0

我有一个根 CA 证书及其私钥(CAcert.pem 和 CApvtkey.key)。

根 CA 证书已在 AWS IoT 核心上注册。这将用于自签名和验证其他证书以进行身份​​验证。

我正在尝试使用 Java 创建由我的根 CA 证书签名的证书,但运气不佳。

AWS IoT Java SDK 提供了生成证书以及在 AWS 上注册/激活它们的功能,但我不知道如何使用我的根 CA 证书对其进行签名并激活它们。

我只有这个:

  //Previous code sets up thing name etc...

  CreateThingResult resp1 = client.createThing(thingRequest);

  CreateKeysAndCertificateRequest req = new CreateKeysAndCertificateRequest();
  req.setSetAsActive(true);
  CreateKeysAndCertificateResult resp2 = client.createKeysAndCertificate(req);

  client.attachThingPrincipal(new AttachThingPrincipalRequest().
            withPrincipal(resp2.getCertificateArn()).withThingName("Java-App_Thing"));

有人知道如何创建将由我的 CA 证书签名的证书吗?

4

2 回答 2

1

因此,AWS 上的文档非常模糊。我遇到过同样的问题。这是我修复它的方法。假设您使用 AWS IoT 注册了 CA,即使您为上传的 CA 启用自动注册,AWS IoT 也不会允许设备连接。证书将有几个用于 JiT(及时)注册的选项。

  1. 创建Lamba以在一定条件下激活设备;
  2. 列出 MQTT 上的事件以激活证书;
  3. 注册公钥。

AWS Docs https://docs.aws.amazon.com/iot/latest/developerguide/auto-register-device-cert.html中描述了选项 1 和 2

执行选项 3 的步骤:

  1. 注册事物
software.amazon.awssdk.services.iot.IotClient iotClient = IotClient.create()
//This allows AWS Credentials to be picked up using DefaultAWSCredentialsProviderChain
CreateThingRequest thingToBeCreated =
CreateThingRequest.builder().thingName("Unique Id of Device").build();
iotClient.createThing(thingToBeCreated);
  1. 注册并激活设备的公钥。
RegisterCertificateRequest registerCertificateRequest = RegisterCertificateRequest.builder()
.caCertificatePem("CA Pem as String")
.certificatePem("Device Public Key in Pem as String")
.setAsActive(true)
.build();
final RegisterCertificateResponse registerCertificateResponse = iotClient.registerCertificate(registerCertificateRequest);
  1. 将证书附加到事物上。
AttachThingPrincipalRequest attachThingPrincipalRequest = AttachThingPrincipalRequest.builder()
.thingName("Unique Id of Device")
.principal(registerCertificateResponse.certificateArn())
.build();
iotClient.attachThingPrincipal(attachThingPrincipalRequest);
  1. 可选,将策略附加到事物以便它可以连接。
AttachPolicyRequest attachPolicyRequest = AttachPolicyRequest.builder()
.policyName("policy_that_allow_device_connections")
.target(registerCertificateResponse.certificateArn())
.build();
iotClient.attachPolicy(attachPolicyRequest);
于 2020-10-06T16:30:40.920 回答
0

谢谢!!!以上步骤对我有用,代码需要以下依赖项,

<dependency>
    <groupId>software.amazon.awssdk</groupId>
    <artifactId>iot</artifactId>
    <version>2.17.121</version>
</dependency>

同样在这里,我为相同的过程使用了另一个库。步骤是,

  1. 在 AWS IoT 核心中使用验证证书注册 RootCA
  2. 创建事物并附加设备证书和策略以以编程方式连接

所以现在详细说明:

  1. 在 AWS IoT 核心中使用验证证书注册 RootCA

    按照链接 https://docs.aws.amazon.com/iot/latest/developerguide/register-CA-cert.html

  2. 创建事物并附加设备证书和策略以以编程方式连接

以下以编程方式执行该过程所需的步骤,

需要的依赖:

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-iot-device-sdk-java</artifactId>
    <version>1.3.9</version>
</dependency>

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-core</artifactId>
    <version>1.12.150</version>
</dependency>

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-iot</artifactId>
    <version>1.12.150</version>
</dependency>

AWS 配置类:

public class AwsConfig {

    @Bean
    public AWSIot getIotClient() {
        return AWSIotClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials("users_aws_access_key", "users_aws_secret_key")))
                .withRegion("users_aws_region").build();
    }   
}

服务等级:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import com.amazonaws.services.iot.model.AttachPolicyRequest;
import com.amazonaws.services.iot.model.AttachPolicyResult;
import com.amazonaws.services.iot.model.AttachThingPrincipalRequest;
import com.amazonaws.services.iot.model.AttachThingPrincipalResult;
import com.amazonaws.services.iot.model.CertificateStatus;
import com.amazonaws.services.iot.model.CreateThingRequest;
import com.amazonaws.services.iot.model.CreateThingResult;
import com.amazonaws.services.iot.model.DescribeThingRequest;
import com.amazonaws.services.iot.model.DescribeThingResult;
import com.amazonaws.services.iot.model.RegisterCertificateRequest;
import com.amazonaws.services.iot.model.RegisterCertificateResult;
import com.amazonaws.services.iot.model.ResourceNotFoundException;

@Service
public class RegisterService {

    @Autowired
    private AwsConfig iotClient;

    public String RegisterDevice() {

        // check if thing Already exists
        if (!describeThing("Unique Id of Device")) {

            // Thing Creation
            CreateThingResult response = iotClient.getIotClient()
                    .createThing(new CreateThingRequest().withThingName("Unique Id of Device/Thing"));

            // Register and activate the Public Key of the device
            RegisterCertificateResult registerCert = iotClient.getIotClient()
                    .registerCertificate(new RegisterCertificateRequest().withCaCertificatePem("CA Pem as String")
                            .withCertificatePem("Device Public Key in Pem as String").withStatus(CertificateStatus.ACTIVE));

            // Attach the Cert to the thing
            AttachThingPrincipalResult attachThingPrincipalResult = iotClient.getIotClient().attachThingPrincipal(
                    new AttachThingPrincipalRequest()
                        .withThingName("Unique Id of Device/Thing").withPrincipal(registerCert.getCertificateArn()));

            // Attach policies to the thing so it can connect
            AttachPolicyResult policyResult = iotClient.getIotClient()
                    .attachPolicy(new AttachPolicyRequest()
                        .withPolicyName("policy_that_allow_device_connections").withTarget(registerCert.getCertificateArn()));

            return "Thing Created Successfully";
        }   
        
        // Thing exists
        return "Thing Already Exists on IoT Console";
    }

    private boolean describeThing(String thingName) {
        if (thingName == null) {
            return false;
        }
        try {
            describeThingResponse(thingName);
            return true;
        } catch (ResourceNotFoundException e) {
            // e.printStackTrace();
            return false;
        }
    }

    private DescribeThingResult describeThingResponse(String thingName) {
        DescribeThingRequest describeThingRequest = new DescribeThingRequest();
        describeThingRequest.setThingName(thingName);
        return iotClient.getIotClient().describeThing(describeThingRequest);
    }
    
}
于 2022-02-09T20:35:40.850 回答