本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
列出私有憑證
若要列出私有憑證,請產生稽核報告、從 S3 儲存貯體擷取該憑證,然後視需要剖析報告內容。如需有關建立AWS 私有 CA稽核報告的資訊,請參閱將稽核報告與您的私有 CA 搭配使用。如需從 S3 儲存貯體擷取物件的相關資訊,請參閱 Amazon 簡單儲存服務使用者指南中的下載物件。
下列範例說明建立稽核報告及剖析這些報表以取得有用資料的方法。結果以 JSON 格式化,並使用類似 sed 的解析器 jq
1. 建立稽核報告。
下列指令會產生指定 CA 的稽核報告。
$
aws acm-pca create-certificate-authority-audit-report \ --region
region
\ --certificate-authority-arn arn:aws
:acm-pca:us-east-1
:111122223333
:certificate-authority/11223344-1234-1122-2233-112233445566
\ --s3-bucket-namebucket_name
\ --audit-report-response-format JSON
成功時,命令會傳回新稽核報告的 ID 和位置。
{
"AuditReportId":"audit_report_ID
",
"S3Key":"audit-report/CA_ID
/audit_report_ID.json
"
}
2. 擷取稽核報告並格式化。
此命令會擷取稽核報告,在標準輸出中顯示其內容,並篩選結果以僅顯示在 2020-12-01 或之後發行的憑證。
$
aws s3api get-object \ --region
region
\ --bucketbucket_name
\ --key audit-report/CA_ID
/audit_report_ID.json
\ /dev/stdout | jq '.[] | select(.issuedAt >= "2020-12-01")'
退回的項目如下所示:
{
"awsAccountId":"account
",
"certificateArn":"arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial":"serial_number
",
"subject":"CN=pca.alpha.root2.leaf5",
"notBefore":"2020-12-21T21:28:09+0000",
"notAfter":"9999-12-31T23:59:59+0000",
"issuedAt":"2020-12-21T22:28:09+0000",
"templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
3. 在本機儲存稽核報告。
如果要執行多個查詢,可以方便地將稽核報告儲存至本端檔案。
$
aws s3api get-object \ --region
region
\ --bucketbucket_name
\ --key audit-report/CA_ID
/audit_report_ID.json
>my_local_audit_report.json
與以前相同的過濾器產生相同的輸出:
$
cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-12-01")'
{
"awsAccountId":"account
",
"certificateArn":"arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial":"serial_number
",
"subject":"CN=pca.alpha.root2.leaf5",
"notBefore":"2020-12-21T21:28:09+0000",
"notAfter":"9999-12-31T23:59:59+0000",
"issuedAt":"2020-12-21T22:28:09+0000",
"templateArn":"arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
4. 在日期範圍內查詢
您可以查詢日期範圍內發行的憑證,如下所示:
$
cat my_local_audit_report.json | jq '.[] | select(.issuedAt >= "2020-11-01" and .issuedAt <= "2020-11-10")'
篩選的內容會顯示在標準輸出中:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf1",
"notBefore": "2020-11-06T19:18:21+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:18:22+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.rsa2048sha256",
"notBefore": "2020-11-06T19:15:46+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:15:46+0000",
"templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf2",
"notBefore": "2020-11-06T20:04:39+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T21:04:39+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
5. 依照指定的範本搜尋憑證。
下列命令會使用範本 ARN 篩選報告內容:
$
cat my_local_audit_report.json | jq '.[] | select(.templateArn == "arn:aws:acm-pca:::template/RootCACertificate/V1")'
輸出會顯示相符的憑證記錄:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.rsa2048sha256",
"notBefore": "2020-11-06T19:15:46+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:15:46+0000",
"templateArn": "arn:aws:acm-pca:::template/RootCACertificate/V1"
}
6. 篩選已撤銷的憑證
若要尋找所有已撤銷的憑證,請使用下列命令:
$
cat my_local_audit_report.json | jq '.[] | select(.revokedAt != null)'
已撤銷的憑證會顯示如下:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf2",
"notBefore": "2020-11-06T20:04:39+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T21:04:39+0000",
"revokedAt": "2021-05-27T18:57:32+0000",
"revocationReason": "UNSPECIFIED",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
7. 使用規則運算式篩選。
下列命令會搜尋包含「leaf」字串的主旨名稱:
$
cat my_local_audit_report.json | jq '.[] | select(.subject|test("leaf"))'
相符的憑證記錄會傳回如下:
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.roo2.leaf4",
"notBefore": "2020-11-16T18:17:10+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-16T19:17:12+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf5",
"notBefore": "2020-12-21T21:28:09+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-12-21T22:28:09+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}
{
"awsAccountId": "account
",
"certificateArn": "arn:aws:acm-pca:region
:account
:certificate-authority/CA_ID
/certificate/certificate_ID
",
"serial": "serial_number
",
"subject": "CN=pca.alpha.root2.leaf1",
"notBefore": "2020-11-06T19:18:21+0000",
"notAfter": "9999-12-31T23:59:59+0000",
"issuedAt": "2020-11-06T20:18:22+0000",
"templateArn": "arn:aws:acm-pca:::template/EndEntityCertificate/V1"
}