


# Use AWS Private CA to implement Matter certificates
<a name="API-CBR-intro"></a>

You can use the AWS Private CA API to create certificates that conform to the [Matter](https://github.com/project-chip/connectedhomeip) connectivity standard. Matter specifies certificate configurations that improve the security and consistency of Internet of Things (IoT) devices across multiple design platforms. For more information about Matter, see [buildwithmatter.com](https://buildwithmatter.com).

Matter 1.2, released in October 2023, supports DAC revocation using Certificate Revocation Lists (CRLs). To help you conform to the current Matter standard, when you enable CRL revocation for the CAs that issue Matter certificates, set `OmitExtension` to `true` in the `CrlDistributionPointExtensionConfiguration` structure of the `CrlConfiguration` object.

Typically, CAs embed the CRL Distribution Point (CDP) in the certificates they issue so that relying parties performing certificate chain validation can retrieve the CRL and check the certificate's status. In Matter, the CDP URI is not written into the certificates. Instead, users retrieve CDPs from the Matter Distributed Compliance Ledger (DCL), Matter's trusted data store. You must upload the CDP URI to the Matter DCL so that it can be discovered during validation of DACs. For more information about determining the CDP URI, see [Determining the CRL Distribution Point (CDP) URI](crl-planning.md#crl-url). For more information about Matter, see the [Matter standard home page](https://csa-iot.org/all-solutions/matter/).

**Topics**
+ [Activate a Product Attestation Authority (PAA)](JavaApiCBC-ProductAttestationAuthorityActivation.md)
+ [Activate a Product Attestation Intermediate (PAI)](JavaApiCBC-ProductAttestationIntermediateActivation.md)
+ [Create a Device Attestation Certificate (DAC)](JavaApiCBC-DeviceAttestationCertificate.md)
+ [Activate a root CA for Node Operational Certificates (NOC)](JavaApiCBC-ActivateRootCA.md)
+ [Activate a subordinate CA for Node Operational Certificates (NOC)](JavaApiCBC-IntermediateCAActivation.md)
+ [Create a Node Operational Certificate (NOC)](JavaApiCBC-NodeOperatingCertificate.md)

# Activate a Product Attestation Authority (PAA)
<a name="JavaApiCBC-ProductAttestationAuthorityActivation"></a>

This Java example shows how to use the [RootCACertificate\_APIPassthrough/V1 definition](template-definitions.md#RootCACertificate_APIPassthrough) template to create and install a [Matter](https://buildwithmatter.com) root CA (PAA) certificate for product attestation. The AuthorityKeyIdentifier (AKI) extension is optional for PAAs. To set an AKI, you must generate a Base64-encoded AKI value and pass it through a CustomExtension.

The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)

If you run into problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
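The following Python script is an added example; it is not part of this documentation or of the AWS SDK samples. It covers two points from the text above without any external library: how the Base64 AuthorityKeyIdentifier value that the Java sample passes through a CustomExtension is derived from the CSR's SubjectPublicKeyInfo (RFC 5280 method 1, the SHA-1 key identifier that BouncyCastle's `createAuthorityKeyIdentifier(spki)` also produces), and how to confirm that an issued PAA certificate does not embed a CRL Distribution Point extension, since Matter expects the CDP URI in the DCL rather than in the certificate. The CSR, key and certificates in the script are constructed placeholders (the EC point is not a valid P-256 point and the signatures are dummies), and all function names are the example's own.

```python
# Added example: pure-Python DER helpers for Matter CA certificate material.
# Not AWS Private CA or Matter project code; all sample material is constructed.
import base64
import hashlib

def der_len(n):                       # DER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):                   # encode one DER element
    return bytes([tag]) + der_len(len(body)) + body

def der_parse(data, pos=0):           # -> (tag, value, position after the element)
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, data[start:start + length], start + length

def der_children(body):               # split a constructed body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_parse(body, pos)
        out.append((tag, value))
    return out

def oid(dotted):                      # DER OBJECT IDENTIFIER from a dotted string
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

OID_AKI, OID_CDP = oid("2.5.29.35"), oid("2.5.29.31")

def spki_from_csr(csr_der):
    """SubjectPublicKeyInfo DER out of a PKCS#10 request (what the Java sample
    obtains through BouncyCastle's PKCS10CertificationRequest)."""
    _, csr_body, _ = der_parse(csr_der)
    _, cri = der_children(csr_body)[0]          # CertificationRequestInfo
    tag, body = der_children(cri)[2]            # version, subject, SPKI, attributes
    return tlv(tag, body)

def authority_key_identifier_b64(spki_der):
    """Base64 DER AuthorityKeyIdentifier (RFC 5280 method 1): keyIdentifier is
    the SHA-1 of the subjectPublicKey bits, as createAuthorityKeyIdentifier does."""
    _, spki_body, _ = der_parse(spki_der)
    _, bits = der_children(spki_body)[1]        # BIT STRING; bits[0] = unused-bit count
    key_id = hashlib.sha1(bits[1:]).digest()
    return base64.b64encode(tlv(0x30, tlv(0x80, key_id))).decode("ascii")

def certificate_extensions(cert_der):
    """{oid_der: (critical, extnValue)} for every X.509 v3 extension."""
    _, cert_body, _ = der_parse(cert_der)
    _, tbs = der_children(cert_body)[0]
    for tag, value in der_children(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            result = {}
            for _, ext in der_children(der_parse(value)[1]):
                parts = der_children(ext)       # OID, optional critical BOOLEAN, OCTET STRING
                critical = len(parts) == 3 and parts[1][1] == b"\xff"
                result[tlv(0x06, parts[0][1])] = (critical, parts[-1][1])
            return result
    return {}

def check_matter_ca_cert(cert_der):
    """Matter keeps the CDP URI in the DCL, so an embedded CRLDistributionPoints
    extension is a misconfiguration; the AKI should be present."""
    exts = certificate_extensions(cert_der)
    return {"has_cdp": OID_CDP in exts, "has_aki": OID_AKI in exts, "count": len(exts)}

# Constructed sample material: placeholders, not real keys or signatures.
SAMPLE_POINT = b"\x04" + bytes(range(1, 65))     # not a real P-256 point
EC_ALG = tlv(0x30, oid("1.2.840.10045.2.1") + oid("1.2.840.10045.3.1.7"))
SIG_ALG = tlv(0x30, oid("1.2.840.10045.4.3.2"))  # ecdsa-with-SHA256
NAME = tlv(0x30, tlv(0x31, tlv(0x30, oid("2.5.4.3") + tlv(0x0C, b"Matter Test PAA"))))
SAMPLE_SPKI = tlv(0x30, EC_ALG + tlv(0x03, b"\x00" + SAMPLE_POINT))
FAKE_SIG = tlv(0x03, b"\x00" + bytes(64))
SAMPLE_CSR = tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + NAME + SAMPLE_SPKI + tlv(0xA0, b"")) + SIG_ALG + FAKE_SIG)

def sample_cert(with_cdp):
    """v3 certificate shaped like a PAA, optionally with an embedded CDP URI."""
    aki = base64.b64decode(authority_key_identifier_b64(SAMPLE_SPKI))
    exts = tlv(0x30, OID_AKI + tlv(0x04, aki))
    if with_cdp:                                  # DistributionPoint [0] fullName [0] URI [6]
        dp = tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, b"http://crl.example.invalid/paa.crl"))))
        exts += tlv(0x30, OID_CDP + tlv(0x04, tlv(0x30, dp)))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + SIG_ALG + NAME
              + validity + NAME + SAMPLE_SPKI + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + SIG_ALG + FAKE_SIG)
```

To use it with real material, strip the `-----BEGIN/END-----` lines from the PEM that `GetCertificateAuthorityCsr` or `GetCertificate` returns and Base64-decode the rest: `authority_key_identifier_b64(spki_from_csr(csr_der))` is the value the Java sample's `generateAuthorityKeyIdentifier` computes for the same CSR, and `check_matter_ca_cert(cert_der)` on the issued PAA should report `has_cdp` as `False` when `OmitExtension` is `true`; `sample_cert(True)` shows what the check reports when a CDP was embedded by mistake.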

```
package com.amazonaws.samples.matter;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;


import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;

import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;

import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration;

import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;

import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;

import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemReader;

import lombok.SneakyThrows;

public class ProductAttestationAuthorityActivation {

    public static void main(String[] args) throws Exception {
        // Define the endpoint region for your sample.
        String endpointRegion = "region";  // Substitute your region here, e.g. "ap-southeast-2"

        // Define custom attributes
        List<CustomAttribute> customAttributes = Arrays.asList(
            new CustomAttribute()
                .withObjectIdentifier("2.5.4.3") // CommonName
                .withValue("Matter Test PAA"),
            new CustomAttribute()
                .withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID
                .withValue("FFF1")
        );

        // Define a CA subject.
        ASN1Subject subject = new ASN1Subject();
        subject.setCustomAttributes(customAttributes);

        // Define the CA configuration.
        CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
        configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
        configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
        configCA.withSubject(subject);

        // Define a CRL distribution point extension configuration
        CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration();
        CDPConfigure.withOmitExtension(true);

        // Define a certificate revocation list configuration.
        CrlConfiguration crlConfigure = new CrlConfiguration();
        crlConfigure.withEnabled(true);
        crlConfigure.withExpirationInDays(365);
        crlConfigure.withCustomCname(null);
        crlConfigure.withS3BucketName("your-bucket-name");
        crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL");
        crlConfigure.withCrlDistributionPointExtensionConfiguration(CDPConfigure);

        // Define a certificate authority type
        CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT;

        // ** Execute core code samples for Root CA activation in sequence **
        AWSACMPCA client = ClientBuilder(endpointRegion);
        String rootCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client);
        String csr = GetCertificateAuthorityCsr(rootCAArn, client);
        String rootCertificateArn = IssueCertificate(rootCAArn, csr, client);
        String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client);
        ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client);
    }

    private static AWSACMPCA ClientBuilder(String endpointRegion) {
        // Retrieve your credentials from the C:\Users\name\.aws\credentials file
        // in Windows or the .aws/credentials file in Linux.
        AWSCredentials credentials = null;
        try {
            credentials = new ProfileCredentialsProvider("default").getCredentials();
        } catch (Exception e) {
            throw new AmazonClientException(
                    "Cannot load the credentials from the credential profiles file. " +
                    "Please make sure that your credentials file is at the correct " +
                    "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
                    e);
        }

        String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
        EndpointConfiguration endpoint =
            new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
        
        // Create a client that you can use to make requests.
        AWSACMPCA client = AWSACMPCAClientBuilder.standard()
            .withEndpointConfiguration(endpoint)
            .withCredentials(new AWSStaticCredentialsProvider(credentials))
            .build();

        return client;
    }

    private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) {
        RevocationConfiguration revokeConfig = new RevocationConfiguration();
        revokeConfig.setCrlConfiguration(crlConfigure);
        
        // Create the request object.
        CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
        createCARequest.withCertificateAuthorityConfiguration(configCA);
        createCARequest.withIdempotencyToken("123987");
        createCARequest.withCertificateAuthorityType(CAtype);
        createCARequest.withRevocationConfiguration(revokeConfig);
        
        // Create the private CA.
        CreateCertificateAuthorityResult createCAResult = null;
        try {
            createCAResult = client.createCertificateAuthority(createCARequest);
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (InvalidPolicyException ex) {
            throw ex;
        } catch (LimitExceededException ex) {
            throw ex;
        }

        // Retrieve the ARN of the private CA.
        String rootCAArn = createCAResult.getCertificateAuthorityArn();
        System.out.println("Product Attestation Authority (PAA) Arn: " + rootCAArn);
        
        return rootCAArn;
    }

    private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) {

        // Create the CSR request object and set the CA ARN.
        GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
        csrRequest.withCertificateAuthorityArn(rootCAArn);

        // Create waiter to wait on successful creation of the CSR file.
        Waiter<GetCertificateAuthorityCsrRequest> getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
        try {
            getCSRWaiter.run(new WaiterParameters<>(csrRequest));
        } catch (WaiterUnrecoverableException e) {
            //Explicit short circuit when the recourse transitions into
            //an undesired state.
        } catch (WaiterTimedOutException e) {
            //Failed to transition into desired state even after polling.
        } catch (AWSACMPCAException e) {
            //Unexpected service exception.
        }

        // Retrieve the CSR.
        GetCertificateAuthorityCsrResult csrResult = null;
        try {
            csrResult = client.getCertificateAuthorityCsr(csrRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }

        // Retrieve and display the CSR;
        String csr = csrResult.getCsr();
        System.out.println(csr);

        return csr;
    }

    @SneakyThrows
    private static String generateAuthorityKeyIdentifier(final String csrPEM) {
        PKCS10CertificationRequest csr = getPKCS10CertificationRequest(csrPEM);
        SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo();
        
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        byte[] akiBytes = extensionUtils.createAuthorityKeyIdentifier(spki).getEncoded();

        return Base64.getEncoder().encodeToString(akiBytes);
    }

    @SneakyThrows
    private static PKCS10CertificationRequest getPKCS10CertificationRequest(final String csrPEM) {
        ByteArrayInputStream bais = new ByteArrayInputStream(csrPEM.getBytes());
        PemReader pemReader = new PemReader(new InputStreamReader(bais));
        PEMParser parser = new PEMParser(pemReader);
        Object o = parser.readObject();
        if (o instanceof PKCS10CertificationRequest) {
            return (PKCS10CertificationRequest) o;
        }
        return null;
    }

    private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {

        // Create a certificate request:
        IssueCertificateRequest issueRequest = new IssueCertificateRequest();

        // Set the CA ARN.
        issueRequest.withCertificateAuthorityArn(rootCAArn);

        // Set the template ARN.
        issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1");

        ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
        issueRequest.setCsr(csrByteBuffer);

        // Set the signing algorithm.
        issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);

        // Set the validity period for the certificate to be issued.
        Validity validity = new Validity();
        validity.withValue(3650L);
        validity.withType("DAYS");
        issueRequest.withValidity(validity);

        // Set the idempotency token.
        issueRequest.setIdempotencyToken("1234");

        // Generate Base64 encoded extension value for AuthorityKeyIdentifier
        String base64EncodedExtValue = generateAuthorityKeyIdentifier(csr);
  
        // Generate custom extension
        CustomExtension customExtension = new CustomExtension();
        customExtension.setObjectIdentifier("2.5.29.35"); // AuthorityKeyIdentifier Extension OID
        customExtension.setValue(base64EncodedExtValue);
  
        // Add custom extension to api-passthrough
        ApiPassthrough apiPassthrough = new ApiPassthrough();
        Extensions extensions = new Extensions();
        extensions.setCustomExtensions(Arrays.asList(customExtension));
        apiPassthrough.setExtensions(extensions);
        issueRequest.setApiPassthrough(apiPassthrough);

        // Issue the certificate.
        IssueCertificateResult issueResult = null;
        try {
            issueResult = client.issueCertificate(issueRequest);
        } catch (LimitExceededException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (MalformedCSRException ex) {
            throw ex;
        }

        // Retrieve and display the certificate ARN.
        String rootCertificateArn = issueResult.getCertificateArn();
        System.out.println("Product Attestation Authority (PAA) Certificate Arn: " + rootCertificateArn);

        return rootCertificateArn;
    }
    
    private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) {

        // Create a request object.
        GetCertificateRequest certificateRequest = new GetCertificateRequest();

        // Set the certificate ARN.
        certificateRequest.withCertificateArn(rootCertificateArn);

        // Set the certificate authority ARN.
        certificateRequest.withCertificateAuthorityArn(rootCAArn);
                
        // Create waiter to wait on successful creation of the certificate file.
        Waiter<GetCertificateRequest> getCertificateWaiter = client.waiters().certificateIssued();
        try {
            getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
        } catch (WaiterUnrecoverableException e) {
            //Explicit short circuit when the recourse transitions into
            //an undesired state.
        } catch (WaiterTimedOutException e) {
            //Failed to transition into desired state even after polling.
        } catch (AWSACMPCAException e) {
            //Unexpected service exception.
        }

        // Retrieve the certificate and certificate chain.
        GetCertificateResult certificateResult = null;
        try {
            certificateResult = client.getCertificate(certificateRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        }

        // Get the certificate and certificate chain and display the result.
        String rootCertificate = certificateResult.getCertificate();
        System.out.println(rootCertificate);

        return rootCertificate;
    }

    private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) {

        // Create the request object and set the signed certificate, chain and CA ARN.
        ImportCertificateAuthorityCertificateRequest importRequest =
            new ImportCertificateAuthorityCertificateRequest();

        ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate);
        importRequest.setCertificate(certByteBuffer);

        importRequest.setCertificateChain(null);

        // Set the certificate authority ARN.
        importRequest.withCertificateAuthorityArn(rootCAArn);

        // Import the certificate.
        try {
            client.importCertificateAuthorityCertificate(importRequest);
        } catch (CertificateMismatchException ex) {
            throw ex;
        } catch (MalformedCertificateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ConcurrentModificationException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }

        System.out.println("Product Attestation Authority (PAA) certificate successfully imported.");
        System.out.println("Product Attestation Authority (PAA) activated successfully.");
    }
    
    private static ByteBuffer stringToByteBuffer(final String string) {
        if (Objects.isNull(string)) {
            return null;
        }
        byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.wrap(bytes);
    }
}
```

# Activate a Product Attestation Intermediate (PAI)
<a name="JavaApiCBC-ProductAttestationIntermediateActivation"></a>

This Java example shows how to use the [BlankSubordinateCACertificate\_PathLen0\_APIPassthrough/V1 definition](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough) template to create and install a [Matter](https://buildwithmatter.com) subordinate CA (PAI) certificate for product attestation. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.

The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
+ [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)

If you run into problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
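The following Python script is an added example for the KeyUsage step; it is not part of this documentation or of the AWS SDK samples. It DER-encodes a KeyUsage BIT STRING from named bits, applying the DER rule that trailing zero bits are dropped (which is why the unused-bits octet changes with the highest bit set), Base64-encodes the result for `CustomExtension.setValue` under OID 2.5.29.15, and decodes a value back so the extension of an issued certificate can be checked. It handles any combination of the RFC 5280 key-usage bits, not only the PAI case; the Matter profile uses keyCertSign and cRLSign for a PAI and digitalSignature for a DAC, and the output for keyCertSign|cRLSign is byte-for-byte what BouncyCastle's `KeyUsage` produces. The function names are the example's own.

```python
# Added example: DER KeyUsage values for Matter CustomExtensions.
# Not AWS Private CA or Matter project code.
import base64

# RFC 5280 KeyUsage named bits; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = {"digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
                  "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
                  "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8}

def key_usage_der(*names):
    """DER-encode a KeyUsage BIT STRING (tag 0x03) from named bits."""
    bits = sorted(KEY_USAGE_BITS[n] for n in names)
    if not bits:
        return b"\x03\x01\x00"                  # empty BIT STRING
    highest = bits[-1]
    nbytes = highest // 8 + 1                   # DER: no octets of trailing zero bits
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - 1 - highest           # trailing zero bits are declared unused
    body = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body)]) + body

def key_usage_b64(*names):
    """The string to pass to CustomExtension.setValue for OID 2.5.29.15."""
    return base64.b64encode(key_usage_der(*names)).decode("ascii")

def key_usage_names(der):
    """Decode a DER KeyUsage back to its set of names (for checking issued certs)."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a DER BIT STRING")
    unused, payload = der[2], der[3:]
    total = len(payload) * 8 - unused           # number of meaningful bits
    value = int.from_bytes(payload, "big") >> unused
    return {n for n, b in KEY_USAGE_BITS.items() if b < total and (value >> (total - 1 - b)) & 1}

# Matter profile values: a PAI signs certificates and CRLs, a DAC only signs.
PAI_KEY_USAGE_B64 = key_usage_b64("keyCertSign", "cRLSign")     # "AwIBBg=="
DAC_KEY_USAGE_B64 = key_usage_b64("digitalSignature")           # "AwIHgA=="
```

`PAI_KEY_USAGE_B64` is the value to place in the CustomExtension when the PAI certificate is issued; running `key_usage_names` over the decoded extension value of the certificate that `GetCertificate` returns confirms that exactly those bits were issued.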

```
package com.amazonaws.samples.matter;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;


import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;

import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;

import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.Validity;

import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;

import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;

import lombok.SneakyThrows;

public class ProductAttestationIntermediateActivation {

    public static void main(String[] args) throws Exception {
        // Place your own Root CA ARN here.
        String paaArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012";

        // Define the endpoint region for your sample.
        String endpointRegion = "region";  // Substitute your region here, e.g. "ap-southeast-2"

        // Define custom attributes
        List<CustomAttribute> customAttributes = Arrays.asList(
            new CustomAttribute()
                .withObjectIdentifier("2.5.4.3") // CommonName
                .withValue("Matter Test PAI"),
            new CustomAttribute()
                .withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID
                .withValue("FFF1"),
            new CustomAttribute()
                .withObjectIdentifier("1.3.6.1.4.1.37244.2.2") // Product ID
                .withValue("8000")
        );

        // Define a CA subject.
        ASN1Subject subject = new ASN1Subject();
        subject.setCustomAttributes(customAttributes);

        // Define the CA configuration.
        CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
        configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
        configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
        configCA.withSubject(subject);

        // Define a CRL distribution point extension configuration
        CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration();
        CDPConfigure.withOmitExtension(true);

        // Define a certificate revocation list configuration.
        CrlConfiguration crlConfigure = new CrlConfiguration();
        crlConfigure.withEnabled(true);
        crlConfigure.withExpirationInDays(365);
        crlConfigure.withCustomCname(null);
        crlConfigure.withS3BucketName("your-bucket-name");
        crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL");
        crlConfigure.withCrlDistributionPointExtensionConfiguration(CDPConfigure);
        
        // Define a certificate authority type
        CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE;

        // ** Execute core code samples for Subordinate CA activation in sequence **
        AWSACMPCA client = ClientBuilder(endpointRegion);
        String rootCertificate = GetCertificateAuthorityCertificate(paaArn, client);
        String subordinateCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client);
        String csr = GetCertificateAuthorityCsr(subordinateCAArn, client);
        String subordinateCertificateArn = IssueCertificate(paaArn, csr, client);
        String subordinateCertificate = GetCertificate(subordinateCertificateArn, paaArn, client);
        ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client);

    }

    private static AWSACMPCA ClientBuilder(String endpointRegion) {
        // Retrieve your credentials from the C:\Users\name\.aws\credentials file
        // in Windows or the .aws/credentials file in Linux.
        AWSCredentials credentials = null;
        try {
            credentials = new ProfileCredentialsProvider("default").getCredentials();
        } catch (Exception e) {
            throw new AmazonClientException(
                    "Cannot load the credentials from the credential profiles file. " +
                    "Please make sure that your credentials file is at the correct " +
                    "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
                    e);
        }

        String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
        EndpointConfiguration endpoint =
            new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
        
        // Create a client that you can use to make requests.
        AWSACMPCA client = AWSACMPCAClientBuilder.standard()
            .withEndpointConfiguration(endpoint)
            .withCredentials(new AWSStaticCredentialsProvider(credentials))
            .build();

        return client;
    }

    private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) {
        // ** GetCertificateAuthorityCertificate **

        // Create a request object and set the certificate authority ARN,
        GetCertificateAuthorityCertificateRequest getCACertificateRequest =
        new GetCertificateAuthorityCertificateRequest();
        getCACertificateRequest.withCertificateAuthorityArn(rootCAArn);

        // Create a result object.
        GetCertificateAuthorityCertificateResult getCACertificateResult = null;
        try {
            getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest);
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        }

        // Retrieve and display the certificate information.
        String rootCertificate = getCACertificateResult.getCertificate();
        System.out.println("Product Attestation Authority (PAA) Certificate / Certificate Chain:");
        System.out.println(rootCertificate);

        return rootCertificate;
    }

    private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) {
        RevocationConfiguration revokeConfig = new RevocationConfiguration();
        revokeConfig.setCrlConfiguration(crlConfigure);
        
        // Create the request object.
        CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
        createCARequest.withCertificateAuthorityConfiguration(configCA);
        createCARequest.withIdempotencyToken("123987");
        createCARequest.withCertificateAuthorityType(CAtype);
        createCARequest.withRevocationConfiguration(revokeConfig);

        // Create the private CA.
        CreateCertificateAuthorityResult createCAResult = null;
        try {
            createCAResult = client.createCertificateAuthority(createCARequest);
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (InvalidPolicyException ex) {
            throw ex;
        } catch (LimitExceededException ex) {
            throw ex;
        }

        // Retrieve the ARN of the private CA.
        String subordinateCAArn = createCAResult.getCertificateAuthorityArn();
        System.out.println("Product Attestation Intermediate (PAI) Arn: " + subordinateCAArn);

        return subordinateCAArn;
    }

    private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) {

        // Create the CSR request object and set the CA ARN.
        GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
        csrRequest.withCertificateAuthorityArn(subordinateCAArn);

        // Create waiter to wait on successful creation of the CSR file.
        Waiter<GetCertificateAuthorityCsrRequest> getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
        try {
            getCSRWaiter.run(new WaiterParameters<>(csrRequest));
        } catch (WaiterUnrecoverableException e) {
            //Explicit short circuit when the resource transitions into
            //an undesired state.
        } catch (WaiterTimedOutException e) {
            //Failed to transition into desired state even after polling.
        } catch(AWSACMPCAException e) {
            //Unexpected service exception.
        }

        // Retrieve the CSR.
        GetCertificateAuthorityCsrResult csrResult = null;
        try {
            csrResult = client.getCertificateAuthorityCsr(csrRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }

        // Retrieve and display the CSR;
        String csr = csrResult.getCsr();
        System.out.println("Subordinate CSR:");
        System.out.println(csr);

        return csr;
    }

    private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {

        // Create a certificate request:
        IssueCertificateRequest issueRequest = new IssueCertificateRequest();

        // Set the issuing CA ARN.
        issueRequest.withCertificateAuthorityArn(rootCAArn);

        // Set the template ARN.
        issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1");

        ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
        issueRequest.setCsr(csrByteBuffer);

        // Set the signing algorithm.
        issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);

        // Set the validity period for the certificate to be issued.
        Validity validity = new Validity();
        validity.withValue(730L); // Approximately two years
        validity.withType("DAYS");
        issueRequest.withValidity(validity);

        // Set the idempotency token.
        issueRequest.setIdempotencyToken("1234");

        ApiPassthrough apiPassthrough = new ApiPassthrough();

        // Generate the Base64-encoded extension value for KeyUsage (keyCertSign | cRLSign)
        String base64EncodedKUValue = generateKeyUsageValue();

        // Generate custom extension
        CustomExtension customKeyUsageExtension = new CustomExtension();
        customKeyUsageExtension.setObjectIdentifier("2.5.29.15");
        customKeyUsageExtension.setValue(base64EncodedKUValue);
        customKeyUsageExtension.setCritical(true);

        // Set KeyUsage extension to api passthrough
        Extensions extensions = new Extensions();
        extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension));
        apiPassthrough.setExtensions(extensions);
        issueRequest.setApiPassthrough(apiPassthrough);

        // Issue the certificate.
        IssueCertificateResult issueResult = null;
        try {
            issueResult = client.issueCertificate(issueRequest);
        } catch (LimitExceededException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (MalformedCSRException ex) {
            throw ex;
        }

        // Retrieve and display the certificate ARN.
        String subordinateCertificateArn = issueResult.getCertificateArn();
        System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn);

        return subordinateCertificateArn;
    }

    @SneakyThrows
    private static String generateKeyUsageValue() {
       KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
       byte[] kuBytes = keyUsage.getEncoded();
       return Base64.getEncoder().encodeToString(kuBytes);
    }

    private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) {

        // Create a request object.
        GetCertificateRequest certificateRequest = new GetCertificateRequest();

        // Set the certificate ARN.
        certificateRequest.withCertificateArn(subordinateCertificateArn);

        // Set the certificate authority ARN.
        certificateRequest.withCertificateAuthorityArn(rootCAArn);
                
        // Create waiter to wait on successful creation of the certificate file.
        Waiter<GetCertificateRequest> getCertificateWaiter = client.waiters().certificateIssued();
        try {
            getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
        } catch (WaiterUnrecoverableException e) {
            //Explicit short circuit when the resource transitions into
            //an undesired state.
        } catch (WaiterTimedOutException e) {
            //Failed to transition into desired state even after polling.
        } catch (AWSACMPCAException e) {
            //Unexpected service exception.
        }

        // Retrieve the certificate and certificate chain.
        GetCertificateResult certificateResult = null;
        try {
            certificateResult = client.getCertificate(certificateRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        }

        // Get the certificate and certificate chain and display the result.
        String subordinateCertificate = certificateResult.getCertificate();
        System.out.println("Subordinate CA Certificate:");
        System.out.println(subordinateCertificate);

        return subordinateCertificate;
    }

    private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) {

        // Create the request object and set the signed certificate, chain and CA ARN.
        ImportCertificateAuthorityCertificateRequest importRequest =
            new ImportCertificateAuthorityCertificateRequest();

        ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate);
        importRequest.setCertificate(certByteBuffer);

        ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate);
        importRequest.setCertificateChain(rootCACertByteBuffer);

        // Set the certificate authority ARN.
        importRequest.withCertificateAuthorityArn(subordinateCAArn);

        // Import the certificate.
        try {
            client.importCertificateAuthorityCertificate(importRequest);
        } catch (CertificateMismatchException ex) {
            throw ex;
        } catch (MalformedCertificateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ConcurrentModificationException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }
        System.out.println("Product Attestation Intermediate (PAI) certificate successfully imported.");
        System.out.println("Product Attestation Intermediate (PAI) activated successfully.");
    }

    private static ByteBuffer stringToByteBuffer(final String string) {
        if (Objects.isNull(string)) {
            return null;
        }
        byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.wrap(bytes);
    }
}
```

# Create a Device Attestation Certificate (DAC)
<a name="JavaApiCBC-DeviceAttestationCertificate"></a>

This Java example shows how to use the [BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough) template to create a [Matter](https://buildwithmatter.com) Device Attestation Certificate. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.

The example calls the following AWS Private CA API action:
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)

If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errors](TroubleshootPcaMatter.md) in the troubleshooting section.

```
package com.amazonaws.samples.matter;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;

import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;

import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;

import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;

import lombok.SneakyThrows;

public class IssueDeviceAttestationCertificate {
   public static ByteBuffer stringToByteBuffer(final String string) {
      if (Objects.isNull(string)) {
          return null;
      }
      byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
      return ByteBuffer.wrap(bytes);
   }

   @SneakyThrows
   private static String generateKeyUsageValue() {
      KeyUsage keyUsage = new KeyUsage(X509KeyUsage.digitalSignature);
      byte[] kuBytes = keyUsage.getEncoded();
      return Base64.getEncoder().encodeToString(kuBytes);
   }

   public static void main(String[] args) throws Exception {

      // Retrieve your credentials from the C:\Users\name\.aws\credentials file
      // in Windows or the .aws/credentials file in Linux.
      AWSCredentials credentials = null;
      try {
          credentials = new ProfileCredentialsProvider("default").getCredentials();
      } catch (Exception e) {
          throw new AmazonClientException("Cannot load your credentials from disk", e);
      }

      // Define the endpoint for your sample.
      String endpointRegion = "region";  // Substitute your region here, e.g. "ap-southeast-2"
      String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
      EndpointConfiguration endpoint =
          new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);

      // Create a client that you can use to make requests.
      AWSACMPCA client = AWSACMPCAClientBuilder.standard()
          .withEndpointConfiguration(endpoint)
          .withCredentials(new AWSStaticCredentialsProvider(credentials))
          .build();

      // Create a certificate request:
      IssueCertificateRequest req = new IssueCertificateRequest();

      // Set the CA ARN.
      req.withCertificateAuthorityArn("arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012");

      // Specify the certificate signing request (CSR) for the certificate to be signed and issued.
      String strCSR =
      "-----BEGIN CERTIFICATE REQUEST-----\n" +
      "base64-encoded certificate\n" +
      "-----END CERTIFICATE REQUEST-----\n";
      ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR);
      req.setCsr(csrByteBuffer);

      // Specify the template for the issued certificate.
      req.withTemplateArn("arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1");

      // Set the signing algorithm.
      req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);

      // Set the validity period for the certificate to be issued.
      Validity validity = new Validity();
      validity.withValue(10L);
      validity.withType("DAYS");
      req.withValidity(validity);

      // Set the idempotency token.
      req.setIdempotencyToken("1234");

      // Define custom attributes
      List<CustomAttribute> customAttributes = Arrays.asList(
         new CustomAttribute()
            .withObjectIdentifier("2.5.4.3")
            .withValue("Matter Test DAC 0001"),
         new CustomAttribute()
            .withObjectIdentifier("1.3.6.1.4.1.37244.2.1")
            .withValue("FFF1"),
         new CustomAttribute()
            .withObjectIdentifier("1.3.6.1.4.1.37244.2.2")
            .withValue("8000")
      );

      // Define a cert subject.
      ASN1Subject subject = new ASN1Subject();
      subject.setCustomAttributes(customAttributes);

      ApiPassthrough apiPassthrough = new ApiPassthrough();
      apiPassthrough.setSubject(subject);

      // Generate the Base64-encoded extension value for KeyUsage (digitalSignature)
      String base64EncodedKUValue = generateKeyUsageValue();

      // Generate custom extension
      CustomExtension customKeyUsageExtension = new CustomExtension();
      customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); // KeyUsage Extension OID
      customKeyUsageExtension.setValue(base64EncodedKUValue);
      customKeyUsageExtension.setCritical(true);
      
      Extensions extensions = new Extensions();
      extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension));
      apiPassthrough.setExtensions(extensions);
      req.setApiPassthrough(apiPassthrough);

      // Issue the certificate.
      IssueCertificateResult result = null;
      try {
         result = client.issueCertificate(req);
      } catch (LimitExceededException ex) {
         throw ex;
      } catch (ResourceNotFoundException ex) {
         throw ex;
      } catch (InvalidStateException ex) {
         throw ex;
      } catch (InvalidArnException ex) {
         throw ex;
      } catch (InvalidArgsException ex) {
         throw ex;
      } catch (MalformedCSRException ex) {
         throw ex;
      }

      // Retrieve and display the certificate ARN.
      String arn = result.getCertificateArn();
      System.out.println(arn);
   }
}
```
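
The DAC sample above, like the PAI sample before it, builds the KeyUsage value with BouncyCastle's `KeyUsage.getEncoded()` and Base64-encodes it. The following Python is an added, stand-alone illustration (not part of the AWS sample) that reproduces that DER encoding with the standard library for any combination of RFC 5280 KeyUsage bits, decodes a value back into flag names, and checks that a value carries exactly the bits the two samples on this page set: keyCertSign and cRLSign for the PAI, digitalSignature for the DAC. The `MATTER_KEY_USAGE` table is an assumption drawn only from those two samples.

```python
"""Build and check the Base64 KeyUsage values the Java samples pass through CustomExtension.

Added illustration (standard library only): it reproduces the DER encoding that the
BouncyCastle KeyUsage.getEncoded() calls on this page produce, for any set of RFC 5280 bits.
"""
import base64

KEY_USAGE_OID = "2.5.29.15"  # the OID the Java samples set on the CustomExtension

# RFC 5280 section 4.2.1.3 bit positions; bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Bits the two samples on this page set (assumption drawn only from those samples):
# the PAI generateKeyUsageValue() uses keyCertSign | cRLSign, the DAC one digitalSignature.
MATTER_KEY_USAGE = {
    "PAI": frozenset({"keyCertSign", "cRLSign"}),
    "DAC": frozenset({"digitalSignature"}),
}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content as a DER tag-length-value (short-form length is enough for KeyUsage)."""
    if len(content) >= 0x80:
        raise ValueError("content too long for this helper")
    return bytes([tag, len(content)]) + content


def encode_key_usage(flags) -> bytes:
    """DER KeyUsage: a BIT STRING with trailing zero bits removed (the DER named-bit-list rule)."""
    bits = sorted(KEY_USAGE_BITS[f] for f in flags)
    if not bits:
        return der_tlv(0x03, b"\x00")                  # empty BIT STRING
    highest = bits[-1]
    body = bytearray(highest // 8 + 1)
    for b in bits:
        body[b // 8] |= 0x80 >> (b % 8)
    unused = 7 - highest % 8                            # unused low-order bits in the last octet
    return der_tlv(0x03, bytes([unused]) + bytes(body))


def key_usage_b64(flags) -> str:
    """The string to hand to CustomExtension.setValue for OID 2.5.29.15."""
    return base64.b64encode(encode_key_usage(flags)).decode("ascii")


def decode_key_usage(value: str) -> set:
    """Inverse of key_usage_b64; rejects values that are not a minimal DER BIT STRING."""
    der = base64.b64decode(value)
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bit count")
    if body and (body[-1] & ((1 << unused) - 1) or not body[-1] & (1 << unused)):
        raise ValueError("not minimal DER: unused bits set or trailing zero bits kept")
    return {name for name, bit in KEY_USAGE_BITS.items()
            if bit // 8 < len(body) and body[bit // 8] & (0x80 >> bit % 8)}


def check_matter_key_usage(role: str, value: str) -> bool:
    """True when the extension value carries exactly the bits the samples set for the role."""
    return decode_key_usage(value) == MATTER_KEY_USAGE[role]


if __name__ == "__main__":
    for role, flags in MATTER_KEY_USAGE.items():
        value = key_usage_b64(flags)
        print(f"{role}: {value} -> {sorted(decode_key_usage(value))}")
```

`check_matter_key_usage` is the useful part for review: run it on the string your build actually hands to `setValue` before issuing, and keep `setCritical(true)` as the samples do, since a relying party that cannot evaluate KeyUsage must then reject the certificate rather than silently ignore it.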

# Activate a Root CA for Node Operational Certificates (NOCs)
<a name="JavaApiCBC-ActivateRootCA"></a>

This Java example shows how to use the [RootCACertificate_APIPassthrough/V1](template-definitions.md#RootCACertificate_APIPassthrough) template definition to create and install a [Matter](https://buildwithmatter.com) Root CA certificate for issuing NOCs. The AuthorityKeyIdentifier (AKI) extension is optional for NOC Root CA certificates. To set an AKI, you must generate a Base64-encoded AKI value and pass it through a CustomExtension.

The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)

If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errors](TroubleshootPcaMatter.md) in the troubleshooting section.
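
The Java sample below derives the AKI with BouncyCastle's `createAuthorityKeyIdentifier(SubjectPublicKeyInfo)`, which implements RFC 5280 section 4.2.1.2 method (1): a SHA-1 digest of the subjectPublicKey bits, wrapped as `SEQUENCE { [0] keyIdentifier }`. The Python below is an added illustration, not part of the AWS sample; it reproduces that derivation with the standard library so the Base64 value can be computed or verified outside the JVM from the DER SubjectPublicKeyInfo of the CA's CSR. It takes a DER SPKI rather than a PEM CSR, and the P-256 point in the usage block is a constructed placeholder, not a real key.

```python
"""Derive the Base64 AuthorityKeyIdentifier value for CustomExtension from a SubjectPublicKeyInfo.

Added illustration (standard library only); it mirrors RFC 5280 section 4.2.1.2 method (1),
which is what BouncyCastle's createAuthorityKeyIdentifier(SubjectPublicKeyInfo) implements.
"""
import base64
import hashlib

AUTHORITY_KEY_IDENTIFIER_OID = "2.5.29.35"  # the OID the Java sample sets on the CustomExtension


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content as a DER tag-length-value with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read(buf: bytes, pos: int = 0):
    """Read one DER element at pos; returns (tag, content, position after the element)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def ec_p256_spki(point: bytes) -> bytes:
    """DER SubjectPublicKeyInfo for an uncompressed P-256 public key (65 bytes, 0x04 || X || Y),
    the key type the CA configuration on this page uses (EC_prime256v1)."""
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected an uncompressed P-256 point")
    ec_public_key = bytes.fromhex("2a8648ce3d0201")    # OID 1.2.840.10045.2.1
    prime256v1 = bytes.fromhex("2a8648ce3d030107")     # OID 1.2.840.10045.3.1.7
    algorithm = der_tlv(0x30, der_tlv(0x06, ec_public_key) + der_tlv(0x06, prime256v1))
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + point))


def subject_public_key_bits(spki: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING content of a DER SPKI, without the unused-bits octet."""
    tag, seq, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, after_algorithm = der_read(seq)              # skip AlgorithmIdentifier
    bit_tag, bit_string, _ = der_read(seq, after_algorithm)
    if bit_tag != 0x03 or not bit_string:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return bit_string[1:]


def authority_key_identifier_der(spki: bytes) -> bytes:
    """AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT OCTET STRING },
    with keyIdentifier = SHA-1(subjectPublicKey bits) per RFC 5280 method (1)."""
    key_id = hashlib.sha1(subject_public_key_bits(spki)).digest()
    return der_tlv(0x30, der_tlv(0x80, key_id))        # 0x80: context-specific [0], primitive


def authority_key_identifier_b64(spki: bytes) -> str:
    """The string to hand to CustomExtension.setValue for OID 2.5.29.35."""
    return base64.b64encode(authority_key_identifier_der(spki)).decode("ascii")


def key_identifier_from_b64(value: str) -> bytes:
    """Inverse check: pull the 20-byte keyIdentifier out of a Base64 AKI extension value."""
    tag, seq, _ = der_read(base64.b64decode(value))
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    inner_tag, key_id, _ = der_read(seq)
    if inner_tag != 0x80 or len(key_id) != 20:
        raise ValueError("expected a 20-byte [0] keyIdentifier")
    return key_id


if __name__ == "__main__":
    # Constructed placeholder point (not a real curve point); only its hash matters here.
    sample_point = b"\x04" + bytes(range(1, 65))
    spki = ec_p256_spki(sample_point)
    value = authority_key_identifier_b64(spki)
    print("AKI extension value:", value)
    assert key_identifier_from_b64(value) == hashlib.sha1(sample_point).digest()
```

To run this against a real CA, extract the public key from the CSR that `GetCertificateAuthorityCsr` returns (for example `openssl req -in csr.pem -pubkey -noout | openssl pkey -pubin -outform DER`) and pass those DER bytes to `authority_key_identifier_b64`. For a self-signed root, this keyIdentifier must equal the SubjectKeyIdentifier of the same certificate, so `key_identifier_from_b64` also gives you a quick consistency check on the issued certificate.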

```
package com.amazonaws.samples.matter;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;


import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;

import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;

import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;

import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;

import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;

import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemReader;

import lombok.SneakyThrows;

public class RootCAActivation {
    public static void main(String[] args) throws Exception {
        // Define the endpoint region for your sample.
        String endpointRegion = "region";  // Substitute your region here, e.g. "ap-southeast-2"

        // Define custom attributes
        List<CustomAttribute> customAttributes = Arrays.asList(
            new CustomAttribute()
                .withObjectIdentifier("1.3.6.1.4.1.37244.1.4")
                .withValue("CACACACA00000001")
        );

        // Define a CA subject.
        ASN1Subject subject = new ASN1Subject();
        subject.setCustomAttributes(customAttributes);

        // Define the CA configuration.
        CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
        configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
        configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
        configCA.withSubject(subject);

        // Define a certificate authority type
        CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT;

        // ** Execute core code samples for Root CA activation in sequence **
        AWSACMPCA client = ClientBuilder(endpointRegion);
        String rootCAArn = CreateCertificateAuthority(configCA, CAtype, client);
        String csr = GetCertificateAuthorityCsr(rootCAArn, client);
        String rootCertificateArn = IssueCertificate(rootCAArn, csr, client);
        String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client);
        ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client);
    }

    private static AWSACMPCA ClientBuilder(String endpointRegion) {
        // Retrieve your credentials from the C:\Users\name\.aws\credentials file
        // in Windows or the .aws/credentials file in Linux.
        AWSCredentials credentials = null;
        try {
            credentials = new ProfileCredentialsProvider("default").getCredentials();
        } catch (Exception e) {
            throw new AmazonClientException(
                    "Cannot load the credentials from the credential profiles file. " +
                    "Please make sure that your credentials file is at the correct " +
                    "location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
                    e);
        }

        String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
        EndpointConfiguration endpoint =
            new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
        
        // Create a client that you can use to make requests.
        AWSACMPCA client = AWSACMPCAClientBuilder.standard()
            .withEndpointConfiguration(endpoint)
            .withCredentials(new AWSStaticCredentialsProvider(credentials))
            .build();

        return client;
    }

    private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CertificateAuthorityType CAtype, AWSACMPCA client) {
        // Create the request object.
        CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
        createCARequest.withCertificateAuthorityConfiguration(configCA);
        createCARequest.withIdempotencyToken("123987");
        createCARequest.withCertificateAuthorityType(CAtype);
        
        // Create the private CA.
        CreateCertificateAuthorityResult createCAResult = null;
        try {
            createCAResult = client.createCertificateAuthority(createCARequest);
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (InvalidPolicyException ex) {
            throw ex;
        } catch (LimitExceededException ex) {
            throw ex;
        }

        // Retrieve the ARN of the private CA.
        String rootCAArn = createCAResult.getCertificateAuthorityArn();
        System.out.println("Root CA Arn: " + rootCAArn);
        
        return rootCAArn;
    }

    private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) {

        // Create the CSR request object and set the CA ARN.
        GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
        csrRequest.withCertificateAuthorityArn(rootCAArn);

        // Create waiter to wait on successful creation of the CSR file.
        Waiter<GetCertificateAuthorityCsrRequest> getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
        try {
            getCSRWaiter.run(new WaiterParameters<>(csrRequest));
        } catch (WaiterUnrecoverableException e) {
            //Explicit short circuit when the resource transitions into
            //an undesired state.
        } catch (WaiterTimedOutException e) {
            //Failed to transition into desired state even after polling.
        } catch (AWSACMPCAException e) {
            //Unexpected service exception.
        }

        // Retrieve the CSR.
        GetCertificateAuthorityCsrResult csrResult = null;
        try {
            csrResult = client.getCertificateAuthorityCsr(csrRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }

        // Retrieve and display the CSR;
        String csr = csrResult.getCsr();
        System.out.println(csr);

        return csr;
    }

    @SneakyThrows
    private static String generateAuthorityKeyIdentifier(final String csrPEM) {
        PKCS10CertificationRequest csr = getPKCS10CertificationRequest(csrPEM);
        SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo();
        
        JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
        byte[] akiBytes = extensionUtils.createAuthorityKeyIdentifier(spki).getEncoded();

        return Base64.getEncoder().encodeToString(akiBytes);
    }

    @SneakyThrows
    private static PKCS10CertificationRequest getPKCS10CertificationRequest(final String csrPEM) {
        ByteArrayInputStream bais = new ByteArrayInputStream(csrPEM.getBytes(StandardCharsets.UTF_8));
        // PEMParser is a Reader; try-with-resources closes it and the underlying stream.
        try (PEMParser parser = new PEMParser(new PemReader(new InputStreamReader(bais, StandardCharsets.UTF_8)))) {
            Object o = parser.readObject();
            if (o instanceof PKCS10CertificationRequest) {
                return (PKCS10CertificationRequest) o;
            }
            // Fail here rather than return null, which would only surface later as a NullPointerException.
            throw new IllegalArgumentException("The supplied PEM does not contain a PKCS#10 certification request.");
        }
    }

    private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {

        // Create a certificate request:
        IssueCertificateRequest issueRequest = new IssueCertificateRequest();

        // Set the CA ARN.
        issueRequest.withCertificateAuthorityArn(rootCAArn);

        // Set the template ARN.
        issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1");

        ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
        issueRequest.setCsr(csrByteBuffer);

        // Set the signing algorithm.
        issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);

        // Set the validity period for the certificate to be issued.
        Validity validity = new Validity();
        validity.withValue(3650L);
        validity.withType("DAYS");
        issueRequest.withValidity(validity);

        // Set the idempotency token.
        issueRequest.setIdempotencyToken("1234");

        // Generate Base64 encoded extension value for AuthorityKeyIdentifier
        String base64EncodedExtValue = generateAuthorityKeyIdentifier(csr);
  
        // Generate custom extension
        CustomExtension customExtension = new CustomExtension();
        customExtension.setObjectIdentifier("2.5.29.35"); // AuthorityKeyIdentifier Extension OID
        customExtension.setValue(base64EncodedExtValue);
  
        // Add custom extension to api-passthrough
        ApiPassthrough apiPassthrough = new ApiPassthrough();
        Extensions extensions = new Extensions();
        extensions.setCustomExtensions(Arrays.asList(customExtension));
        apiPassthrough.setExtensions(extensions);
        issueRequest.setApiPassthrough(apiPassthrough);

        // Issue the certificate.
        IssueCertificateResult issueResult = null;
        try {
            issueResult = client.issueCertificate(issueRequest);
        } catch (LimitExceededException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (MalformedCSRException ex) {
            throw ex;
        }

        // Retrieve and display the certificate ARN.
        String rootCertificateArn = issueResult.getCertificateArn();
        System.out.println("Root Certificate Arn: " + rootCertificateArn);

        return rootCertificateArn;
    }
    
    private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) {

        // Create a request object.
        GetCertificateRequest certificateRequest = new GetCertificateRequest();

        // Set the certificate ARN.
        certificateRequest.withCertificateArn(rootCertificateArn);

        // Set the certificate authority ARN.
        certificateRequest.withCertificateAuthorityArn(rootCAArn);
                
        // Create waiter to wait on successful creation of the certificate file.
        Waiter<GetCertificateRequest> getCertificateWaiter = client.waiters().certificateIssued();
        try {
            getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
        } catch (WaiterUnrecoverableException e) {
            // Explicit short circuit when the resource transitions into
            // an undesired state; rethrow rather than continue with no certificate.
            throw e;
        } catch (WaiterTimedOutException e) {
            // Failed to transition into the desired state even after polling.
            throw e;
        } catch (AWSACMPCAException e) {
            // Unexpected service exception.
            throw e;
        }

        // Retrieve the certificate and certificate chain.
        GetCertificateResult certificateResult = null;
        try {
            certificateResult = client.getCertificate(certificateRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        }

        // Get the certificate and certificate chain and display the result.
        String rootCertificate = certificateResult.getCertificate();
        System.out.println(rootCertificate);

        return rootCertificate;
    }

    private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) {

        // Create the request object and set the signed certificate, chain and CA ARN.
        ImportCertificateAuthorityCertificateRequest importRequest =
            new ImportCertificateAuthorityCertificateRequest();

        ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate);
        importRequest.setCertificate(certByteBuffer);

        // A root CA certificate is self-signed, so there is no chain to import.
        importRequest.setCertificateChain(null);

        // Set the certificate authority ARN.
        importRequest.withCertificateAuthorityArn(rootCAArn);

        // Import the certificate.
        try {
            client.importCertificateAuthorityCertificate(importRequest);
        } catch (CertificateMismatchException ex) {
            throw ex;
        } catch (MalformedCertificateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ConcurrentModificationException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }

        System.out.println("Root CA certificate successfully imported.");
        System.out.println("Root CA activated successfully.");
    }
    
    private static ByteBuffer stringToByteBuffer(final String string) {
        if (Objects.isNull(string)) {
            return null;
        }
        byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.wrap(bytes);
    }
}
```

# Activate a subordinate CA for Node Operating Certificates (NOCs)
<a name="JavaApiCBC-IntermediateCAActivation"></a>

This Java sample shows how to use the [BlankSubordinateCACertificate\_PathLen0\_APIPassthrough/V1 definition](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough) template to issue and install a [Matter](https://buildwithmatter.com) Subordinate CA certificate for issuing NOCs. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.

The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
+ [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)

If you encounter problems, see the troubleshooting section [Resolve errors in AWS Private CA Matter-compliant certificates](TroubleshootPcaMatter.md).

```
package com.amazonaws.samples.matter;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;


import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;

import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;

import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.Validity;

import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;

import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;

import lombok.SneakyThrows;

public class IntermediateCAActivation {

    public static void main(String[] args) throws Exception {
        // Place your own Root CA ARN here.
        String rootCAArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012";

        // Define the endpoint region for your sample.
        String endpointRegion = "region";  // Substitute your region here, e.g. "ap-southeast-2"

        // Define custom attributes
        List<CustomAttribute> customAttributes = Arrays.asList(
            new CustomAttribute()
                .withObjectIdentifier("1.3.6.1.4.1.37244.1.3")
                .withValue("CACACACA00000003")
        );

        // Define a CA subject.
        ASN1Subject subject = new ASN1Subject();
        subject.setCustomAttributes(customAttributes);

        // Define the CA configuration.
        CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
        configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
        configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
        configCA.withSubject(subject);

        // Define a certificate authority type
        CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE;

        // ** Execute core code samples for Subordinate CA activation in sequence **
        AWSACMPCA client = ClientBuilder(endpointRegion);
        String rootCertificate = GetCertificateAuthorityCertificate(rootCAArn, client);
        String subordinateCAArn = CreateCertificateAuthority(configCA, CAtype, client);
        String csr = GetCertificateAuthorityCsr(subordinateCAArn, client);
        String subordinateCertificateArn = IssueCertificate(rootCAArn, csr, client);
        String subordinateCertificate = GetCertificate(subordinateCertificateArn, rootCAArn, client);
        ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client);

    }

    private static AWSACMPCA ClientBuilder(String endpointRegion) {
        // Get your credentials from the C:\Users\name\.aws\credentials file
        // in Windows or the .aws/credentials file in Linux.
        AWSCredentials credentials = null;
        try {
            credentials = new ProfileCredentialsProvider("default").getCredentials();
        } catch (Exception e) {
            throw new AmazonClientException(
                    "Cannot load the credentials from the credential profiles file. " +
                    "Please make sure that your credentials file is at the correct " +
                    "location (C:\\Users\\name\\.aws\\credentials), and is in valid format.",
                    e);
        }

        String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
        EndpointConfiguration endpoint =
            new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
        
        // Create a client that you can use to make requests.
        AWSACMPCA client = AWSACMPCAClientBuilder.standard()
            .withEndpointConfiguration(endpoint)
            .withCredentials(new AWSStaticCredentialsProvider(credentials))
            .build();

        return client;
    }

    private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) {
        // ** GetCertificateAuthorityCertificate **

        // Create a request object and set the certificate authority ARN.
        GetCertificateAuthorityCertificateRequest getCACertificateRequest =
            new GetCertificateAuthorityCertificateRequest();
        getCACertificateRequest.withCertificateAuthorityArn(rootCAArn);

        // Create a result object.
        GetCertificateAuthorityCertificateResult getCACertificateResult = null;
        try {
            getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest);
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        }

        // Get and display the certificate information.
        String rootCertificate = getCACertificateResult.getCertificate();
        System.out.println("Root CA Certificate / Certificate Chain:");
        System.out.println(rootCertificate);

        return rootCertificate;
    }

    private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CertificateAuthorityType CAtype, AWSACMPCA client) {
        // Create the request object.
        CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
        createCARequest.withCertificateAuthorityConfiguration(configCA);
        createCARequest.withIdempotencyToken("123987");
        createCARequest.withCertificateAuthorityType(CAtype);

        // Create the private CA.
        CreateCertificateAuthorityResult createCAResult = null;
        try {
            createCAResult = client.createCertificateAuthority(createCARequest);
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (InvalidPolicyException ex) {
            throw ex;
        } catch (LimitExceededException ex) {
            throw ex;
        }

        // Retrieve the ARN of the private CA.
        String subordinateCAArn = createCAResult.getCertificateAuthorityArn();
        System.out.println("Subordinate CA Arn: " + subordinateCAArn);

        return subordinateCAArn;
    }

    private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) {

        // Create the CSR request object and set the CA ARN.
        GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
        csrRequest.withCertificateAuthorityArn(subordinateCAArn);

        // Create waiter to wait on successful creation of the CSR file.
        Waiter<GetCertificateAuthorityCsrRequest> getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
        try {
            getCSRWaiter.run(new WaiterParameters<>(csrRequest));
        } catch (WaiterUnrecoverableException e) {
            // Explicit short circuit when the resource transitions into
            // an undesired state; rethrow rather than continue with no CSR.
            throw e;
        } catch (WaiterTimedOutException e) {
            // Failed to transition into the desired state even after polling.
            throw e;
        } catch (AWSACMPCAException e) {
            // Unexpected service exception.
            throw e;
        }

        // Get the CSR.
        GetCertificateAuthorityCsrResult csrResult = null;
        try {
            csrResult = client.getCertificateAuthorityCsr(csrRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }

        // Get and display the CSR.
        String csr = csrResult.getCsr();
        System.out.println("Subordinate CSR:");
        System.out.println(csr);

        return csr;
    }

    private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {

        // Create a certificate request:
        IssueCertificateRequest issueRequest = new IssueCertificateRequest();

        // Set the issuing CA ARN.
        issueRequest.withCertificateAuthorityArn(rootCAArn);

        // Set the template ARN.
        issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1");

        ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
        issueRequest.setCsr(csrByteBuffer);

        // Set the signing algorithm.
        issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);

        // Set the validity period for the certificate to be issued.
        Validity validity = new Validity();
        validity.withValue(730L); // Approximately two years
        validity.withType("DAYS");
        issueRequest.withValidity(validity);

        // Set the idempotency token.
        issueRequest.setIdempotencyToken("1234");

        ApiPassthrough apiPassthrough = new ApiPassthrough();

        // Generate Base64 encoded extension value for KeyUsage (keyCertSign | cRLSign)
        String base64EncodedKUValue = generateKeyUsageValue();

        // Generate custom extension
        CustomExtension customKeyUsageExtension = new CustomExtension();
        customKeyUsageExtension.setObjectIdentifier("2.5.29.15");
        customKeyUsageExtension.setValue(base64EncodedKUValue);
        customKeyUsageExtension.setCritical(true);

        // Set KeyUsage extension to api passthrough
        Extensions extensions = new Extensions();
        extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension));
        apiPassthrough.setExtensions(extensions);
        issueRequest.setApiPassthrough(apiPassthrough);

        // Issue the certificate.
        IssueCertificateResult issueResult = null;
        try {
            issueResult = client.issueCertificate(issueRequest);
        } catch (LimitExceededException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidArgsException ex) {
            throw ex;
        } catch (MalformedCSRException ex) {
            throw ex;
        }

        // Get and display the certificate ARN.
        String subordinateCertificateArn = issueResult.getCertificateArn();
        System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn);

        return subordinateCertificateArn;
    }

    @SneakyThrows
    private static String generateKeyUsageValue() {
       KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
       byte[] kuBytes = keyUsage.getEncoded();
       return Base64.getEncoder().encodeToString(kuBytes);
    }

    private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) {

        // Create a request object.
        GetCertificateRequest certificateRequest = new GetCertificateRequest();

        // Set the certificate ARN.
        certificateRequest.withCertificateArn(subordinateCertificateArn);

        // Set the certificate authority ARN.
        certificateRequest.withCertificateAuthorityArn(rootCAArn);
                
        // Create waiter to wait on successful creation of the certificate file.
        Waiter<GetCertificateRequest> getCertificateWaiter = client.waiters().certificateIssued();
        try {
            getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
        } catch (WaiterUnrecoverableException e) {
            // Explicit short circuit when the resource transitions into
            // an undesired state; rethrow rather than continue with no certificate.
            throw e;
        } catch (WaiterTimedOutException e) {
            // Failed to transition into the desired state even after polling.
            throw e;
        } catch (AWSACMPCAException e) {
            // Unexpected service exception.
            throw e;
        }

        // Get the certificate and certificate chain.
        GetCertificateResult certificateResult = null;
        try {
            certificateResult = client.getCertificate(certificateRequest);
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (InvalidStateException ex) {
            throw ex;
        }

        // Get the certificate and certificate chain and display the result.
        String subordinateCertificate = certificateResult.getCertificate();
        System.out.println("Subordinate CA Certificate:");
        System.out.println(subordinateCertificate);

        return subordinateCertificate;
    }

    private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) {

        // Create the request object and set the signed certificate, chain and CA ARN.
        ImportCertificateAuthorityCertificateRequest importRequest =
            new ImportCertificateAuthorityCertificateRequest();

        ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate);
        importRequest.setCertificate(certByteBuffer);

        ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate);
        importRequest.setCertificateChain(rootCACertByteBuffer);

        // Set the certificate authority ARN.
        importRequest.withCertificateAuthorityArn(subordinateCAArn);

        // Import the certificate.
        try {
            client.importCertificateAuthorityCertificate(importRequest);
        } catch (CertificateMismatchException ex) {
            throw ex;
        } catch (MalformedCertificateException ex) {
            throw ex;
        } catch (InvalidArnException ex) {
            throw ex;
        } catch (ResourceNotFoundException ex) {
            throw ex;
        } catch (RequestInProgressException ex) {
            throw ex;
        } catch (ConcurrentModificationException ex) {
            throw ex;
        } catch (RequestFailedException ex) {
            throw ex;
        }
        System.out.println("Subordinate CA certificate successfully imported.");
        System.out.println("Subordinate CA activated successfully.");
    }

    private static ByteBuffer stringToByteBuffer(final String string) {
        if (Objects.isNull(string)) {
            return null;
        }
        byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
        return ByteBuffer.wrap(bytes);
    }
}
```

# Create a Node Operating Certificate (NOC)
<a name="JavaApiCBC-NodeOperatingCertificate"></a>

This Java sample shows how to use the [BlankEndEntityCertificate\_CriticalBasicConstraints\_APIPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough) template to create a [Matter](https://buildwithmatter.com) Node Operating Certificate. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.

The example calls the following AWS Private CA API action:
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)

If you encounter problems, see the troubleshooting section [Resolve errors in AWS Private CA Matter-compliant certificates](TroubleshootPcaMatter.md).

```
package com.amazonaws.samples.matter;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;

import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;

import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;

import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;

import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;

import lombok.SneakyThrows;

public class IssueNodeOperatingCertificate {
   public static ByteBuffer stringToByteBuffer(final String string) {
      if (Objects.isNull(string)) {
          return null;
      }
      byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
      return ByteBuffer.wrap(bytes);
   }

   @SneakyThrows
   private static String generateExtendedKeyUsageValue() {
      KeyPurposeId[] keyPurposeIds = new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth };
      ExtendedKeyUsage eku = new ExtendedKeyUsage(keyPurposeIds);
      byte[] ekuBytes = eku.getEncoded();
      return Base64.getEncoder().encodeToString(ekuBytes);
   }

   @SneakyThrows
   private static String generateKeyUsageValue() {
      KeyUsage keyUsage = new KeyUsage(X509KeyUsage.digitalSignature);
      byte[] kuBytes = keyUsage.getEncoded();
      return Base64.getEncoder().encodeToString(kuBytes);
   }

   public static void main(String[] args) throws Exception {

      // Retrieve your credentials from the C:\Users\name\.aws\credentials file
      // in Windows or the .aws/credentials file in Linux.
      AWSCredentials credentials = null;
      try {
          credentials = new ProfileCredentialsProvider("default").getCredentials();
      } catch (Exception e) {
          throw new AmazonClientException("Cannot load your credentials from disk", e);
      }

      // Define the endpoint for your sample.
      String endpointRegion = "region";  // Substitute your region here, e.g. "ap-southeast-2"
      String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
      EndpointConfiguration endpoint =
          new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);

      // Create a client that you can use to make requests.
      AWSACMPCA client = AWSACMPCAClientBuilder.standard()
          .withEndpointConfiguration(endpoint)
          .withCredentials(new AWSStaticCredentialsProvider(credentials))
          .build();

      // Create a certificate request:
      IssueCertificateRequest req = new IssueCertificateRequest();

      // Set the CA ARN.
      req.withCertificateAuthorityArn("arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012");

      // Specify the certificate signing request (CSR) for the certificate to be signed and issued.
      String strCSR =
      "-----BEGIN CERTIFICATE REQUEST-----\n" +
      "base64-encoded certificate\n" +
      "-----END CERTIFICATE REQUEST-----\n";
      ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR);
      req.setCsr(csrByteBuffer);

      // Specify the template for the issued certificate.
      req.withTemplateArn("arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1");

      // Set the signing algorithm.
      req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);

      // Set the validity period for the certificate to be issued.
      Validity validity = new Validity();
      validity.withValue(10L);
      validity.withType("DAYS");
      req.withValidity(validity);

      // Set the idempotency token.
      req.setIdempotencyToken("1234");

      // Define custom attributes
      List<CustomAttribute> customAttributes = Arrays.asList(
         new CustomAttribute()
            .withObjectIdentifier("1.3.6.1.4.1.37244.1.1")
            .withValue("DEDEDEDE00010001"),
         new CustomAttribute()
            .withObjectIdentifier("1.3.6.1.4.1.37244.1.5")
            .withValue("FAB000000000001D")
      );

      // Define a cert subject.
      ASN1Subject subject = new ASN1Subject();
      subject.setCustomAttributes(customAttributes);

      ApiPassthrough apiPassthrough = new ApiPassthrough();
      apiPassthrough.setSubject(subject);

      // Generate Base64 encoded extension value for KeyUsage (digitalSignature)
      String base64EncodedKUValue = generateKeyUsageValue();

      // Generate custom extension
      CustomExtension customKeyUsageExtension = new CustomExtension();
      customKeyUsageExtension.setObjectIdentifier("2.5.29.15");
      customKeyUsageExtension.setValue(base64EncodedKUValue);
      customKeyUsageExtension.setCritical(true);

      // Generate Base64 encoded extension value for ExtendedKeyUsage
      String base64EncodedEKUValue = generateExtendedKeyUsageValue();

      CustomExtension customExtendedKeyUsageExtension = new CustomExtension();
      customExtendedKeyUsageExtension.setObjectIdentifier("2.5.29.37"); // ExtendedKeyUsage Extension OID
      customExtendedKeyUsageExtension.setValue(base64EncodedEKUValue);
      customExtendedKeyUsageExtension.setCritical(true);
      
      // Set KeyUsage and ExtendedKeyUsage extension to api-passthrough
      Extensions extensions = new Extensions();
      extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension, customExtendedKeyUsageExtension));
      apiPassthrough.setExtensions(extensions);
      req.setApiPassthrough(apiPassthrough);

      // Issue the certificate.
      IssueCertificateResult result = null;
      try {
         result = client.issueCertificate(req);
      } catch (LimitExceededException ex) {
         throw ex;
      } catch (ResourceNotFoundException ex) {
         throw ex;
      } catch (InvalidStateException ex) {
         throw ex;
      } catch (InvalidArnException ex) {
         throw ex;
      } catch (InvalidArgsException ex) {
         throw ex;
      } catch (MalformedCSRException ex) {
         throw ex;
      }

      // Retrieve and display the certificate ARN.
      String arn = result.getCertificateArn();
      System.out.println(arn);
   }
}
```
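The Base64 strings that both the subordinate CA sample and the NOC sample above pass to `CustomExtension.setValue` are the DER encodings of the extension content itself: the KeyUsage BIT STRING and the ExtendedKeyUsage SEQUENCE OF OBJECT IDENTIFIER, exactly what the samples' BouncyCastle helpers return from `getEncoded()`. The block below is an added example, not AWS sample code and not part of this page: it builds the same three values with the Python standard library only and decodes them back, so you can check what a value means before handing it to an API-passthrough template (the CA signs whatever is passed through). Bit positions and key-purpose OIDs come from RFC 5280; the function names are this example's own, not AWS Private CA or BouncyCastle APIs.

```python
# Added example: build and inspect the Base64/DER CustomExtension values that
# the Matter samples pass for KeyUsage (OID 2.5.29.15) and ExtendedKeyUsage
# (OID 2.5.29.37). Standard library only; function names are this example's own.
import base64

# RFC 5280 KeyUsage bit positions; bit 0 is the most significant bit of the
# first content octet of the BIT STRING.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}
# RFC 5280 extended key purposes used by the NOC sample.
KEY_PURPOSE_OIDS = {"serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2"}
OID_NAMES = {v: k for k, v in KEY_PURPOSE_OIDS.items()}


def _tlv(tag, content):
    """DER tag-length-value; short-form length suffices for values this small."""
    if len(content) >= 128:
        raise ValueError("long-form length not needed for extension values this size")
    return bytes([tag, len(content)]) + content


def encode_key_usage(*names):
    """DER BIT STRING with the named bits set and DER-minimal trailing bits."""
    highest = max(KEY_USAGE_BITS[n] for n in names)
    content = bytearray(highest // 8 + 1)
    for n in names:
        bit = KEY_USAGE_BITS[n]
        content[bit // 8] |= 0x80 >> (bit % 8)
    unused = len(content) * 8 - (highest + 1)   # DER drops trailing zero bits
    return _tlv(0x03, bytes([unused]) + bytes(content))


def decode_key_usage(der):
    """Inverse of encode_key_usage: the set of bit names carried by the value."""
    if der[0] != 0x03 or len(der) != 2 + der[1]:
        raise ValueError("not a single DER BIT STRING")
    unused, content = der[2], der[3:]
    total = len(content) * 8 - unused
    return {n for n, b in KEY_USAGE_BITS.items()
            if b < total and content[b // 8] & (0x80 >> (b % 8))}


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER with base-128 arc encoding."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_extended_key_usage(*purposes):
    """DER SEQUENCE OF OBJECT IDENTIFIER, keeping the order given."""
    return _tlv(0x30, b"".join(encode_oid(KEY_PURPOSE_OIDS[p]) for p in purposes))


def decode_extended_key_usage(der):
    """Key purposes in order: names where known, otherwise dotted OIDs."""
    if der[0] != 0x30 or len(der) != 2 + der[1]:
        raise ValueError("not a single DER SEQUENCE")
    out, i = [], 2
    while i < len(der):
        if der[i] != 0x06:
            raise ValueError("non-OID element inside ExtendedKeyUsage")
        length, body = der[i + 1], der[i + 2:i + 2 + der[i + 1]]
        arcs, acc = [body[0] // 40, body[0] % 40], 0
        for byte in body[1:]:
            acc = (acc << 7) | (byte & 0x7F)
            if not byte & 0x80:
                arcs.append(acc)
                acc = 0
        dotted = ".".join(map(str, arcs))
        out.append(OID_NAMES.get(dotted, dotted))
        i += 2 + length
    return out


def to_b64(der):
    return base64.b64encode(der).decode("ascii")


def from_b64(value):
    return base64.b64decode(value)


# The three values the page's samples pass via CustomExtension.setValue.
def subordinate_ca_key_usage_value():   # OID 2.5.29.15, marked critical
    return to_b64(encode_key_usage("keyCertSign", "cRLSign"))


def noc_key_usage_value():              # OID 2.5.29.15, marked critical
    return to_b64(encode_key_usage("digitalSignature"))


def noc_extended_key_usage_value():     # OID 2.5.29.37, marked critical
    return to_b64(encode_extended_key_usage("clientAuth", "serverAuth"))


if __name__ == "__main__":
    ku = subordinate_ca_key_usage_value()
    print(ku, sorted(decode_key_usage(from_b64(ku))))
```

The Base64 value carries only the extension content; the OID and the criticality flag travel in the other `CustomExtension` fields, which is why the samples call `setObjectIdentifier` and `setCritical(true)` separately. Run `decode_key_usage` or `decode_extended_key_usage` on any value you are about to pass through: a KeyUsage that decodes to more bits than the profile calls for, or an ExtendedKeyUsage missing a purpose, is cheaper to catch here than after the CA has signed it.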