Use the RSA-2048 signature to verify the instance identity document

This topic explains how to verify the instance identity document using the RSA-2048 signature and the AWS RSA-2048 public certificate.

To validate the instance identity document using the RSA-2048 signature, you must request the AWS RSA-2048 public certificate from AWS Support.
To verify the instance identity document using the RSA-2048 signature and the AWS RSA-2048 public certificate

- Connect to the instance.
- Retrieve the RSA-2048 signature from the instance metadata and add it to a file named rsa2048.
  - Add the -----BEGIN PKCS7----- header to the rsa2048 file.

    $ echo "-----BEGIN PKCS7-----" > rsa2048

  - Retrieve the RSA-2048 signature from the instance metadata and append it to the rsa2048 file. Use one of the following commands depending on the IMDS version used by the instance.
  - Append the -----END PKCS7----- footer on a new line in the rsa2048 file.

    $ echo "" >> rsa2048
    $ echo "-----END PKCS7-----" >> rsa2048

- Add the contents of the instance identity document from the instance metadata to a file named document. Use one of the following commands depending on the IMDS version used by the instance.
- Add the AWS RSA-2048 public certificate to a file named certificate.
  - Create the certificate file.

    $ touch certificate

  - Open the certificate file using your preferred text editor and add the contents of the AWS RSA-2048 public certificate that you received from AWS Support.
  - Save and close the file.
- Use the OpenSSL smime command to verify the signature. Include the -verify option to indicate that the signature needs to be verified, and the -noverify option to indicate that the signer certificate does not need to be verified against a trust chain (the certificate file you pass with -certfile is the only trust anchor).

    $ openssl smime -verify -in rsa2048 -inform PEM -content document -certfile certificate -noverify

  If the signature is valid, the Verification successful message appears. If the signature cannot be verified, contact AWS Support.
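The following script is an added example, not part of the AWS page, that runs the assemble-and-verify procedure above end to end without an EC2 instance. Everything it needs is constructed locally: a throwaway self-signed certificate stands in for the AWS RSA-2048 public certificate, a small JSON string stands in for the instance identity document, and reading a local file stands in for the IMDS request that the page leaves to the IMDS-version-specific commands. The file names rsa2048, document and certificate and the final openssl smime command are the page's own; everything else is an assumption of this example. It goes slightly beyond the page by also showing the two failures the check is there to catch: a modified document and a certificate other than the signer's.

```shell
#!/bin/sh
# Added example (not from the AWS page): the page's rsa2048 verification
# steps run offline against locally constructed stand-ins.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the AWS RSA-2048 public certificate (and the
# private key AWS would hold). On a real instance this file holds the
# certificate received from AWS Support.
make_demo_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=demo-signer" \
    -keyout "$WORK/signer.key" -out "$WORK/certificate" >/dev/null 2>&1
}

# Constructed stand-in for the instance identity document.
make_demo_document() {
  printf '%s\n' '{"instanceId":"i-0123456789abcdef0","region":"us-east-1"}' \
    > "$WORK/document"
}

# Produce what IMDS hands back for rsa2048: a detached PKCS#7 signature as
# bare base64 with no PEM header or footer and no trailing newline.
# -binary signs the raw document bytes; -nocerts leaves the certificate out
# of the signature so verification must rely on -certfile, as on the page.
make_demo_signature() {
  printf '%s' "$(openssl smime -sign -binary -nocerts -outform PEM \
      -in "$WORK/document" -signer "$WORK/certificate" \
      -inkey "$WORK/signer.key" 2>/dev/null | grep -v '^-----')" \
    > "$WORK/rsa2048.raw"
}

# The page's header / signature / footer steps. Reading rsa2048.raw stands
# in for the IMDS request that appends the signature.
assemble_rsa2048_file() {
  echo "-----BEGIN PKCS7-----" > "$WORK/rsa2048"
  cat "$WORK/rsa2048.raw" >> "$WORK/rsa2048"
  echo "" >> "$WORK/rsa2048"
  echo "-----END PKCS7-----" >> "$WORK/rsa2048"
}

# The page's verification command. -noverify skips chain building, so the
# certificate passed with -certfile is the only trust anchor. Exit status 0
# corresponds to OpenSSL's "Verification successful" message.
verify_identity_document() {
  openssl smime -verify -in "$WORK/rsa2048" -inform PEM \
    -content "$WORK/document" -certfile "$WORK/certificate" \
    -noverify -out /dev/null 2>/dev/null
}

prepare_demo() {
  make_demo_signer
  make_demo_document
  make_demo_signature
  assemble_rsa2048_file
}

# Failure mode 1: one changed value in the document must fail against the
# unchanged signature. Returns 0 only if OpenSSL rejected it.
tampered_document_is_rejected() {
  sed 's/us-east-1/us-west-2/' "$WORK/document" > "$WORK/document.tampered"
  if openssl smime -verify -in "$WORK/rsa2048" -inform PEM \
       -content "$WORK/document.tampered" -certfile "$WORK/certificate" \
       -noverify -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}

# Failure mode 2: a certificate that is not the signer's (a fresh one here)
# must be rejected even with -noverify, because the signer cannot be found.
wrong_certificate_is_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=not-the-signer" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" >/dev/null 2>&1
  if openssl smime -verify -in "$WORK/rsa2048" -inform PEM \
       -content "$WORK/document" -certfile "$WORK/other.crt" \
       -noverify -out /dev/null 2>/dev/null; then
    return 1
  fi
  return 0
}

prepare_demo
if verify_identity_document; then
  echo "Verification successful"
else
  echo "Verification failure"
fi
```

Run it on any host with OpenSSL; it prints the same "Verification successful" the page describes. The two negative helpers are the reason the check matters: the signature binds the exact document bytes, and -noverify only drops chain validation, not the requirement that the signer be the certificate you supplied.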