ACM 範例使用 AWS CLI - AWS Command Line Interface

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

ACM 範例使用 AWS CLI

下列程式碼範例說明如何使用 ACM 來執行動作和實作常見案例。 AWS Command Line Interface

Actions 是大型程式的程式碼摘錄,必須在內容中執行。雖然動作會告訴您如何呼叫個別服務函數,但您可以在其相關情境和跨服務範例中查看內容中的動作。

Scenarios (案例) 是向您展示如何呼叫相同服務中的多個函數來完成特定任務的程式碼範例。

每個範例都包含一個連結 GitHub,您可以在其中找到如何在內容中設定和執行程式碼的指示。

主題

動作

下列程式碼範例會示範如何使用add-tags-to-certificate

AWS CLI

若要將標籤新增至現有的 ACM 憑證

下列add-tags-to-certificate命令會將兩個標籤新增至指定的憑證。使用空格來分隔多個標籤:

aws acm add-tags-to-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012 --tags Key=Admin,Value=Alice Key=Purpose,Value=Website

下列程式碼範例會示範如何使用delete-certificate

AWS CLI

從您的帳戶刪除 ACM 憑證

下列delete-certificate命令會刪除具有指定 ARN 的憑證:

aws acm delete-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

下列程式碼範例會示範如何使用describe-certificate

AWS CLI

擷取 ACM 憑證中包含的欄位

下列describe-certificate命令會擷取具有指定 ARN 之憑證的所有欄位:

aws acm describe-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

會顯示類似下列內容的輸出:

{ "Certificate": { "CertificateArn": "arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012", "CreatedAt": 1446835267.0, "DomainName": "www.example.com", "DomainValidationOptions": [ { "DomainName": "www.example.com", "ValidationDomain": "www.example.com", "ValidationEmails": [ "hostmaster@example.com", "admin@example.com", "owner@example.com.whoisprivacyservice.org", "tech@example.com.whoisprivacyservice.org", "admin@example.com.whoisprivacyservice.org", "postmaster@example.com", "webmaster@example.com", "administrator@example.com" ] }, { "DomainName": "www.example.net", "ValidationDomain": "www.example.net", "ValidationEmails": [ "postmaster@example.net", "admin@example.net", "owner@example.net.whoisprivacyservice.org", "tech@example.net.whoisprivacyservice.org", "admin@example.net.whoisprivacyservice.org", "hostmaster@example.net", "administrator@example.net", "webmaster@example.net" ] } ], "InUseBy": [], "IssuedAt": 1446835815.0, "Issuer": "Amazon", "KeyAlgorithm": "RSA-2048", "NotAfter": 1478433600.0, "NotBefore": 1446768000.0, "Serial": "0f:ac:b0:a3:8d:ea:65:52:2d:7d:01:3a:39:36:db:d6", "SignatureAlgorithm": "SHA256WITHRSA", "Status": "ISSUED", "Subject": "CN=www.example.com", "SubjectAlternativeNames": [ "www.example.com", "www.example.net" ] } }

下列程式碼範例會示範如何使用export-certificate

AWS CLI

匯出私有 CA 發行的私有憑證。

下列export-certificate命令會將私人憑證、憑證鏈結和私密金鑰匯出至您的顯示器:

aws acm export-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012 --passphrase file://path-to-passphrase-file

若要將憑證、鏈結和私密金鑰匯出至本機檔案,請使用下列命令:

aws acm export-certificate --certificate-arn arn:aws:acm:region:sccount:certificate/12345678-1234-1234-1234-123456789012 --passphrase file://path-to-passphrase-file > c:\temp\export.txt

下列程式碼範例會示範如何使用get-certificate

AWS CLI

若要擷取 ACM 憑證

下列get-certificate命令會擷取指定 ARN 和憑證鏈結的憑證:

aws acm get-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

會顯示類似下列內容的輸出:

{ "Certificate": "-----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE-----", "CertificateChain": "-----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE-----", "-----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE-----", "-----BEGIN CERTIFICATE----- MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w0BAQUFADCBiDELMAkGA1UEBhMC VVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6 b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAd BgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wHhcNMTEwNDI1MjA0NTIxWhcN MTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYD VQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25z b2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFt YXpvbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ 21uUSfwfEvySWtC2XADZ4nB+BLYgVIk60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9T rDHudUZg3qX4waLG5M43q7Wgc/MbQITxOUSQv7c7ugFFDzQGBzZswY6786m86gpE Ibb3OhjZnzcvQAaRHhdlQWIMm2nrAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4 nUhVVxYUntneD9+h8Mg9q6q+auNKyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0Fkb FFBjvSfpJIlJ00zbhNYS5f6GuoEDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTb NYiytVbZPQUQ5Yaxu2jXnimvw3rrszlaEXAMPLE= -----END CERTIFICATE-----" }
  • 如需 API 詳細資訊,請參閱AWS CLI 命令參考GetCertificate中的。

下列程式碼範例會示範如何使用import-certificate

AWS CLI

將憑證匯入 ACM。

下列import-certificate命令會將憑證匯入 ACM。用您自己的文件名替換文件名:

aws acm import-certificate --certificate file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://PrivateKey.pem

下列程式碼範例會示範如何使用list-certificates

AWS CLI

列出帳戶的 ACM 憑證 AWS

下列list-certificates命令會列出您帳戶中憑證的 ARN:

aws acm list-certificates

上述命令會產生類似下列的輸出:

{ "CertificateSummaryList": [ { "CertificateArn": "arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012", "DomainName": "www.example.com" }, { "CertificateArn": "arn:aws:acm:region:account:certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "DomainName": "www.example.net" } ] }

您可以決定每次呼叫時要顯示多少憑證list-certificates。例如,如果您有四個憑證,而且想要一次顯示不超過兩個憑證,請將max-items引數設定為 2,如下列範例所示:

aws acm list-certificates --max-items 2

將顯示兩個憑證 ARN 和一個NextToken值:

"CertificateSummaryList": [ { "CertificateArn": "arn:aws:acm:region:account: \ certificate/12345678-1234-1234-1234-123456789012", "DomainName": "www.example.com" }, { "CertificateArn": "arn:aws:acm:region:account: \ certificate/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "DomainName": "www.example.net" } ], "NextToken": "9f4d9f69-275a-41fe-b58e-2b837bd9ba48"

若要在您的帳戶中顯示接下來的兩個憑證,請在下次通話中設定此NextToken值:

aws acm list-certificates --max-items 2 --next-token 9f4d9f69-275a-41fe-b58e-2b837bd9ba48

您可以使用certificate-statuses引數篩選輸出。下列命令會顯示具有「驗證」狀態的憑證:

aws acm list-certificates --certificate-statuses PENDING_VALIDATION

您也可以使用includes引數篩選輸出。下列命令會顯示根據下列內容篩選的憑證。要顯示的憑證:

- Specify that the RSA algorithm and a 2048 bit key are used to generate key pairs. - Contain a Key Usage extension that specifies that the certificates can be used to create digital signatures. - Contain an Extended Key Usage extension that specifies that the certificates can be used for code signing. aws acm list-certificates --max-items 10 --includes extendedKeyUsage=CODE_SIGNING,keyUsage=DIGITAL_SIGNATURE,keyTypes=RSA_2048
  • 如需 API 詳細資訊,請參閱AWS CLI 命令參考ListCertificates中的。

下列程式碼範例會示範如何使用list-tags-for-certificate

AWS CLI

列出套用至 ACM 憑證的標籤

下列list-tags-for-certificate命令會列出套用至您帳戶中憑證的標籤:

aws acm list-tags-for-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012

上述命令會產生類似下列的輸出:

{ "Tags": [ { "Value": "Website", "Key": "Purpose" }, { "Value": "Alice", "Key": "Admin" } ] }

下列程式碼範例會示範如何使用remove-tags-from-certificate

AWS CLI

若要從 ACM 憑證移除標籤

下列remove-tags-from-certificate命令會從指定的憑證移除兩個標籤。使用空格來分隔多個標籤:

aws acm remove-tags-from-certificate --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012 --tags Key=Admin,Value=Alice Key=Purpose,Value=Website

下列程式碼範例會示範如何使用request-certificate

AWS CLI

要求新的 ACM 憑證

下列request-certificate命令會使用 DNS 驗證為 www.example.com 網域要求新憑證:

aws acm request-certificate --domain-name www.example.com --validation-method DNS

您可以輸入冪等權杖來區分呼叫:request-certificate

aws acm request-certificate --domain-name www.example.com --validation-method DNS --idempotency-token 91adc45q

您可以輸入一或多個主體替代名稱來要求保護多個頂點網域的憑證:

aws acm request-certificate --domain-name example.com --validation-method DNS --idempotency-token 91adc45q --subject-alternative-names www.example.net

您可以輸入替代名稱,該名稱也可以用來訪問您的網站:

aws acm request-certificate --domain-name example.com --validation-method DNS --idempotency-token 91adc45q --subject-alternative-names www.example.com

您可以使用星號 (*) 作為萬用字元,為相同網域中的多個子網域建立憑證:

aws acm request-certificate --domain-name example.com --validation-method DNS --idempotency-token 91adc45q --subject-alternative-names *.example.com

您也可以輸入多個替代名稱:

aws acm request-certificate --domain-name example.com --validation-method DNS --subject-alternative-names b.example.com c.example.com d.example.com

如果您使用電子郵件進行驗證,則可以輸入網域驗證選項,以指定要傳送驗證電子郵件的網域:

aws acm request-certificate --domain-name example.com --validation-method EMAIL --subject-alternative-names www.example.com --domain-validation-options DomainName=example.com,ValidationDomain=example.com

當您要求新的憑證時,下列命令會選擇退出憑證透明度記錄:

aws acm request-certificate --domain-name www.example.com --validation-method DNS --options CertificateTransparencyLoggingPreference=DISABLED --idempotency-token 184627

下列程式碼範例會示範如何使用resend-validation-email

AWS CLI

重新傳送 ACM 憑證要求的驗證電子郵件

下列resend-validation-email命令告訴 Amazon 憑證授權單位將驗證電子郵件傳送到適當的地址:

aws acm resend-validation-email --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012 --domain www.example.com --validation-domain example.com

下列程式碼範例會示範如何使用update-certificate-options

AWS CLI

更新憑證選項

下列update-certificate-options命令選擇退出憑證透明度記錄:

aws acm update-certificate-options --certificate-arn arn:aws:acm:region:account:certificate/12345678-1234-1234-1234-123456789012 --options CertificateTransparencyLoggingPreference=DISABLED