Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.
CustomAttributeObjek memungkinkan administrator untuk meneruskan pengidentifikasi objek kustom (OIDs) ke CAs privat dan sertifikat. Kustom OIDs dapat digunakan untuk membuat hierarki nama subjek khusus yang mencerminkan struktur dan kebutuhan organisasi Anda. Sertifikat yang disesuaikan harus dibuat menggunakan salah satu ApiPassthrough templat. Untuk informasi lebih lanjut tentang templat, lihat AWS Private CA varietas template. Untuk informasi selengkapnya tentang penggunaan atraksi khusus, lihat dan. Menerbitkan sertifikat entitas akhir pribadi Buat CA pribadi di AWS Private CA
Anda tidak dapat menggunakan StandardAttributes dalam hubungannya denganCustomAttributes. Namun, Anda dapat melewati standar OIDs sebagai bagian dari aCustomAttributes. Nama subjek default OIDs tercantum dalam tabel berikut:
| Nama subjek | ID Objek |
|---|---|
|
Negara |
2.5.4.6 |
|
CommonName |
2.5.4.3 |
|
DistinguishedNameQualifier |
2.5.4.46 |
|
GenerationQualifier |
2.5.4.44 |
|
GivenName |
2.5.4.42 |
|
Inisial |
2.5.4.43 |
|
Lokalitas |
2.5.4.7 |
|
Organisasi |
2.5.4.10 |
|
OrganizationalUnit |
2.5.4.11 |
|
Nama samaran |
2.5.4.65 |
|
SerialNumber |
2.5.4.5 |
|
Status |
2.5.4.8 |
|
Nama keluarga |
2.5.4.4 |
|
Judul |
2.5.4.12 |
Buat CA dengan CustomAttribute
package com.amazonaws.samples;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
public class CreateCertificateAuthorityWithCustomAttributes {
public static void main(String[] args) throws Exception {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
e);
}
// Define the endpoint for your sample.
String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2"
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
// Define custom attributes
List<CustomAttribute> customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.6") // Country
.withValue("US"),
new CustomAttribute()
.withObjectIdentifier("2.5.4.3") // CommonName
.withValue("CommonName"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("ABCDEFG"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("BCDEFGH")
);
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.RSA_2048);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA);
configCA.withSubject(subject);
// Define a certificate revocation list configuration.
CrlConfiguration crlConfigure = new CrlConfiguration();
crlConfigure.withEnabled(true);
crlConfigure.withExpirationInDays(365);
crlConfigure.withCustomCname(null);
crlConfigure.withS3BucketName("your-bucket-name");
RevocationConfiguration revokeConfig = new RevocationConfiguration();
revokeConfig.setCrlConfiguration(crlConfigure);
// Define a certificate authority type: ROOT or SUBORDINATE
CertificateAuthorityType caType = CertificateAuthorityType.SUBORDINATE;
// Create a tag - method 1
Tag tag1 = new Tag();
tag1.withKey("PrivateCA");
tag1.withValue("Sample");
// Create a tag - method 2
Tag tag2 = new Tag()
.withKey("Purpose")
.withValue("WebServices");
// Add the tags to a collection.
ArrayList<Tag> tags = new ArrayList<Tag>();
tags.add(tag1);
tags.add(tag2);
// Create the request object.
CreateCertificateAuthorityRequest req = new CreateCertificateAuthorityRequest();
req.withCertificateAuthorityConfiguration(configCA);
req.withRevocationConfiguration(revokeConfig);
req.withIdempotencyToken("1234");
req.withCertificateAuthorityType(caType);
req.withTags(tags);
// Create the private CA.
CreateCertificateAuthorityResult result = null;
try {
result = client.createCertificateAuthority(req);
} catch (InvalidArgsException ex) {
throw ex;
} catch (InvalidPolicyException ex) {
throw ex;
} catch (LimitExceededException ex) {
throw ex;
}
// Retrieve the ARN of the private CA.
String arn = result.getCertificateAuthorityArn();
System.out.println(arn);
}
}Menerbitkan sertifikat dengan CustomAttribute
package com.amazonaws.samples;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
public class IssueCertificateWithCustomAttributes {
private static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
public static void main(String[] args) throws Exception {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException("Cannot load your credentials from disk", e);
}
// Define the endpoint for your sample.
String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2"
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
// Create a certificate request:
IssueCertificateRequest req = new IssueCertificateRequest();
// Set the CA ARN.
req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account:" +
"certificate-authority/12345678-1234-1234-1234-123456789012");
// Specify the certificate signing request (CSR) for the certificate to be signed and issued.
String strCSR =
"-----BEGIN CERTIFICATE REQUEST-----\n" +
"base64-encoded CSR\n" +
"-----END CERTIFICATE REQUEST-----\n";
ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR);
req.setCsr(csrByteBuffer);
// Specify the template for the issued certificate.
req.withTemplateArn("arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1");
// Set the signing algorithm.
req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(100L);
validity.withType("DAYS");
req.withValidity(validity);
// Set the idempotency token.
req.setIdempotencyToken("1234");
// Define custom attributes
List<CustomAttribute> customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.6") // Country
.withValue("US"),
new CustomAttribute()
.withObjectIdentifier("2.5.4.3") // CommonName
.withValue("CommonName"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("ABCDEFG"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1") // CustomOID
.withValue("BCDEFGH")
);
// Define certificate subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Add subject to api-passthrough
ApiPassthrough apiPassthrough = new ApiPassthrough();
apiPassthrough.setSubject(subject);
req.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult result = null;
try {
result = client.issueCertificate(req);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String arn = result.getCertificateArn();
System.out.println(arn);
}
}