Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés. # Se utiliza Autoridad de certificación privada de AWS para implementar los certificados Matter Puede usar la AWS Private Certificate Authority API para crear certificados que cumplan con el estándar de [conectividad Matter](https://github.com/project-chip/connectedhomeip). Matter especifica las configuraciones de certificados que mejoran la seguridad y la coherencia de los dispositivos de Internet de las cosas (IoT) en múltiples plataformas de ingeniería. Para obtener más información de Matter, consulte [buildwithmatter.com](https://buildwithmatter.com). Matter 1.2, publicado en octubre de 2023, admite la revocación del DAC mediante listas de revocación de certificados (). CRLs Para ayudarlo a cumplir con el estándar Matter actual, al habilitar la revocación de la CRL para CAs esa emisión de certificados Matter, en el `CrlConfiguration` objeto, en la estructura, establecido en. `CrlDistributionPointExtensionConfiguration` `OmitExtension` `true` Por lo general, CAs incrusta el punto de distribución de la CRL (CDP) en los certificados que emiten para que las partes que confían en ellos y realizan la validación de la cadena de certificados puedan obtener la CRL y comprobar el estado del certificado. En Matter, el URI del CDP no se escribe en los certificados. En su lugar, los usuarios lo consultan CDPs en Matter Distributed Compliance Ledger (DCL), el almacén de datos de Matter de confianza. Debe cargar el URI del CDP en la DCL de Matter para poder detectarlo durante la validación. DACs Para obtener más información sobre cómo determinar el URI del CDP, consulte. [Determinación del URI del punto de distribución (CDP) de la CRL](crl-planning.md#crl-url) Para obtener más información sobre Matter, consulte la [página de inicio estándar de Matter](https://csa-iot.org/all-solutions/matter/). **Topics** + [Activar una autoridad de certificación de productos (PAA)](JavaApiCBC-ProductAttestationAuthorityActivation.md) + [Activar un intermedio de certificación de producto (PAI)](JavaApiCBC-ProductAttestationIntermediateActivation.md) + [Crear un certificado de atestación de dispositivos (DAC)](JavaApiCBC-DeviceAttestationCertificate.md) + [Active una CA raíz para los certificados operativos de nodo (NOC).](JavaApiCBC-ActivateRootCA.md) + [Activar una CA subordinada para los certificados operativos de nodo (NOC)](JavaApiCBC-IntermediateCAActivation.md) + [Crear un certificado operativo de nodo (NOC)](JavaApiCBC-NodeOperatingCertificate.md) # Activar una autoridad de certificación de productos (PAA) En este ejemplo de Java se muestra cómo utilizar la [Definición de Root CACertificate APIPassthrough \$1/V1](template-definitions.md#RootCACertificate_APIPassthrough) plantilla para crear e instalar un certificado [Matter](https://buildwithmatter.com) Root CA (PAA) para la certificación de productos. La extensión AuthorityKeyIdentifier (AKI) es opcional para. PAAs Para configurar una AKI, debe generar un valor de AKI codificado en Base64 y pasarlo por un. CustomExtension El ejemplo llama a las siguientes acciones de API: Autoridad de certificación privada de AWS + [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) + [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html) + [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) + [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html) + [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html) Si tiene problemas, consulte [Solucione los errores de los AWS Private CA certificados compatibles con MatterErrores de certificados compatibles con Matter](TroubleshootPcaMatter.md) en la sección Resolución de problemas. ``` package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.samples.GetCertificateAuthorityCertificate; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Tag; import java.io.ByteArrayInputStream; import java.io.InputStreamReader; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult; import com.amazonaws.services.acmpca.model.GetCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateResult; import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.services.acmpca.model.RevocationConfiguration; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.CertificateMismatchException; import com.amazonaws.services.acmpca.model.ConcurrentModificationException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.MalformedCertificateException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import com.amazonaws.services.acmpca.model.RequestFailedException; import com.amazonaws.services.acmpca.model.RequestInProgressException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.AWSACMPCAException; import com.amazonaws.waiters.Waiter; import com.amazonaws.waiters.WaiterParameters; import com.amazonaws.waiters.WaiterTimedOutException; import com.amazonaws.waiters.WaiterUnrecoverableException; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.util.io.pem.PemReader; import lombok.SneakyThrows; public class ProductAttestationAuthorityActivation { public static void main(String[] args) throws Exception { // Define the endpoint region for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" // Define custom attributes List customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("Matter Test PAA"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID .withValue("FFF1") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); configCA.withSubject(subject); // Define a CRL distribution point extension configuration CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration(); CDPConfigure.withOmitExtension(true); // Define a certificate revocation list configuration. CrlConfiguration crlConfigure = new CrlConfiguration(); crlConfigure.withEnabled(true); crlConfigure.withExpirationInDays(365); crlConfigure.withCustomCname(null); crlConfigure.withS3BucketName("your-bucket-name"); crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL"); crlConfigure.withCrlDistributionPointExtensionConfiguration(CDPConfigure); // Define a certificate authority type CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT; // ** Execute core code samples for Root CA activation in sequence ** AWSACMPCA client = ClientBuilder(endpointRegion); String rootCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client); String csr = GetCertificateAuthorityCsr(rootCAArn, client); String rootCertificateArn = IssueCertificate(rootCAArn, csr, client); String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client); ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client); } private static AWSACMPCA ClientBuilder(String endpointRegion) { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); return client; } private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) { RevocationConfiguration revokeConfig = new RevocationConfiguration(); revokeConfig.setCrlConfiguration(crlConfigure); // Create the request object. CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest(); createCARequest.withCertificateAuthorityConfiguration(configCA); createCARequest.withIdempotencyToken("123987"); createCARequest.withCertificateAuthorityType(CAtype); createCARequest.withRevocationConfiguration(revokeConfig); // Create the private CA. CreateCertificateAuthorityResult createCAResult = null; try { createCAResult = client.createCertificateAuthority(createCARequest); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String rootCAArn = createCAResult.getCertificateAuthorityArn(); System.out.println("Product Attestation Authority (PAA) Arn: " + rootCAArn); return rootCAArn; } private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) { // Create the CSR request object and set the CA ARN. GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest(); csrRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the CSR file. Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated(); try { getCSRWaiter.run(new WaiterParameters<>(csrRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the CSR. GetCertificateAuthorityCsrResult csrResult = null; try { csrResult = client.getCertificateAuthorityCsr(csrRequest); } catch (RequestInProgressException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } // Retrieve and display the CSR; String csr = csrResult.getCsr(); System.out.println(csr); return csr; } @SneakyThrows private static String generateAuthorityKeyIdentifier(final String csrPEM) { PKCS10CertificationRequest csr = getPKCS10CertificationRequest(csrPEM); SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo(); JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); byte[] akiBytes = extensionUtils.createAuthorityKeyIdentifier(spki).getEncoded(); return Base64.getEncoder().encodeToString(akiBytes); } @SneakyThrows private static PKCS10CertificationRequest getPKCS10CertificationRequest(final String csrPEM) { ByteArrayInputStream bais = new ByteArrayInputStream(csrPEM.getBytes()); PemReader pemReader = new PemReader(new InputStreamReader(bais)); PEMParser parser = new PEMParser(pemReader); Object o = parser.readObject(); if (o instanceof PKCS10CertificationRequest) { return (PKCS10CertificationRequest) o; } return null; } private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) { // Create a certificate request: IssueCertificateRequest issueRequest = new IssueCertificateRequest(); // Set the CA ARN. issueRequest.withCertificateAuthorityArn(rootCAArn); // Set the template ARN. issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1"); ByteBuffer csrByteBuffer = stringToByteBuffer(csr); issueRequest.setCsr(csrByteBuffer); // Set the signing algorithm. issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(3650L); validity.withType("DAYS"); issueRequest.withValidity(validity); // Set the idempotency token. issueRequest.setIdempotencyToken("1234"); // Generate Base64 encoded extension value for AuthorityKeyIdentifier String base64EncodedExtValue = generateAuthorityKeyIdentifier(csr); // Generate custom extension CustomExtension customExtension = new CustomExtension(); customExtension.setObjectIdentifier("2.5.29.35"); // AuthorityKeyIdentifier Extension OID customExtension.setValue(base64EncodedExtValue); // Add custom extension to api-passthrough ApiPassthrough apiPassthrough = new ApiPassthrough(); Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customExtension)); apiPassthrough.setExtensions(extensions); issueRequest.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult issueResult = null; try { issueResult = client.issueCertificate(issueRequest); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String rootCertificateArn = issueResult.getCertificateArn(); System.out.println("Product Attestation Authority (PAA) Certificate Arn: " + rootCertificateArn); return rootCertificateArn; } private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) { // Create a request object. GetCertificateRequest certificateRequest = new GetCertificateRequest(); // Set the certificate ARN. certificateRequest.withCertificateArn(rootCertificateArn); // Set the certificate authority ARN. certificateRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the certificate file. Waiter getCertificateWaiter = client.waiters().certificateIssued(); try { getCertificateWaiter.run(new WaiterParameters<>(certificateRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the certificate and certificate chain. GetCertificateResult certificateResult = null; try { certificateResult = client.getCertificate(certificateRequest); } catch (RequestInProgressException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } // Get the certificate and certificate chain and display the result. String rootCertificate = certificateResult.getCertificate(); System.out.println(rootCertificate); return rootCertificate; } private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) { // Create the request object and set the signed certificate, chain and CA ARN. ImportCertificateAuthorityCertificateRequest importRequest = new ImportCertificateAuthorityCertificateRequest(); ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate); importRequest.setCertificate(certByteBuffer); importRequest.setCertificateChain(null); // Set the certificate authority ARN. importRequest.withCertificateAuthorityArn(rootCAArn); // Import the certificate. try { client.importCertificateAuthorityCertificate(importRequest); } catch (CertificateMismatchException ex) { throw ex; } catch (MalformedCertificateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (RequestInProgressException ex) { throw ex; } catch (ConcurrentModificationException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } System.out.println("Product Attestation Authority (PAA) certificate successfully imported."); System.out.println("Product Attestation Authority (PAA) activated successfully."); } private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } } ``` # Activar un intermedio de certificación de producto (PAI) En este ejemplo de Java se muestra cómo utilizar la [BlankSubordinateCACertificate\$1PathLen0\$1APIPassthrough/V1definición](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough) plantilla para crear e instalar un certificado de CA (PAI) de [Matter](https://buildwithmatter.com) Subordinate para la certificación de productos. Debe generar un KeyUsage valor codificado en Base64 y pasarlo por un. CustomExtension El ejemplo llama a las siguientes acciones de API: Autoridad de certificación privada de AWS + [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) + [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html) + [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) + [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html) + [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html) + [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html) Si tiene problemas, consulte [Solucione los errores de los AWS Private CA certificados compatibles con MatterErrores de certificados compatibles con Matter](TroubleshootPcaMatter.md) en la sección Resolución de problemas. ``` package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.RevocationConfiguration; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.jce.X509KeyUsage; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult; import com.amazonaws.services.acmpca.model.GetCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateResult; import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.CertificateMismatchException; import com.amazonaws.services.acmpca.model.ConcurrentModificationException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.MalformedCertificateException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import com.amazonaws.services.acmpca.model.RequestFailedException; import com.amazonaws.services.acmpca.model.RequestInProgressException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.AWSACMPCAException; import com.amazonaws.waiters.Waiter; import com.amazonaws.waiters.WaiterParameters; import com.amazonaws.waiters.WaiterTimedOutException; import com.amazonaws.waiters.WaiterUnrecoverableException; import lombok.SneakyThrows; public class ProductAttestationIntermediateActivation { public static void main(String[] args) throws Exception { // Place your own Root CA ARN here. String paaArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"; // Define the endpoint region for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" // Define custom attributes List customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.3") // CommonName .withValue("Matter Test PAI"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID .withValue("FFF1"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.2") // Product ID .withValue("8000") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); configCA.withSubject(subject); // Define a CRL distribution point extension configuration CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration(); CDPConfigure.withOmitExtension(true); // Define a certificate revocation list configuration. CrlConfiguration crlConfigure = new CrlConfiguration(); crlConfigure.withEnabled(true); crlConfigure.withExpirationInDays(365); crlConfigure.withCustomCname(null); crlConfigure.withS3BucketName("your-bucket-name"); crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL"); crlConfigure.withCrlDistributionPointConfiguration(CDPConfigure); // Define a certificate authority type CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE; // ** Execute core code samples for Subordinate CA activation in sequence ** AWSACMPCA client = ClientBuilder(endpointRegion); String rootCertificate = GetCertificateAuthorityCertificate(paaArn, client); String subordinateCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client); String csr = GetCertificateAuthorityCsr(subordinateCAArn, client); String subordinateCertificateArn = IssueCertificate(paaArn, csr, client); String subordinateCertificate = GetCertificate(subordinateCertificateArn, paaArn, client); ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client); } private static AWSACMPCA ClientBuilder(String endpointRegion) { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); return client; } private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) { // ** GetCertificateAuthorityCertificate ** // Create a request object and set the certificate authority ARN, GetCertificateAuthorityCertificateRequest getCACertificateRequest = new GetCertificateAuthorityCertificateRequest(); getCACertificateRequest.withCertificateAuthorityArn(rootCAArn); // Create a result object. GetCertificateAuthorityCertificateResult getCACertificateResult = null; try { getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest); } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } // Retrieve and display the certificate information. String rootCertificate = getCACertificateResult.getCertificate(); System.out.println("Product Attestation Authority (PAA) Certificate / Certificate Chain:"); System.out.println(rootCertificate); return rootCertificate; } private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) { RevocationConfiguration revokeConfig = new RevocationConfiguration(); revokeConfig.setCrlConfiguration(crlConfigure); // Create the request object. CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest(); createCARequest.withCertificateAuthorityConfiguration(configCA); createCARequest.withIdempotencyToken("123987"); createCARequest.withCertificateAuthorityType(CAtype); createCARequest.withRevocationConfiguration(revokeConfig); // Create the private CA. CreateCertificateAuthorityResult createCAResult = null; try { createCAResult = client.createCertificateAuthority(createCARequest); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String subordinateCAArn = createCAResult.getCertificateAuthorityArn(); System.out.println("Product Attestation Intermediate (PAI) Arn: " + subordinateCAArn); return subordinateCAArn; } private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) { // Create the CSR request object and set the CA ARN. GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest(); csrRequest.withCertificateAuthorityArn(subordinateCAArn); // Create waiter to wait on successful creation of the CSR file. Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated(); try { getCSRWaiter.run(new WaiterParameters<>(csrRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch(AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the CSR. GetCertificateAuthorityCsrResult csrResult = null; try { csrResult = client.getCertificateAuthorityCsr(csrRequest); } catch (RequestInProgressException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } // Retrieve and display the CSR; String csr = csrResult.getCsr(); System.out.println("Subordinate CSR:"); System.out.println(csr); return csr; } private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) { // Create a certificate request: IssueCertificateRequest issueRequest = new IssueCertificateRequest(); // Set the issuing CA ARN. issueRequest.withCertificateAuthorityArn(rootCAArn); // Set the template ARN. issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1"); ByteBuffer csrByteBuffer = stringToByteBuffer(csr); issueRequest.setCsr(csrByteBuffer); // Set the signing algorithm. issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(730L); // Approximately two years validity.withType("DAYS"); issueRequest.withValidity(validity); // Set the idempotency token. issueRequest.setIdempotencyToken("1234"); ApiPassthrough apiPassthrough = new ApiPassthrough(); // Generate Base64 encoded extension value for ExtendedKeyUsage String base64EncodedKUValue = generateKeyUsageValue(); // Generate custom extension CustomExtension customKeyUsageExtension = new CustomExtension(); customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); customKeyUsageExtension.setValue(base64EncodedKUValue); customKeyUsageExtension.setCritical(true); // Set KeyUsage extension to api passthrough Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension)); apiPassthrough.setExtensions(extensions); issueRequest.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult issueResult = null; try { issueResult = client.issueCertificate(issueRequest); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String subordinateCertificateArn = issueResult.getCertificateArn(); System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn); return subordinateCertificateArn; } @SneakyThrows private static String generateKeyUsageValue() { KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); byte[] kuBytes = keyUsage.getEncoded(); return Base64.getEncoder().encodeToString(kuBytes); } private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) { // Create a request object. GetCertificateRequest certificateRequest = new GetCertificateRequest(); // Set the certificate ARN. certificateRequest.withCertificateArn(subordinateCertificateArn); // Set the certificate authority ARN. certificateRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the certificate file. Waiter getCertificateWaiter = client.waiters().certificateIssued(); try { getCertificateWaiter.run(new WaiterParameters<>(certificateRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the certificate and certificate chain. GetCertificateResult certificateResult = null; try { certificateResult = client.getCertificate(certificateRequest); } catch (RequestInProgressException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } // Get the certificate and certificate chain and display the result. String subordinateCertificate = certificateResult.getCertificate(); System.out.println("Subordinate CA Certificate:"); System.out.println(subordinateCertificate); return subordinateCertificate; } private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) { // Create the request object and set the signed certificate, chain and CA ARN. ImportCertificateAuthorityCertificateRequest importRequest = new ImportCertificateAuthorityCertificateRequest(); ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate); importRequest.setCertificate(certByteBuffer); ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate); importRequest.setCertificateChain(rootCACertByteBuffer); // Set the certificate authority ARN. importRequest.withCertificateAuthorityArn(subordinateCAArn); // Import the certificate. try { client.importCertificateAuthorityCertificate(importRequest); } catch (CertificateMismatchException ex) { throw ex; } catch (MalformedCertificateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (RequestInProgressException ex) { throw ex; } catch (ConcurrentModificationException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } System.out.println("Product Attestation Intermediate (PAI) certificate successfully imported."); System.out.println("Product Attestation Intermediate (PAI) activated successfully."); } private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } } ``` # Crear un certificado de atestación de dispositivos (DAC) En este ejemplo de Java se muestra cómo utilizar la plantilla [BlankEndEntityCertificate\$1 CriticalBasicConstraints \$1 APIPassthrough /V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough) para crear un certificado de atestación de dispositivos de [Matter](https://buildwithmatter.com). Debe generar un KeyUsage valor codificado en Base64 y pasarlo por un. CustomExtension El ejemplo llama a la siguiente acción de API: Autoridad de certificación privada de AWS + [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) Si tiene problemas, consulte [Solucione los errores de los AWS Private CA certificados compatibles con MatterErrores de certificados compatibles con Matter](TroubleshootPcaMatter.md) en la sección Resolución de problemas. ``` package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.jce.X509KeyUsage; import lombok.SneakyThrows; public class IssueDeviceAttestationCertificate { public static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } @SneakyThrows private static String generateKeyUsageValue() { KeyUsage keyUsage = new KeyUsage(X509KeyUsage.digitalSignature); byte[] kuBytes = keyUsage.getEncoded(); return Base64.getEncoder().encodeToString(kuBytes); } public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create a certificate request: IssueCertificateRequest req = new IssueCertificateRequest(); // Set the CA ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"); // Specify the certificate signing request (CSR) for the certificate to be signed and issued. String strCSR = "-----BEGIN CERTIFICATE REQUEST-----\n" + "base64-encoded certificate\n" + "-----END CERTIFICATE REQUEST-----\n"; ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR); req.setCsr(csrByteBuffer); // Specify the template for the issued certificate. req.withTemplateArn("arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1"); // Set the signing algorithm. req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(10L); validity.withType("DAYS"); req.withValidity(validity); // Set the idempotency token. req.setIdempotencyToken("1234"); // Define custom attributes List customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("2.5.4.3") .withValue("Matter Test DAC 0001"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.1") .withValue("FFF1"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.2.2") .withValue("8000") ); // Define a cert subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); ApiPassthrough apiPassthrough = new ApiPassthrough(); apiPassthrough.setSubject(subject); // Generate Base64 encoded extension value for ExtendedKeyUsage String base64EncodedKUValue = generateKeyUsageValue(); // Generate custom extension CustomExtension customKeyUsageExtension = new CustomExtension(); customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); // KeyUsage Extension OID customKeyUsageExtension.setValue(base64EncodedKUValue); customKeyUsageExtension.setCritical(true); Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension)); apiPassthrough.setExtensions(extensions); req.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult result = null; try { result = client.issueCertificate(req); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String arn = result.getCertificateArn(); System.out.println(arn); } } ``` # Active una CA raíz para los certificados operativos de nodo (NOC). Este ejemplo de Java muestra cómo usar la [Definición de Root CACertificate APIPassthrough \$1/V1](template-definitions.md#RootCACertificate_APIPassthrough) plantilla para crear e instalar un certificado de CA [Matter](https://buildwithmatter.com) Root para emitirlo NOCs. La extensión AuthorityKeyIdentifier (AKI) es opcional para los certificados NOC Root CA. Para configurar una AKI, debe generar un valor de AKI codificado en Base64 y pasarlo por una. CustomExtension El ejemplo llama a las siguientes acciones de API: Autoridad de certificación privada de AWS + [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) + [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html) + [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) + [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html) + [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html) Si tiene problemas, consulte [Solucione los errores de los AWS Private CA certificados compatibles con MatterErrores de certificados compatibles con Matter](TroubleshootPcaMatter.md) en la sección Resolución de problemas. ``` package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.samples.GetCertificateAuthorityCertificate; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CrlConfiguration; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Tag; import java.io.ByteArrayInputStream; import java.io.InputStreamReader; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult; import com.amazonaws.services.acmpca.model.GetCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateResult; import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.CertificateMismatchException; import com.amazonaws.services.acmpca.model.ConcurrentModificationException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.MalformedCertificateException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import com.amazonaws.services.acmpca.model.RequestFailedException; import com.amazonaws.services.acmpca.model.RequestInProgressException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.RevocationConfiguration; import com.amazonaws.services.acmpca.model.AWSACMPCAException; import com.amazonaws.waiters.Waiter; import com.amazonaws.waiters.WaiterParameters; import com.amazonaws.waiters.WaiterTimedOutException; import com.amazonaws.waiters.WaiterUnrecoverableException; import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils; import org.bouncycastle.openssl.PEMParser; import org.bouncycastle.pkcs.PKCS10CertificationRequest; import org.bouncycastle.util.io.pem.PemReader; import lombok.SneakyThrows; public class RootCAActivation { public static void main(String[] args) throws Exception { // Define the endpoint region for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" // Define custom attributes List customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.1.4") .withValue("CACACACA00000001") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); configCA.withSubject(subject); // Define a certificate authority type CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT; // ** Execute core code samples for Root CA activation in sequence ** AWSACMPCA client = ClientBuilder(endpointRegion); String rootCAArn = CreateCertificateAuthority(configCA, CAtype, client); String csr = GetCertificateAuthorityCsr(rootCAArn, client); String rootCertificateArn = IssueCertificate(rootCAArn, csr, client); String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client); ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client); } private static AWSACMPCA ClientBuilder(String endpointRegion) { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); return client; } private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CertificateAuthorityType CAtype, AWSACMPCA client) { // Create the request object. CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest(); createCARequest.withCertificateAuthorityConfiguration(configCA); createCARequest.withIdempotencyToken("123987"); createCARequest.withCertificateAuthorityType(CAtype); // Create the private CA. CreateCertificateAuthorityResult createCAResult = null; try { createCAResult = client.createCertificateAuthority(createCARequest); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String rootCAArn = createCAResult.getCertificateAuthorityArn(); System.out.println("Root CA Arn: " + rootCAArn); return rootCAArn; } private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) { // Create the CSR request object and set the CA ARN. GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest(); csrRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the CSR file. Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated(); try { getCSRWaiter.run(new WaiterParameters<>(csrRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the CSR. GetCertificateAuthorityCsrResult csrResult = null; try { csrResult = client.getCertificateAuthorityCsr(csrRequest); } catch (RequestInProgressException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } // Retrieve and display the CSR; String csr = csrResult.getCsr(); System.out.println(csr); return csr; } @SneakyThrows private static String generateAuthorityKeyIdentifier(final String csrPEM) { PKCS10CertificationRequest csr = getPKCS10CertificationRequest(csrPEM); SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo(); JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils(); byte[] akiBytes = extensionUtils.createAuthorityKeyIdentifier(spki).getEncoded(); return Base64.getEncoder().encodeToString(akiBytes); } @SneakyThrows private static PKCS10CertificationRequest getPKCS10CertificationRequest(final String csrPEM) { ByteArrayInputStream bais = new ByteArrayInputStream(csrPEM.getBytes()); PemReader pemReader = new PemReader(new InputStreamReader(bais)); PEMParser parser = new PEMParser(pemReader); Object o = parser.readObject(); if (o instanceof PKCS10CertificationRequest) { return (PKCS10CertificationRequest) o; } return null; } private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) { // Create a certificate request: IssueCertificateRequest issueRequest = new IssueCertificateRequest(); // Set the CA ARN. issueRequest.withCertificateAuthorityArn(rootCAArn); // Set the template ARN. issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1"); ByteBuffer csrByteBuffer = stringToByteBuffer(csr); issueRequest.setCsr(csrByteBuffer); // Set the signing algorithm. issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(3650L); validity.withType("DAYS"); issueRequest.withValidity(validity); // Set the idempotency token. issueRequest.setIdempotencyToken("1234"); // Generate Base64 encoded extension value for AuthorityKeyIdentifier String base64EncodedExtValue = generateAuthorityKeyIdentifier(csr); // Generate custom extension CustomExtension customExtension = new CustomExtension(); customExtension.setObjectIdentifier("2.5.29.35"); // AuthorityKeyIdentifier Extension OID customExtension.setValue(base64EncodedExtValue); // Add custom extension to api-passthrough ApiPassthrough apiPassthrough = new ApiPassthrough(); Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customExtension)); apiPassthrough.setExtensions(extensions); issueRequest.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult issueResult = null; try { issueResult = client.issueCertificate(issueRequest); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String rootCertificateArn = issueResult.getCertificateArn(); System.out.println("Root Certificate Arn: " + rootCertificateArn); return rootCertificateArn; } private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) { // Create a request object. GetCertificateRequest certificateRequest = new GetCertificateRequest(); // Set the certificate ARN. certificateRequest.withCertificateArn(rootCertificateArn); // Set the certificate authority ARN. certificateRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the certificate file. Waiter getCertificateWaiter = client.waiters().certificateIssued(); try { getCertificateWaiter.run(new WaiterParameters<>(certificateRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Retrieve the certificate and certificate chain. GetCertificateResult certificateResult = null; try { certificateResult = client.getCertificate(certificateRequest); } catch (RequestInProgressException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } // Get the certificate and certificate chain and display the result. String rootCertificate = certificateResult.getCertificate(); System.out.println(rootCertificate); return rootCertificate; } private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) { // Create the request object and set the signed certificate, chain and CA ARN. ImportCertificateAuthorityCertificateRequest importRequest = new ImportCertificateAuthorityCertificateRequest(); ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate); importRequest.setCertificate(certByteBuffer); importRequest.setCertificateChain(null); // Set the certificate authority ARN. importRequest.withCertificateAuthorityArn(rootCAArn); // Import the certificate. try { client.importCertificateAuthorityCertificate(importRequest); } catch (CertificateMismatchException ex) { throw ex; } catch (MalformedCertificateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (RequestInProgressException ex) { throw ex; } catch (ConcurrentModificationException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } System.out.println("Root CA certificate successfully imported."); System.out.println("Root CA activated successfully."); } private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } } ``` # Activar una CA subordinada para los certificados operativos de nodo (NOC) En este ejemplo de Java se muestra cómo utilizar la [BlankSubordinateCACertificate\$1PathLen0\$1APIPassthrough/V1definición](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough) plantilla para emitir e instalar un certificado de CA de [Matter](https://buildwithmatter.com) Subordinate que se va a emitir. NOCs Debe generar un KeyUsage valor codificado en Base64 y pasarlo por un. CustomExtension El ejemplo llama a las siguientes acciones de API: Autoridad de certificación privada de AWS + [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html) + [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html) + [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) + [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html) + [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html) + [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html) Si se producen problemas, consulta [Solucione los errores de los AWS Private CA certificados compatibles con MatterErrores de certificados compatibles con Matter](TroubleshootPcaMatter.md) la sección de solución de problemas. ``` package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration; import com.amazonaws.services.acmpca.model.CertificateAuthorityType; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult; import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.KeyAlgorithm; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.jce.X509KeyUsage; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest; import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult; import com.amazonaws.services.acmpca.model.GetCertificateRequest; import com.amazonaws.services.acmpca.model.GetCertificateResult; import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.CertificateMismatchException; import com.amazonaws.services.acmpca.model.ConcurrentModificationException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidPolicyException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.MalformedCertificateException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import com.amazonaws.services.acmpca.model.RequestFailedException; import com.amazonaws.services.acmpca.model.RequestInProgressException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.AWSACMPCAException; import com.amazonaws.waiters.Waiter; import com.amazonaws.waiters.WaiterParameters; import com.amazonaws.waiters.WaiterTimedOutException; import com.amazonaws.waiters.WaiterUnrecoverableException; import lombok.SneakyThrows; public class IntermediateCAActivation { public static void main(String[] args) throws Exception { // Place your own Root CA ARN here. String rootCAArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"; // Define the endpoint region for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" // Define custom attributes List customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.1.3") .withValue("CACACACA00000003") ); // Define a CA subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); // Define the CA configuration. CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration(); configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1); configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); configCA.withSubject(subject); // Define a certificate authority type CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE; // ** Execute core code samples for Subordinate CA activation in sequence ** AWSACMPCA client = ClientBuilder(endpointRegion); String rootCertificate = GetCertificateAuthorityCertificate(rootCAArn, client); String subordinateCAArn = CreateCertificateAuthority(configCA, CAtype, client); String csr = GetCertificateAuthorityCsr(subordinateCAArn, client); String subordinateCertificateArn = IssueCertificate(rootCAArn, csr, client); String subordinateCertificate = GetCertificate(subordinateCertificateArn, rootCAArn, client); ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client); } private static AWSACMPCA ClientBuilder(String endpointRegion) { // Get your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException( "Cannot load the credentials from the credential profiles file. " + "Please make sure that your credentials file is at the correct " + "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.", e); } String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); return client; } private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) { // ** GetCertificateAuthorityCertificate ** // Create a request object and set the certificate authority ARN, GetCertificateAuthorityCertificateRequest getCACertificateRequest = new GetCertificateAuthorityCertificateRequest(); getCACertificateRequest.withCertificateAuthorityArn(rootCAArn); // Create a result object. GetCertificateAuthorityCertificateResult getCACertificateResult = null; try { getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest); } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } // Get and display the certificate information. String rootCertificate = getCACertificateResult.getCertificate(); System.out.println("Root CA Certificate / Certificate Chain:"); System.out.println(rootCertificate); return rootCertificate; } private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CertificateAuthorityType CAtype, AWSACMPCA client) { // Create the request object. CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest(); createCARequest.withCertificateAuthorityConfiguration(configCA); createCARequest.withIdempotencyToken("123987"); createCARequest.withCertificateAuthorityType(CAtype); // Create the private CA. CreateCertificateAuthorityResult createCAResult = null; try { createCAResult = client.createCertificateAuthority(createCARequest); } catch (InvalidArgsException ex) { throw ex; } catch (InvalidPolicyException ex) { throw ex; } catch (LimitExceededException ex) { throw ex; } // Retrieve the ARN of the private CA. String subordinateCAArn = createCAResult.getCertificateAuthorityArn(); System.out.println("Subordinate CA Arn: " + subordinateCAArn); return subordinateCAArn; } private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) { // Create the CSR request object and set the CA ARN. GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest(); csrRequest.withCertificateAuthorityArn(subordinateCAArn); // Create waiter to wait on successful creation of the CSR file. Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated(); try { getCSRWaiter.run(new WaiterParameters<>(csrRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch(AWSACMPCAException e) { //Unexpected service exception. } // Get the CSR. GetCertificateAuthorityCsrResult csrResult = null; try { csrResult = client.getCertificateAuthorityCsr(csrRequest); } catch (RequestInProgressException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } // Get and display the CSR; String csr = csrResult.getCsr(); System.out.println("Subordinate CSR:"); System.out.println(csr); return csr; } private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) { // Create a certificate request: IssueCertificateRequest issueRequest = new IssueCertificateRequest(); // Set the issuing CA ARN. issueRequest.withCertificateAuthorityArn(rootCAArn); // Set the template ARN. issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1"); ByteBuffer csrByteBuffer = stringToByteBuffer(csr); issueRequest.setCsr(csrByteBuffer); // Set the signing algorithm. issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(730L); // Approximately two years validity.withType("DAYS"); issueRequest.withValidity(validity); // Set the idempotency token. issueRequest.setIdempotencyToken("1234"); ApiPassthrough apiPassthrough = new ApiPassthrough(); // Generate base64 encoded extension value for ExtendedKeyUsage String base64EncodedKUValue = generateKeyUsageValue(); // Generate custom extension CustomExtension customKeyUsageExtension = new CustomExtension(); customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); customKeyUsageExtension.setValue(base64EncodedKUValue); customKeyUsageExtension.setCritical(true); // Set KeyUsage extension to api passthrough Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension)); apiPassthrough.setExtensions(extensions); issueRequest.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult issueResult = null; try { issueResult = client.issueCertificate(issueRequest); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Get and display the certificate ARN. String subordinateCertificateArn = issueResult.getCertificateArn(); System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn); return subordinateCertificateArn; } @SneakyThrows private static String generateKeyUsageValue() { KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign); byte[] kuBytes = keyUsage.getEncoded(); return Base64.getEncoder().encodeToString(kuBytes); } private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) { // Create a request object. GetCertificateRequest certificateRequest = new GetCertificateRequest(); // Set the certificate ARN. certificateRequest.withCertificateArn(subordinateCertificateArn); // Set the certificate authority ARN. certificateRequest.withCertificateAuthorityArn(rootCAArn); // Create waiter to wait on successful creation of the certificate file. Waiter getCertificateWaiter = client.waiters().certificateIssued(); try { getCertificateWaiter.run(new WaiterParameters<>(certificateRequest)); } catch (WaiterUnrecoverableException e) { //Explicit short circuit when the recourse transitions into //an undesired state. } catch (WaiterTimedOutException e) { //Failed to transition into desired state even after polling. } catch (AWSACMPCAException e) { //Unexpected service exception. } // Get the certificate and certificate chain. GetCertificateResult certificateResult = null; try { certificateResult = client.getCertificate(certificateRequest); } catch (RequestInProgressException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } // Get the certificate and certificate chain and display the result. String subordinateCertificate = certificateResult.getCertificate(); System.out.println("Subordinate CA Certificate:"); System.out.println(subordinateCertificate); return subordinateCertificate; } private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) { // Create the request object and set the signed certificate, chain and CA ARN. ImportCertificateAuthorityCertificateRequest importRequest = new ImportCertificateAuthorityCertificateRequest(); ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate); importRequest.setCertificate(certByteBuffer); ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate); importRequest.setCertificateChain(rootCACertByteBuffer); // Set the certificate authority ARN. importRequest.withCertificateAuthorityArn(subordinateCAArn); // Import the certificate. try { client.importCertificateAuthorityCertificate(importRequest); } catch (CertificateMismatchException ex) { throw ex; } catch (MalformedCertificateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (RequestInProgressException ex) { throw ex; } catch (ConcurrentModificationException ex) { throw ex; } catch (RequestFailedException ex) { throw ex; } System.out.println("Subordinate CA certificate successfully imported."); System.out.println("Subordinate CA activated successfully."); } private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } } ``` # Crear un certificado operativo de nodo (NOC) En este ejemplo de Java, se muestra cómo utilizar la plantilla [BlankEndEntityCertificate\$1 CriticalBasicConstraints \$1 APIPassthrough /V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough) para crear un certificado operativo de [Matter](https://buildwithmatter.com) Node. Debe generar un KeyUsage valor codificado en Base64 y pasarlo por un. CustomExtension El ejemplo llama a la siguiente acción de API: Autoridad de certificación privada de AWS + [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html) Si tiene problemas, consulte [Solucione los errores de los AWS Private CA certificados compatibles con MatterErrores de certificados compatibles con Matter](TroubleshootPcaMatter.md) en la sección Resolución de problemas. ``` package com.amazonaws.samples.matter; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.profile.ProfileCredentialsProvider; import com.amazonaws.client.builder.AwsClientBuilder; import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration; import com.amazonaws.auth.AWSStaticCredentialsProvider; import java.nio.ByteBuffer; import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Base64; import java.util.List; import java.util.Objects; import com.amazonaws.services.acmpca.AWSACMPCA; import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder; import com.amazonaws.services.acmpca.model.ASN1Subject; import com.amazonaws.services.acmpca.model.ApiPassthrough; import com.amazonaws.services.acmpca.model.CustomAttribute; import com.amazonaws.services.acmpca.model.CustomExtension; import com.amazonaws.services.acmpca.model.Extensions; import com.amazonaws.services.acmpca.model.IssueCertificateRequest; import com.amazonaws.services.acmpca.model.IssueCertificateResult; import com.amazonaws.services.acmpca.model.SigningAlgorithm; import com.amazonaws.services.acmpca.model.Validity; import com.amazonaws.AmazonClientException; import com.amazonaws.services.acmpca.model.LimitExceededException; import com.amazonaws.services.acmpca.model.ResourceNotFoundException; import com.amazonaws.services.acmpca.model.InvalidStateException; import com.amazonaws.services.acmpca.model.InvalidArnException; import com.amazonaws.services.acmpca.model.InvalidArgsException; import com.amazonaws.services.acmpca.model.MalformedCSRException; import org.bouncycastle.asn1.x509.ExtendedKeyUsage; import org.bouncycastle.asn1.x509.KeyPurposeId; import org.bouncycastle.asn1.x509.KeyUsage; import org.bouncycastle.jce.X509KeyUsage; import lombok.SneakyThrows; public class IssueNodeOperatingCertificate { public static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) { return null; } byte[] bytes = string.getBytes(StandardCharsets.UTF_8); return ByteBuffer.wrap(bytes); } @SneakyThrows private static String generateExtendedKeyUsageValue() { KeyPurposeId[] keyPurposeIds = new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth }; ExtendedKeyUsage eku = new ExtendedKeyUsage(keyPurposeIds); byte[] ekuBytes = eku.getEncoded(); return Base64.getEncoder().encodeToString(ekuBytes); } @SneakyThrows private static String generateKeyUsageValue() { KeyUsage keyUsage = new KeyUsage(X509KeyUsage.digitalSignature); byte[] kuBytes = keyUsage.getEncoded(); return Base64.getEncoder().encodeToString(kuBytes); } public static void main(String[] args) throws Exception { // Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux. AWSCredentials credentials = null; try { credentials = new ProfileCredentialsProvider("default").getCredentials(); } catch (Exception e) { throw new AmazonClientException("Cannot load your credentials from disk", e); } // Define the endpoint for your sample. String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2" String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/"; EndpointConfiguration endpoint = new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion); // Create a client that you can use to make requests. AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint) .withCredentials(new AWSStaticCredentialsProvider(credentials)) .build(); // Create a certificate request: IssueCertificateRequest req = new IssueCertificateRequest(); // Set the CA ARN. req.withCertificateAuthorityArn("arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"); // Specify the certificate signing request (CSR) for the certificate to be signed and issued. String strCSR = "-----BEGIN CERTIFICATE REQUEST-----\n" + "base64-encoded certificate\n" + "-----END CERTIFICATE REQUEST-----\n"; ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR); req.setCsr(csrByteBuffer); // Specify the template for the issued certificate. req.withTemplateArn("arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1"); // Set the signing algorithm. req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA); // Set the validity period for the certificate to be issued. Validity validity = new Validity(); validity.withValue(10L); validity.withType("DAYS"); req.withValidity(validity); // Set the idempotency token. req.setIdempotencyToken("1234"); // Define custom attributes List customAttributes = Arrays.asList( new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.1.1") .withValue("DEDEDEDE00010001"), new CustomAttribute() .withObjectIdentifier("1.3.6.1.4.1.37244.1.5") .withValue("FAB000000000001D") ); // Define a cert subject. ASN1Subject subject = new ASN1Subject(); subject.setCustomAttributes(customAttributes); ApiPassthrough apiPassthrough = new ApiPassthrough(); apiPassthrough.setSubject(subject); // Generate Base64 encoded extension value for ExtendedKeyUsage String base64EncodedKUValue = generateKeyUsageValue(); // Generate custom extension CustomExtension customKeyUsageExtension = new CustomExtension(); customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); customKeyUsageExtension.setValue(base64EncodedKUValue); customKeyUsageExtension.setCritical(true); // Generate Base64 encoded extension value for ExtendedKeyUsage String base64EncodedEKUValue = generateExtendedKeyUsageValue(); CustomExtension customExtendedKeyUsageExtension = new CustomExtension(); customExtendedKeyUsageExtension.setObjectIdentifier("2.5.29.37"); // ExtendedKeyUsage Extension OID customExtendedKeyUsageExtension.setValue(base64EncodedEKUValue); customExtendedKeyUsageExtension.setCritical(true); // Set KeyUsage and ExtendedKeyUsage extension to api-passthrough Extensions extensions = new Extensions(); extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension, customExtendedKeyUsageExtension)); apiPassthrough.setExtensions(extensions); req.setApiPassthrough(apiPassthrough); // Issue the certificate. IssueCertificateResult result = null; try { result = client.issueCertificate(req); } catch (LimitExceededException ex) { throw ex; } catch (ResourceNotFoundException ex) { throw ex; } catch (InvalidStateException ex) { throw ex; } catch (InvalidArnException ex) { throw ex; } catch (InvalidArgsException ex) { throw ex; } catch (MalformedCSRException ex) { throw ex; } // Retrieve and display the certificate ARN. String arn = result.getCertificateArn(); System.out.println(arn); } } ```