not further CA certificates.
subca_cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $ca_arn \
--csr fileb://subca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
--validity Value=60,Type=DAYS \
--query CertificateArn \
--region us-east-1 \
--output text)

aws acm-pca wait certificate-issued \
--certificate-authority-arn $ca_arn \
--certificate-arn $subca_cert_arn \
--region us-east-1

# The JSON response holds the subordinate's certificate and the chain (here, the root certificate)
aws acm-pca get-certificate \
--certificate-authority-arn $ca_arn \
--certificate-arn $subca_cert_arn \
--region us-east-1 \
--output json > subca_cert.json

jq -r '.Certificate' subca_cert.json > sub_cert.pem
jq -r '.CertificateChain' subca_cert.json > sub_chain.pem
# Copy sub_cert.pem and sub_chain.pem to Account B for the next step

Output

None

by yuyu

[Account B] Install the certificate on the subordinate CA

subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"

# sub_cert.pem and sub_chain.pem were produced by the root CA in Account A.
# The chain (ending in the root certificate) is required when importing into a subordinate CA.
aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn $subca_arn \
--certificate fileb://sub_cert.pem \
--certificate-chain fileb://sub_chain.pem \
--region us-east-2

Output

None

by yuyu


Import a private certificate valid for 1 month (less than 13 months) into ACM

subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"

# Certificates requested through ACM from a private CA are valid for 13 months.
# For a shorter lifetime, issue directly from the CA and import the result.
# The key pair is generated locally; the private key never leaves this machine.
openssl req -new -newkey rsa:2048 -nodes \
-subj "/C=US/O=Example Corp/CN=www.example.com" \
-keyout privatekey.key -out private.csr

# Without --template-arn the EndEntityCertificate/V1 template is used
cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $subca_arn \
--csr fileb://private.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=30,Type="DAYS" \
--query CertificateArn \
--region us-east-2 \
--output text)

aws acm-pca wait certificate-issued \
--certificate-authority-arn $subca_arn \
--certificate-arn $cert_arn \
--region us-east-2

aws acm-pca get-certificate \
--certificate-authority-arn $subca_arn \
--certificate-arn $cert_arn \
--region us-east-2 \
--output json > issued_cert.json

jq -r '.Certificate' issued_cert.json > cert.pem
jq -r '.CertificateChain' issued_cert.json > chain.pem

# ACM does not renew imported certificates; re-issue and re-import before the 30 days are up
aws acm import-certificate \
--certificate fileb://cert.pem \
--private-key fileb://privatekey.key \
--certificate-chain fileb://chain.pem \
--region us-east-2

Output

{
    "CertificateArn": "arn:aws:acm:us-east-2:444455556666:certificate/cffb8a69-0817-4e04-bfb1-dac7426d6b90"
}

by yuyu
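The subordinate CA installation and the ACM import above both take PEM files straight from `get-certificate` to an import call. Below is an added example, not code from the original page, that checks such material offline with openssl first: it verifies a certificate up to a root obtained out of band (the root's cert.pem from Account A), reads the pathlen that the SubordinateCACertificate_PathLen0/V1 template sets, and checks remaining validity, which matters because ACM does not renew imported certificates. Since it has to run without an AWS account, its `build_hierarchy` function produces constructed stand-in certificates with local openssl (the names "Example Root", "Example Sub CA", "Rogue Sub-Sub CA", "evil.example.com" and all file names are assumptions). The rogue CA signed by the pathlen:0 subordinate is there to show what the constraint actually blocks: a leaf issued under it fails verification with "path length constraint exceeded".

```shell
# Added example (not from the original page): offline checks on the PEM files
# that `aws acm-pca get-certificate` returns, run before feeding them to
# `import-certificate-authority-certificate` or `aws acm import-certificate`.
# POSIX sh; needs the openssl command-line tool.
set -eu

# verify_chain CERT ROOT [CHAIN]
# Verify CERT up to ROOT, the root CA certificate obtained out of band from
# Account A, treating CHAIN as untrusted intermediates. CHAIN is the
# CertificateChain field of get-certificate (it ends in the root); omit it
# when checking the subordinate CA certificate itself, whose issuer is the root.
verify_chain() {
  if [ "$#" -ge 3 ] && [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# ca_pathlen CERT: print the pathlen from basicConstraints, or nothing if the
# certificate is not a CA or has no pathlen. A subordinate issued from
# SubordinateCACertificate_PathLen0/V1 prints 0.
ca_pathlen() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*CA:TRUE, pathlen:\([0-9][0-9]*\).*/\1/p'
}

# valid_for_days CERT DAYS: succeed if CERT does not expire within DAYS.
# ACM does not renew imported certificates, so this is what you alert on.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# ---- constructed stand-in material (local openssl, not real ACM PCA output) ----

# new_csr CN KEY_OUT CSR_OUT: fresh RSA-2048 key and CSR, like private.csr above
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# sign CSR ISSUER_CERT ISSUER_KEY DAYS EXTENSIONS OUT: local stand-in for
# issue-certificate; EXTENSIONS is a newline-separated x509v3 extension list
sign() {
  extfile=$(mktemp)
  printf '%b' "$5" > "$extfile"
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$4" -extfile "$extfile" -out "$6" 2>/dev/null
  rm -f "$extfile"
}

# build_hierarchy DIR: root -> sub (pathlen:0) -> leaf, mirroring the page,
# plus a rogue CA signed by the sub CA and a leaf under it, which pathlen:0
# is meant to rule out. The *_chain.pem files end in the root, like PCA's.
build_hierarchy() {
  hdir=$1
  mkdir -p "$hdir"
  new_csr "Example Root" "$hdir/root.key" "$hdir/root.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$hdir/root.ext"
  openssl x509 -req -in "$hdir/root.csr" -signkey "$hdir/root.key" -days 365 \
    -extfile "$hdir/root.ext" -out "$hdir/root.pem" 2>/dev/null
  new_csr "Example Sub CA" "$hdir/sub.key" "$hdir/sub.csr"
  sign "$hdir/sub.csr" "$hdir/root.pem" "$hdir/root.key" 60 \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    "$hdir/sub.pem"
  new_csr "www.example.com" "$hdir/leaf.key" "$hdir/leaf.csr"
  sign "$hdir/leaf.csr" "$hdir/sub.pem" "$hdir/sub.key" 30 \
    'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
    "$hdir/leaf.pem"
  cat "$hdir/sub.pem" "$hdir/root.pem" > "$hdir/leaf_chain.pem"
  new_csr "Rogue Sub-Sub CA" "$hdir/rogue.key" "$hdir/rogue.csr"
  sign "$hdir/rogue.csr" "$hdir/sub.pem" "$hdir/sub.key" 30 \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' "$hdir/rogue.pem"
  new_csr "evil.example.com" "$hdir/rogue_leaf.key" "$hdir/rogue_leaf.csr"
  sign "$hdir/rogue_leaf.csr" "$hdir/rogue.pem" "$hdir/rogue.key" 30 \
    'basicConstraints=CA:FALSE\n' "$hdir/rogue_leaf.pem"
  cat "$hdir/rogue.pem" "$hdir/sub.pem" "$hdir/root.pem" > "$hdir/rogue_leaf_chain.pem"
}

demo() {
  dir=$(mktemp -d)
  build_hierarchy "$dir"
  verify_chain "$dir/sub.pem" "$dir/root.pem" && echo "subordinate CA chains to root"
  verify_chain "$dir/leaf.pem" "$dir/root.pem" "$dir/leaf_chain.pem" && echo "leaf chains to root"
  verify_chain "$dir/rogue_leaf.pem" "$dir/root.pem" "$dir/rogue_leaf_chain.pem" \
    || echo "leaf below a CA issued by the pathlen:0 subordinate is rejected"
  echo "subordinate pathlen: $(ca_pathlen "$dir/sub.pem")"
  valid_for_days "$dir/leaf.pem" 20 && echo "leaf still valid in 20 days"
  rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check_pca_chain.sh demo` (the file name is an assumption). Against the real output of the steps above, the calls are `verify_chain sub_cert.pem cert.pem` in Account B, with cert.pem being the root certificate from Account A, and `verify_chain cert.pem <root certificate> chain.pem` before `aws acm import-certificate`. The CertificateChain that PCA returns already ends in the root, so passing it as `-untrusted` while trusting only the separately obtained root is what keeps a swapped chain file from certifying itself.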
