Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
Cree las CA y los certificados con nombres de asunto personalizados
El objeto CustomAttribute permite a los administradores pasar identificadores de objeto (Object Identifier, OID) personalizados a los certificados y CA privadas. Los OID personalizados se pueden utilizar para crear jerarquías de nombres de sujetos especializadas que reflejen la estructura y las necesidades de su organización. Los certificados personalizados se deben crear con una de las plantillas ApiPassthrough. Para obtener más información acerca de las plantillas, consulte Variedades de plantillas. Para obtener más información sobre el uso de atributos personalizados, consulte Emisión de certificados de entidad final privadas y Procedimiento para crear una CA (CLI) .
No se puede utilizar StandardAttributes con CustomAttributes. Sin embargo, puede pasar los OID estándares como parte de un CustomAttributes. Los OID de nombre de asunto predeterminados se enumeran en la siguiente tabla:
| Nombre del asunto | ID de objeto |
|---|---|
|
País |
2.5.4.6 |
|
CommonName |
2.5.4.3 |
|
DistinguishedNameQualifier |
2.5.4.46 |
|
GenerationQualifier |
2.5.4.44 |
|
GivenName |
2.5.4.42 |
|
Iniciales |
2.5.4.43 |
|
Localidad |
2.5.4.7 |
|
Organización |
2.5.4.10 |
|
OrganizationalUnit |
2.5.4.11 |
|
Seudónimo |
2.5.4.65 |
|
SerialNumber |
2.5.4.5 |
|
Estado |
2.5.4.8 |
|
Apellido |
2.5.4.4 |
|
Título |
2.5.4.12 |
Cree una CA con CustomAttribute
package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Tag; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.RevocationConfiguration; public class CreateCertificateAuthorityWithCustomAttributes { public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } // Define the endpoint for your sample. String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.6") // Country .withValue("US"), new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("CommonName"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("ABCDEFG"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("BCDEFGH") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.RSA_2048); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA); configCA.withSubject(subject); // Define a certificate revocation list configuration. CrlConfiguration crlConfigure = new CrlConfiguration(); crlConfigure.withEnabled(true); crlConfigure.withExpirationInDays(365); crlConfigure.withCustomCname(null); crlConfigure.withS3BucketName("your-bucket-name"); RevocationConfiguration revokeConfig = new RevocationConfiguration(); revokeConfig.setCrlConfiguration(crlConfigure); // Define a certificate authority type: ROOT or SUBORDINATE CertificateAuthorityType caType = CertificateAuthorityType.SUBORDINATE; // Create a tag - method 1 Tag tag1 = new Tag(); tag1.withKey("PrivateCA"); tag1.withValue("Sample"); // Create a tag - method 2 Tag tag2 = new Tag() .withKey("Purpose") .withValue("WebServices"); // Add the tags to a collection. ArrayList<Tag> tags = new ArrayList<Tag>(); tags.add(tag1); tags.add(tag2); // Create the request object. CreateCertificateAuthorityRequest req = new CreateCertificateAuthorityRequest(); req.withCertificateAuthorityConfiguration(configCA); req.withRevocationConfiguration(revokeConfig); req.withIdempotencyToken("1234"); req.withCertificateAuthorityType(caType); req.withTags(tags); // Create the private CA. CreateCertificateAuthorityResult result = null; try { result = client.createCertificateAuthority(req); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String arn = result.getCertificateAuthorityArn(); System.out.println(arn); } }
Emita un certificado con CustomAttribute
package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.MalformedCSRException; public class IssueCertificateWithCustomAttributes { private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create a certificate request: IssueCertificateRequest req = new IssueCertificateRequest(); // Set the CA ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account:" + "certificate-authority/12345678-1234-1234-1234-123456789012"); // Specify the certificate signing request (CSR) for the certificate to be signed and issued. String strCSR = "-----BEGIN CERTIFICATE REQUEST-----\n" + "base64-encoded CSR\n" + "-----END CERTIFICATE REQUEST-----\n"; ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR); req.setCsr(csrByteBuffer); // Specify the template for the issued certificate. req.withTemplateArn("arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1"); // Set the signing algorithm. req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(100L); validity.withType("DAYS"); req.withValidity(validity); // Set the idempotency token. req.setIdempotencyToken("1234"); // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.6") // Country .withValue("US"), new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("CommonName"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("ABCDEFG"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("BCDEFGH") ); // Define certificate subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Add subject to api-passthrough ApiPassthrough apiPassthrough = new ApiPassthrough(); apiPassthrough.setSubject(subject); req.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult result = null; try { result = client.issueCertificate(req); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String arn = result.getCertificateArn(); System.out.println(arn); } }
