Create CAs and certificates with custom subject names
The CustomAttribute object
allows administrators to pass custom object identifiers (OIDs) to private CAs and
certificates. Custom OIDs can be used to create specialized subject-name hierarchies that
reflect the structure and needs of your organization. Customized certificates must be
created using one of the ApiPassthrough templates. For more information about
templates, see Template varieties. For
more information about using custom attrributes, see Issuing private end-entity certificates and Procedure for creating a CA (CLI) .
You cannot use StandardAttributes in conjunction with
CustomAttributes. However, you can pass standard OIDs as part of a
CustomAttributes. The default subject name OIDs are listed in the following
table:
| Subject name | Object ID |
|---|---|
|
Country |
2.5.4.6 |
|
CommonName |
2.5.4.3 |
|
DistinguishedNameQualifier |
2.5.4.46 |
|
GenerationQualifier |
2.5.4.44 |
|
GivenName |
2.5.4.42 |
|
Initials |
2.5.4.43 |
|
Locality |
2.5.4.7 |
|
Organization |
2.5.4.10 |
|
OrganizationalUnit |
2.5.4.11 |
|
Pseudonym |
2.5.4.65 |
|
SerialNumber |
2.5.4.5 |
|
State |
2.5.4.8 |
|
Surname |
2.5.4.4 |
|
Title |
2.5.4.12 |
Create CA with CustomAttribute
package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Tag; import java.util.ArrayList; import java.util.Arrays; import java.util.List; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.RevocationConfiguration; public class CreateCertificateAuthorityWithCustomAttributes { public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } // Define the endpoint for your sample. String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.6") // Country .withValue("US"), new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("CommonName"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("ABCDEFG"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("BCDEFGH") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.RSA_2048); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA); configCA.withSubject(subject); // Define a certificate revocation list configuration. CrlConfiguration crlConfigure = new CrlConfiguration(); crlConfigure.withEnabled(true); crlConfigure.withExpirationInDays(365); crlConfigure.withCustomCname(null); crlConfigure.withS3BucketName("your-bucket-name"); RevocationConfiguration revokeConfig = new RevocationConfiguration(); revokeConfig.setCrlConfiguration(crlConfigure); // Define a certificate authority type: ROOT or SUBORDINATE CertificateAuthorityType caType = CertificateAuthorityType.SUBORDINATE; // Create a tag - method 1 Tag tag1 = new Tag(); tag1.withKey("PrivateCA"); tag1.withValue("Sample"); // Create a tag - method 2 Tag tag2 = new Tag() .withKey("Purpose") .withValue("WebServices"); // Add the tags to a collection. ArrayList<Tag> tags = new ArrayList<Tag>(); tags.add(tag1); tags.add(tag2); // Create the request object. CreateCertificateAuthorityRequest req = new CreateCertificateAuthorityRequest(); req.withCertificateAuthorityConfiguration(configCA); req.withRevocationConfiguration(revokeConfig); req.withIdempotencyToken("1234"); req.withCertificateAuthorityType(caType); req.withTags(tags); // Create the private CA. CreateCertificateAuthorityResult result = null; try { result = client.createCertificateAuthority(req); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String arn = result.getCertificateAuthorityArn(); System.out.println(arn); } }
Issue a certificate with CustomAttribute
package com.amazonaws.samples; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.MalformedCSRException; public class IssueCertificateWithCustomAttributes { private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointRegion = "us-west-2"; // Substitute your region here, e.g. "us-west-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create a certificate request: IssueCertificateRequest req = new IssueCertificateRequest(); // Set the CA ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:account:" + "certificate-authority/12345678-1234-1234-1234-123456789012"); // Specify the certificate signing request (CSR) for the certificate to be signed and issued. String strCSR = "-----BEGIN CERTIFICATE REQUEST-----\n" + "base64-encoded CSR\n" + "-----END CERTIFICATE REQUEST-----\n"; ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR); req.setCsr(csrByteBuffer); // Specify the template for the issued certificate. req.withTemplateArn("arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1"); // Set the signing algorithm. req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(100L); validity.withType("DAYS"); req.withValidity(validity); // Set the idempotency token. req.setIdempotencyToken("1234"); // Define custom attributes List<CustomAttribute> customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.6") // Country .withValue("US"), new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("CommonName"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("ABCDEFG"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1") // CustomOID .withValue("BCDEFGH") ); // Define certificate subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Add subject to api-passthrough ApiPassthrough apiPassthrough = new ApiPassthrough(); apiPassthrough.setSubject(subject); req.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult result = null; try { result = client.issueCertificate(req); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String arn = result.getCertificateArn(); System.out.println(arn); } }
