# Use AWS Private CA to implement Matter certificates
You can use the AWS Private Certificate Authority API to create certificates that conform to the [Matter connectivity standard](https://github.com/project-chip/connectedhomeip). Matter specifies certificate configurations that improve the security and consistency of internet of things (IoT) devices across multiple engineering platforms. For more information about Matter, see [buildwithmatter.com](https://buildwithmatter.com).
Matter 1.2, released in October 2023, supports DAC revocation using Certificate Revocation Lists (CRLs). To help you conform to the current Matter standard, when you enable CRL revocation for CAs that issue Matter certificates, in the `CrlConfiguration` object, in the `CrlDistributionPointExtensionConfiguration` structure, set `OmitExtension` to `true`.
Typically, CAs embed the CRL Distribution Point (CDP) in the certificates they issue so that the relying parties performing certificate chain validation can fetch the CRL and check the certificate status. In Matter, the CDP URI is not written to certificates. Instead, users fetch CDPs from the Matter Distributed Compliance Ledger (DCL), the trusted Matter data store. You must upload the CDP URI to the Matter DCL so that it can be discovered when validating DACs. For more information about determining the CDP URI, see [Determining the CRL Distribution Point (CDP) URI](crl-planning.md#crl-url). For more information about Matter, see the [Matter standard home page](https://csa-iot.org/all-solutions/matter/).
**Topics**
+ [Activate a Product Attestation Authority (PAA)](JavaApiCBC-ProductAttestationAuthorityActivation.md)
+ [Activate an Product Attestation Intermediate (PAI)](JavaApiCBC-ProductAttestationIntermediateActivation.md)
+ [Create a Device Attestation Certificate (DAC)](JavaApiCBC-DeviceAttestationCertificate.md)
+ [Activate a Root CA for Node Operational Certificates (NOC).](JavaApiCBC-ActivateRootCA.md)
+ [Activate a Subordinate CA for Node Operational Certificates (NOC)](JavaApiCBC-IntermediateCAActivation.md)
+ [Create a Node Operational Certificate (NOC)](JavaApiCBC-NodeOperatingCertificate.md)
# Activate a Product Attestation Authority (PAA)
This Java sample shows how to use the [RootCACertificate\$1APIPassthrough/V1 definition](template-definitions.md#RootCACertificate_APIPassthrough) template to create and install a [Matter](https://buildwithmatter.com) Root CA (PAA) certificate for product attestation. The AuthorityKeyIdentifier (AKI) extension is optional for PAAs. To set an AKI, you must generate a Base64-encoded AKI value and pass it through a CustomExtension.
The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errorsMatter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
```
package com.amazonaws.samples.matter;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.samples.GetCertificateAuthorityCertificate;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;
import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemReader;
import lombok.SneakyThrows;
public class ProductAttestationAuthorityActivation {
public static void main(String[] args) throws Exception {
// Define the endpoint region for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2"
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.3") // CommonName
.withValue("Matter Test PAA"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID
.withValue("FFF1")
);
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
configCA.withSubject(subject);
// Define a CRL distribution point extension configuration
CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration();
CDPConfigure.withOmitExtension(true);
// Define a certificate revocation list configuration.
CrlConfiguration crlConfigure = new CrlConfiguration();
crlConfigure.withEnabled(true);
crlConfigure.withExpirationInDays(365);
crlConfigure.withCustomCname(null);
crlConfigure.withS3BucketName("your-bucket-name");
crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL");
crlConfigure.withCrlDistributionPointExtensionConfiguration(CDPConfigure);
// Define a certificate authority type
CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT;
// ** Execute core code samples for Root CA activation in sequence **
AWSACMPCA client = ClientBuilder(endpointRegion);
String rootCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client);
String csr = GetCertificateAuthorityCsr(rootCAArn, client);
String rootCertificateArn = IssueCertificate(rootCAArn, csr, client);
String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client);
ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client);
}
private static AWSACMPCA ClientBuilder(String endpointRegion) {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
e);
}
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
return client;
}
private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) {
RevocationConfiguration revokeConfig = new RevocationConfiguration();
revokeConfig.setCrlConfiguration(crlConfigure);
// Create the request object.
CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
createCARequest.withCertificateAuthorityConfiguration(configCA);
createCARequest.withIdempotencyToken("123987");
createCARequest.withCertificateAuthorityType(CAtype);
createCARequest.withRevocationConfiguration(revokeConfig);
// Create the private CA.
CreateCertificateAuthorityResult createCAResult = null;
try {
createCAResult = client.createCertificateAuthority(createCARequest);
} catch (InvalidArgsException ex) {
throw ex;
} catch (InvalidPolicyException ex) {
throw ex;
} catch (LimitExceededException ex) {
throw ex;
}
// Retrieve the ARN of the private CA.
String rootCAArn = createCAResult.getCertificateAuthorityArn();
System.out.println("Product Attestation Authority (PAA) Arn: " + rootCAArn);
return rootCAArn;
}
private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) {
// Create the CSR request object and set the CA ARN.
GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
csrRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the CSR file.
Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
try {
getCSRWaiter.run(new WaiterParameters<>(csrRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch (AWSACMPCAException e) {
//Unexpected service exception.
}
// Retrieve the CSR.
GetCertificateAuthorityCsrResult csrResult = null;
try {
csrResult = client.getCertificateAuthorityCsr(csrRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
// Retrieve and display the CSR;
String csr = csrResult.getCsr();
System.out.println(csr);
return csr;
}
@SneakyThrows
private static String generateAuthorityKeyIdentifier(final String csrPEM) {
PKCS10CertificationRequest csr = getPKCS10CertificationRequest(csrPEM);
SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo();
JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
byte[] akiBytes = extensionUtils.createAuthorityKeyIdentifier(spki).getEncoded();
return Base64.getEncoder().encodeToString(akiBytes);
}
@SneakyThrows
private static PKCS10CertificationRequest getPKCS10CertificationRequest(final String csrPEM) {
ByteArrayInputStream bais = new ByteArrayInputStream(csrPEM.getBytes());
PemReader pemReader = new PemReader(new InputStreamReader(bais));
PEMParser parser = new PEMParser(pemReader);
Object o = parser.readObject();
if (o instanceof PKCS10CertificationRequest) {
return (PKCS10CertificationRequest) o;
}
return null;
}
private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {
// Create a certificate request:
IssueCertificateRequest issueRequest = new IssueCertificateRequest();
// Set the CA ARN.
issueRequest.withCertificateAuthorityArn(rootCAArn);
// Set the template ARN.
issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1");
ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
issueRequest.setCsr(csrByteBuffer);
// Set the signing algorithm.
issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(3650L);
validity.withType("DAYS");
issueRequest.withValidity(validity);
// Set the idempotency token.
issueRequest.setIdempotencyToken("1234");
// Generate Base64 encoded extension value for AuthorityKeyIdentifier
String base64EncodedExtValue = generateAuthorityKeyIdentifier(csr);
// Generate custom extension
CustomExtension customExtension = new CustomExtension();
customExtension.setObjectIdentifier("2.5.29.35"); // AuthorityKeyIdentifier Extension OID
customExtension.setValue(base64EncodedExtValue);
// Add custom extension to api-passthrough
ApiPassthrough apiPassthrough = new ApiPassthrough();
Extensions extensions = new Extensions();
extensions.setCustomExtensions(Arrays.asList(customExtension));
apiPassthrough.setExtensions(extensions);
issueRequest.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult issueResult = null;
try {
issueResult = client.issueCertificate(issueRequest);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String rootCertificateArn = issueResult.getCertificateArn();
System.out.println("Product Attestation Authority (PAA) Certificate Arn: " + rootCertificateArn);
return rootCertificateArn;
}
private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) {
// Create a request object.
GetCertificateRequest certificateRequest = new GetCertificateRequest();
// Set the certificate ARN.
certificateRequest.withCertificateArn(rootCertificateArn);
// Set the certificate authority ARN.
certificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the certificate file.
Waiter getCertificateWaiter = client.waiters().certificateIssued();
try {
getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch (AWSACMPCAException e) {
//Unexpected service exception.
}
// Retrieve the certificate and certificate chain.
GetCertificateResult certificateResult = null;
try {
certificateResult = client.getCertificate(certificateRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
}
// Get the certificate and certificate chain and display the result.
String rootCertificate = certificateResult.getCertificate();
System.out.println(rootCertificate);
return rootCertificate;
}
private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) {
// Create the request object and set the signed certificate, chain and CA ARN.
ImportCertificateAuthorityCertificateRequest importRequest =
new ImportCertificateAuthorityCertificateRequest();
ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate);
importRequest.setCertificate(certByteBuffer);
importRequest.setCertificateChain(null);
// Set the certificate authority ARN.
importRequest.withCertificateAuthorityArn(rootCAArn);
// Import the certificate.
try {
client.importCertificateAuthorityCertificate(importRequest);
} catch (CertificateMismatchException ex) {
throw ex;
} catch (MalformedCertificateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (RequestInProgressException ex) {
throw ex;
} catch (ConcurrentModificationException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
System.out.println("Product Attestation Authority (PAA) certificate successfully imported.");
System.out.println("Product Attestation Authority (PAA) activated successfully.");
}
private static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
}
```
# Activate an Product Attestation Intermediate (PAI)
This Java sample shows how to use the [BlankSubordinateCACertificate\$1PathLen0\$1APIPassthrough/V1 definition](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough) template to create and install a [Matter](https://buildwithmatter.com) Subordinate CA (PAI) certificate for product attestation. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.
The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
+ [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)
If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errorsMatter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
```
package com.amazonaws.samples.matter;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CrlDistributionPointExtensionConfiguration;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;
import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;
import lombok.SneakyThrows;
public class ProductAttestationIntermediateActivation {
public static void main(String[] args) throws Exception {
// Place your own Root CA ARN here.
String paaArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012";
// Define the endpoint region for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2"
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.3") // CommonName
.withValue("Matter Test PAI"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.2.1") // Vendor ID
.withValue("FFF1"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.2.2") // Product ID
.withValue("8000")
);
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
configCA.withSubject(subject);
// Define a CRL distribution point extension configuration
CrlDistributionPointExtensionConfiguration CDPConfigure = new CrlDistributionPointExtensionConfiguration();
CDPConfigure.withOmitExtension(true);
// Define a certificate revocation list configuration.
CrlConfiguration crlConfigure = new CrlConfiguration();
crlConfigure.withEnabled(true);
crlConfigure.withExpirationInDays(365);
crlConfigure.withCustomCname(null);
crlConfigure.withS3BucketName("your-bucket-name");
crlConfigure.withS3ObjectAcl("BUCKET_OWNER_FULL_CONTROL");
crlConfigure.withCrlDistributionPointConfiguration(CDPConfigure);
// Define a certificate authority type
CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE;
// ** Execute core code samples for Subordinate CA activation in sequence **
AWSACMPCA client = ClientBuilder(endpointRegion);
String rootCertificate = GetCertificateAuthorityCertificate(paaArn, client);
String subordinateCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client);
String csr = GetCertificateAuthorityCsr(subordinateCAArn, client);
String subordinateCertificateArn = IssueCertificate(paaArn, csr, client);
String subordinateCertificate = GetCertificate(subordinateCertificateArn, paaArn, client);
ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client);
}
private static AWSACMPCA ClientBuilder(String endpointRegion) {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
e);
}
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
return client;
}
private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) {
// ** GetCertificateAuthorityCertificate **
// Create a request object and set the certificate authority ARN,
GetCertificateAuthorityCertificateRequest getCACertificateRequest =
new GetCertificateAuthorityCertificateRequest();
getCACertificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create a result object.
GetCertificateAuthorityCertificateResult getCACertificateResult = null;
try {
getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest);
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
}
// Retrieve and display the certificate information.
String rootCertificate = getCACertificateResult.getCertificate();
System.out.println("Product Attestation Authority (PAA) Certificate / Certificate Chain:");
System.out.println(rootCertificate);
return rootCertificate;
}
private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) {
RevocationConfiguration revokeConfig = new RevocationConfiguration();
revokeConfig.setCrlConfiguration(crlConfigure);
// Create the request object.
CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
createCARequest.withCertificateAuthorityConfiguration(configCA);
createCARequest.withIdempotencyToken("123987");
createCARequest.withCertificateAuthorityType(CAtype);
createCARequest.withRevocationConfiguration(revokeConfig);
// Create the private CA.
CreateCertificateAuthorityResult createCAResult = null;
try {
createCAResult = client.createCertificateAuthority(createCARequest);
} catch (InvalidArgsException ex) {
throw ex;
} catch (InvalidPolicyException ex) {
throw ex;
} catch (LimitExceededException ex) {
throw ex;
}
// Retrieve the ARN of the private CA.
String subordinateCAArn = createCAResult.getCertificateAuthorityArn();
System.out.println("Product Attestation Intermediate (PAI) Arn: " + subordinateCAArn);
return subordinateCAArn;
}
private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) {
// Create the CSR request object and set the CA ARN.
GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
csrRequest.withCertificateAuthorityArn(subordinateCAArn);
// Create waiter to wait on successful creation of the CSR file.
Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
try {
getCSRWaiter.run(new WaiterParameters<>(csrRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch(AWSACMPCAException e) {
//Unexpected service exception.
}
// Retrieve the CSR.
GetCertificateAuthorityCsrResult csrResult = null;
try {
csrResult = client.getCertificateAuthorityCsr(csrRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
// Retrieve and display the CSR;
String csr = csrResult.getCsr();
System.out.println("Subordinate CSR:");
System.out.println(csr);
return csr;
}
private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {
// Create a certificate request:
IssueCertificateRequest issueRequest = new IssueCertificateRequest();
// Set the issuing CA ARN.
issueRequest.withCertificateAuthorityArn(rootCAArn);
// Set the template ARN.
issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1");
ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
issueRequest.setCsr(csrByteBuffer);
// Set the signing algorithm.
issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(730L); // Approximately two years
validity.withType("DAYS");
issueRequest.withValidity(validity);
// Set the idempotency token.
issueRequest.setIdempotencyToken("1234");
ApiPassthrough apiPassthrough = new ApiPassthrough();
// Generate Base64 encoded extension value for ExtendedKeyUsage
String base64EncodedKUValue = generateKeyUsageValue();
// Generate custom extension
CustomExtension customKeyUsageExtension = new CustomExtension();
customKeyUsageExtension.setObjectIdentifier("2.5.29.15");
customKeyUsageExtension.setValue(base64EncodedKUValue);
customKeyUsageExtension.setCritical(true);
// Set KeyUsage extension to api passthrough
Extensions extensions = new Extensions();
extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension));
apiPassthrough.setExtensions(extensions);
issueRequest.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult issueResult = null;
try {
issueResult = client.issueCertificate(issueRequest);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String subordinateCertificateArn = issueResult.getCertificateArn();
System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn);
return subordinateCertificateArn;
}
@SneakyThrows
private static String generateKeyUsageValue() {
KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
byte[] kuBytes = keyUsage.getEncoded();
return Base64.getEncoder().encodeToString(kuBytes);
}
private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) {
// Create a request object.
GetCertificateRequest certificateRequest = new GetCertificateRequest();
// Set the certificate ARN.
certificateRequest.withCertificateArn(subordinateCertificateArn);
// Set the certificate authority ARN.
certificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the certificate file.
Waiter getCertificateWaiter = client.waiters().certificateIssued();
try {
getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch (AWSACMPCAException e) {
//Unexpected service exception.
}
// Retrieve the certificate and certificate chain.
GetCertificateResult certificateResult = null;
try {
certificateResult = client.getCertificate(certificateRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
}
// Get the certificate and certificate chain and display the result.
String subordinateCertificate = certificateResult.getCertificate();
System.out.println("Subordinate CA Certificate:");
System.out.println(subordinateCertificate);
return subordinateCertificate;
}
private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) {
// Create the request object and set the signed certificate, chain and CA ARN.
ImportCertificateAuthorityCertificateRequest importRequest =
new ImportCertificateAuthorityCertificateRequest();
ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate);
importRequest.setCertificate(certByteBuffer);
ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate);
importRequest.setCertificateChain(rootCACertByteBuffer);
// Set the certificate authority ARN.
importRequest.withCertificateAuthorityArn(subordinateCAArn);
// Import the certificate.
try {
client.importCertificateAuthorityCertificate(importRequest);
} catch (CertificateMismatchException ex) {
throw ex;
} catch (MalformedCertificateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (RequestInProgressException ex) {
throw ex;
} catch (ConcurrentModificationException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
System.out.println("Product Attestation Intermediate (PAI) certificate successfully imported.");
System.out.println("Product Attestation Intermediate (PAI) activated successfully.");
}
private static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
}
```
# Create a Device Attestation Certificate (DAC)
This Java sample shows how to use the [BlankEndEntityCertificate\$1CriticalBasicConstraints\$1APIPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough) template to create a [Matter](https://buildwithmatter.com) Device Attestation Certificate. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.
The example calls the following AWS Private CA API action:
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errorsMatter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
```
package com.amazonaws.samples.matter;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;
import lombok.SneakyThrows;
public class IssueDeviceAttestationCertificate {
public static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
@SneakyThrows
private static String generateKeyUsageValue() {
KeyUsage keyUsage = new KeyUsage(X509KeyUsage.digitalSignature);
byte[] kuBytes = keyUsage.getEncoded();
return Base64.getEncoder().encodeToString(kuBytes);
}
public static void main(String[] args) throws Exception {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException("Cannot load your credentials from disk", e);
}
// Define the endpoint for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2"
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
// Create a certificate request:
IssueCertificateRequest req = new IssueCertificateRequest();
// Set the CA ARN.
req.withCertificateAuthorityArn("arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012");
// Specify the certificate signing request (CSR) for the certificate to be signed and issued.
String strCSR =
"-----BEGIN CERTIFICATE REQUEST-----\n" +
"base64-encoded certificate\n" +
"-----END CERTIFICATE REQUEST-----\n";
ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR);
req.setCsr(csrByteBuffer);
// Specify the template for the issued certificate.
req.withTemplateArn("arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1");
// Set the signing algorithm.
req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(10L);
validity.withType("DAYS");
req.withValidity(validity);
// Set the idempotency token.
req.setIdempotencyToken("1234");
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("2.5.4.3")
.withValue("Matter Test DAC 0001"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.2.1")
.withValue("FFF1"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.2.2")
.withValue("8000")
);
// Define a cert subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
ApiPassthrough apiPassthrough = new ApiPassthrough();
apiPassthrough.setSubject(subject);
// Generate Base64 encoded extension value for ExtendedKeyUsage
String base64EncodedKUValue = generateKeyUsageValue();
// Generate custom extension
CustomExtension customKeyUsageExtension = new CustomExtension();
customKeyUsageExtension.setObjectIdentifier("2.5.29.15"); // KeyUsage Extension OID
customKeyUsageExtension.setValue(base64EncodedKUValue);
customKeyUsageExtension.setCritical(true);
Extensions extensions = new Extensions();
extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension));
apiPassthrough.setExtensions(extensions);
req.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult result = null;
try {
result = client.issueCertificate(req);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String arn = result.getCertificateArn();
System.out.println(arn);
}
}
```
# Activate a Root CA for Node Operational Certificates (NOC).
This Java sample shows how to use the [RootCACertificate\$1APIPassthrough/V1 definition](template-definitions.md#RootCACertificate_APIPassthrough) template to create and install a [Matter](https://buildwithmatter.com) Root CA certificate to issue NOCs. The AuthorityKeyIdentifier (AKI) extension is optional for NOC Root CA certificates. To set an AKI, you must generate a Base64-encoded AKI value and pass it through a CustomExtension.
The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errorsMatter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
```
package com.amazonaws.samples.matter;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.samples.GetCertificateAuthorityCertificate;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;
import java.io.ByteArrayInputStream;
import java.io.InputStreamReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.RevocationConfiguration;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;
import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemReader;
import lombok.SneakyThrows;
public class RootCAActivation {
public static void main(String[] args) throws Exception {
// Define the endpoint region for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2"
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.1.4")
.withValue("CACACACA00000001")
);
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
configCA.withSubject(subject);
// Define a certificate authority type
CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT;
// ** Execute core code samples for Root CA activation in sequence **
AWSACMPCA client = ClientBuilder(endpointRegion);
String rootCAArn = CreateCertificateAuthority(configCA, CAtype, client);
String csr = GetCertificateAuthorityCsr(rootCAArn, client);
String rootCertificateArn = IssueCertificate(rootCAArn, csr, client);
String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client);
ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client);
}
private static AWSACMPCA ClientBuilder(String endpointRegion) {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
e);
}
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
return client;
}
private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CertificateAuthorityType CAtype, AWSACMPCA client) {
// Create the request object.
CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
createCARequest.withCertificateAuthorityConfiguration(configCA);
createCARequest.withIdempotencyToken("123987");
createCARequest.withCertificateAuthorityType(CAtype);
// Create the private CA.
CreateCertificateAuthorityResult createCAResult = null;
try {
createCAResult = client.createCertificateAuthority(createCARequest);
} catch (InvalidArgsException ex) {
throw ex;
} catch (InvalidPolicyException ex) {
throw ex;
} catch (LimitExceededException ex) {
throw ex;
}
// Retrieve the ARN of the private CA.
String rootCAArn = createCAResult.getCertificateAuthorityArn();
System.out.println("Root CA Arn: " + rootCAArn);
return rootCAArn;
}
private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) {
// Create the CSR request object and set the CA ARN.
GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
csrRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the CSR file.
Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
try {
getCSRWaiter.run(new WaiterParameters<>(csrRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch (AWSACMPCAException e) {
//Unexpected service exception.
}
// Retrieve the CSR.
GetCertificateAuthorityCsrResult csrResult = null;
try {
csrResult = client.getCertificateAuthorityCsr(csrRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
// Retrieve and display the CSR;
String csr = csrResult.getCsr();
System.out.println(csr);
return csr;
}
@SneakyThrows
private static String generateAuthorityKeyIdentifier(final String csrPEM) {
PKCS10CertificationRequest csr = getPKCS10CertificationRequest(csrPEM);
SubjectPublicKeyInfo spki = csr.getSubjectPublicKeyInfo();
JcaX509ExtensionUtils extensionUtils = new JcaX509ExtensionUtils();
byte[] akiBytes = extensionUtils.createAuthorityKeyIdentifier(spki).getEncoded();
return Base64.getEncoder().encodeToString(akiBytes);
}
@SneakyThrows
private static PKCS10CertificationRequest getPKCS10CertificationRequest(final String csrPEM) {
ByteArrayInputStream bais = new ByteArrayInputStream(csrPEM.getBytes());
PemReader pemReader = new PemReader(new InputStreamReader(bais));
PEMParser parser = new PEMParser(pemReader);
Object o = parser.readObject();
if (o instanceof PKCS10CertificationRequest) {
return (PKCS10CertificationRequest) o;
}
return null;
}
private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {
// Create a certificate request:
IssueCertificateRequest issueRequest = new IssueCertificateRequest();
// Set the CA ARN.
issueRequest.withCertificateAuthorityArn(rootCAArn);
// Set the template ARN.
issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate_APIPassthrough/V1");
ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
issueRequest.setCsr(csrByteBuffer);
// Set the signing algorithm.
issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(3650L);
validity.withType("DAYS");
issueRequest.withValidity(validity);
// Set the idempotency token.
issueRequest.setIdempotencyToken("1234");
// Generate Base64 encoded extension value for AuthorityKeyIdentifier
String base64EncodedExtValue = generateAuthorityKeyIdentifier(csr);
// Generate custom extension
CustomExtension customExtension = new CustomExtension();
customExtension.setObjectIdentifier("2.5.29.35"); // AuthorityKeyIdentifier Extension OID
customExtension.setValue(base64EncodedExtValue);
// Add custom extension to api-passthrough
ApiPassthrough apiPassthrough = new ApiPassthrough();
Extensions extensions = new Extensions();
extensions.setCustomExtensions(Arrays.asList(customExtension));
apiPassthrough.setExtensions(extensions);
issueRequest.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult issueResult = null;
try {
issueResult = client.issueCertificate(issueRequest);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String rootCertificateArn = issueResult.getCertificateArn();
System.out.println("Root Certificate Arn: " + rootCertificateArn);
return rootCertificateArn;
}
private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) {
// Create a request object.
GetCertificateRequest certificateRequest = new GetCertificateRequest();
// Set the certificate ARN.
certificateRequest.withCertificateArn(rootCertificateArn);
// Set the certificate authority ARN.
certificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the certificate file.
Waiter getCertificateWaiter = client.waiters().certificateIssued();
try {
getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch (AWSACMPCAException e) {
//Unexpected service exception.
}
// Retrieve the certificate and certificate chain.
GetCertificateResult certificateResult = null;
try {
certificateResult = client.getCertificate(certificateRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
}
// Get the certificate and certificate chain and display the result.
String rootCertificate = certificateResult.getCertificate();
System.out.println(rootCertificate);
return rootCertificate;
}
private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) {
// Create the request object and set the signed certificate, chain and CA ARN.
ImportCertificateAuthorityCertificateRequest importRequest =
new ImportCertificateAuthorityCertificateRequest();
ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate);
importRequest.setCertificate(certByteBuffer);
importRequest.setCertificateChain(null);
// Set the certificate authority ARN.
importRequest.withCertificateAuthorityArn(rootCAArn);
// Import the certificate.
try {
client.importCertificateAuthorityCertificate(importRequest);
} catch (CertificateMismatchException ex) {
throw ex;
} catch (MalformedCertificateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (RequestInProgressException ex) {
throw ex;
} catch (ConcurrentModificationException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
System.out.println("Root CA certificate successfully imported.");
System.out.println("Root CA activated successfully.");
}
private static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
}
```
# Activate a Subordinate CA for Node Operational Certificates (NOC)
This Java sample shows how to use the [BlankSubordinateCACertificate\$1PathLen0\$1APIPassthrough/V1 definition](template-definitions.md#BlankSubordinateCACertificate_PathLen0_APIPassthrough) template to issue and install a [Matter](https://buildwithmatter.com) Subordinate CA certificate to issue NOCs. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.
The example calls the following AWS Private CA API actions:
+ [CreateCertificateAuthority](https://docs.aws.amazon.com/privateca/latest/APIReference/API_CreateCertificateAuthority.html)
+ [GetCertificateAuthorityCsr](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCsr.html)
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
+ [GetCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificate.html)
+ [ImportCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_ImportCertificateAuthorityCertificate.html)
+ [GetCertificateAuthorityCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_GetCertificateAuthorityCertificate.html)
If problems occur, see [Troubleshoot AWS Private CA Matter-compliant certificate errorsMatter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
```
package com.amazonaws.samples.matter;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCertificateResult;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import com.amazonaws.services.acmpca.model.RequestFailedException;
import com.amazonaws.services.acmpca.model.RequestInProgressException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.AWSACMPCAException;
import com.amazonaws.waiters.Waiter;
import com.amazonaws.waiters.WaiterParameters;
import com.amazonaws.waiters.WaiterTimedOutException;
import com.amazonaws.waiters.WaiterUnrecoverableException;
import lombok.SneakyThrows;
public class IntermediateCAActivation {
public static void main(String[] args) throws Exception {
// Place your own Root CA ARN here.
String rootCAArn = "arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012";
// Define the endpoint region for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2"
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.1.3")
.withValue("CACACACA00000003")
);
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.EC_prime256v1);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
configCA.withSubject(subject);
// Define a certificate authority type
CertificateAuthorityType CAtype = CertificateAuthorityType.SUBORDINATE;
// ** Execute core code samples for Subordinate CA activation in sequence **
AWSACMPCA client = ClientBuilder(endpointRegion);
String rootCertificate = GetCertificateAuthorityCertificate(rootCAArn, client);
String subordinateCAArn = CreateCertificateAuthority(configCA, CAtype, client);
String csr = GetCertificateAuthorityCsr(subordinateCAArn, client);
String subordinateCertificateArn = IssueCertificate(rootCAArn, csr, client);
String subordinateCertificate = GetCertificate(subordinateCertificateArn, rootCAArn, client);
ImportCertificateAuthorityCertificate(subordinateCertificate, rootCertificate, subordinateCAArn, client);
}
private static AWSACMPCA ClientBuilder(String endpointRegion) {
// Get your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException(
"Cannot load the credentials from the credential profiles file. " +
"Please make sure that your credentials file is at the correct " +
"location (C:\\Users\\joneps\\.aws\\credentials), and is in valid format.",
e);
}
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
return client;
}
private static String GetCertificateAuthorityCertificate(String rootCAArn, AWSACMPCA client) {
// ** GetCertificateAuthorityCertificate **
// Create a request object and set the certificate authority ARN,
GetCertificateAuthorityCertificateRequest getCACertificateRequest =
new GetCertificateAuthorityCertificateRequest();
getCACertificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create a result object.
GetCertificateAuthorityCertificateResult getCACertificateResult = null;
try {
getCACertificateResult = client.getCertificateAuthorityCertificate(getCACertificateRequest);
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
}
// Get and display the certificate information.
String rootCertificate = getCACertificateResult.getCertificate();
System.out.println("Root CA Certificate / Certificate Chain:");
System.out.println(rootCertificate);
return rootCertificate;
}
private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CertificateAuthorityType CAtype, AWSACMPCA client) {
// Create the request object.
CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
createCARequest.withCertificateAuthorityConfiguration(configCA);
createCARequest.withIdempotencyToken("123987");
createCARequest.withCertificateAuthorityType(CAtype);
// Create the private CA.
CreateCertificateAuthorityResult createCAResult = null;
try {
createCAResult = client.createCertificateAuthority(createCARequest);
} catch (InvalidArgsException ex) {
throw ex;
} catch (InvalidPolicyException ex) {
throw ex;
} catch (LimitExceededException ex) {
throw ex;
}
// Retrieve the ARN of the private CA.
String subordinateCAArn = createCAResult.getCertificateAuthorityArn();
System.out.println("Subordinate CA Arn: " + subordinateCAArn);
return subordinateCAArn;
}
private static String GetCertificateAuthorityCsr(String subordinateCAArn, AWSACMPCA client) {
// Create the CSR request object and set the CA ARN.
GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
csrRequest.withCertificateAuthorityArn(subordinateCAArn);
// Create waiter to wait on successful creation of the CSR file.
Waiter getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
try {
getCSRWaiter.run(new WaiterParameters<>(csrRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch(AWSACMPCAException e) {
//Unexpected service exception.
}
// Get the CSR.
GetCertificateAuthorityCsrResult csrResult = null;
try {
csrResult = client.getCertificateAuthorityCsr(csrRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
// Get and display the CSR;
String csr = csrResult.getCsr();
System.out.println("Subordinate CSR:");
System.out.println(csr);
return csr;
}
private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {
// Create a certificate request:
IssueCertificateRequest issueRequest = new IssueCertificateRequest();
// Set the issuing CA ARN.
issueRequest.withCertificateAuthorityArn(rootCAArn);
// Set the template ARN.
issueRequest.withTemplateArn("arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_APIPassthrough/V1");
ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
issueRequest.setCsr(csrByteBuffer);
// Set the signing algorithm.
issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(730L); // Approximately two years
validity.withType("DAYS");
issueRequest.withValidity(validity);
// Set the idempotency token.
issueRequest.setIdempotencyToken("1234");
ApiPassthrough apiPassthrough = new ApiPassthrough();
// Generate base64 encoded extension value for ExtendedKeyUsage
String base64EncodedKUValue = generateKeyUsageValue();
// Generate custom extension
CustomExtension customKeyUsageExtension = new CustomExtension();
customKeyUsageExtension.setObjectIdentifier("2.5.29.15");
customKeyUsageExtension.setValue(base64EncodedKUValue);
customKeyUsageExtension.setCritical(true);
// Set KeyUsage extension to api passthrough
Extensions extensions = new Extensions();
extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension));
apiPassthrough.setExtensions(extensions);
issueRequest.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult issueResult = null;
try {
issueResult = client.issueCertificate(issueRequest);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Get and display the certificate ARN.
String subordinateCertificateArn = issueResult.getCertificateArn();
System.out.println("Subordinate Certificate Arn: " + subordinateCertificateArn);
return subordinateCertificateArn;
}
@SneakyThrows
private static String generateKeyUsageValue() {
KeyUsage keyUsage = new KeyUsage(X509KeyUsage.keyCertSign | X509KeyUsage.cRLSign);
byte[] kuBytes = keyUsage.getEncoded();
return Base64.getEncoder().encodeToString(kuBytes);
}
private static String GetCertificate(String subordinateCertificateArn, String rootCAArn, AWSACMPCA client) {
// Create a request object.
GetCertificateRequest certificateRequest = new GetCertificateRequest();
// Set the certificate ARN.
certificateRequest.withCertificateArn(subordinateCertificateArn);
// Set the certificate authority ARN.
certificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the certificate file.
Waiter getCertificateWaiter = client.waiters().certificateIssued();
try {
getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
} catch (WaiterUnrecoverableException e) {
//Explicit short circuit when the recourse transitions into
//an undesired state.
} catch (WaiterTimedOutException e) {
//Failed to transition into desired state even after polling.
} catch (AWSACMPCAException e) {
//Unexpected service exception.
}
// Get the certificate and certificate chain.
GetCertificateResult certificateResult = null;
try {
certificateResult = client.getCertificate(certificateRequest);
} catch (RequestInProgressException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
}
// Get the certificate and certificate chain and display the result.
String subordinateCertificate = certificateResult.getCertificate();
System.out.println("Subordinate CA Certificate:");
System.out.println(subordinateCertificate);
return subordinateCertificate;
}
private static void ImportCertificateAuthorityCertificate(String subordinateCertificate, String rootCertificate, String subordinateCAArn, AWSACMPCA client) {
// Create the request object and set the signed certificate, chain and CA ARN.
ImportCertificateAuthorityCertificateRequest importRequest =
new ImportCertificateAuthorityCertificateRequest();
ByteBuffer certByteBuffer = stringToByteBuffer(subordinateCertificate);
importRequest.setCertificate(certByteBuffer);
ByteBuffer rootCACertByteBuffer = stringToByteBuffer(rootCertificate);
importRequest.setCertificateChain(rootCACertByteBuffer);
// Set the certificate authority ARN.
importRequest.withCertificateAuthorityArn(subordinateCAArn);
// Import the certificate.
try {
client.importCertificateAuthorityCertificate(importRequest);
} catch (CertificateMismatchException ex) {
throw ex;
} catch (MalformedCertificateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (RequestInProgressException ex) {
throw ex;
} catch (ConcurrentModificationException ex) {
throw ex;
} catch (RequestFailedException ex) {
throw ex;
}
System.out.println("Subordinate CA certificate successfully imported.");
System.out.println("Subordinate CA activated successfully.");
}
private static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
}
```
# Create a Node Operational Certificate (NOC)
This Java sample shows how to use the [BlankEndEntityCertificate\$1CriticalBasicConstraints\$1APIPassthrough/V1](template-definitions.md#BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough) template to create a [Matter](https://buildwithmatter.com) Node Operational Certificate. You must generate a Base64-encoded KeyUsage value and pass it through a CustomExtension.
The example calls the following AWS Private CA API action:
+ [IssueCertificate](https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html)
If you encounter problems, see [Troubleshoot AWS Private CA Matter-compliant certificate errorsMatter-compliant certificate errors](TroubleshootPcaMatter.md) in the Troubleshooting section.
```
package com.amazonaws.samples.matter;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.ApiPassthrough;
import com.amazonaws.services.acmpca.model.CustomAttribute;
import com.amazonaws.services.acmpca.model.CustomExtension;
import com.amazonaws.services.acmpca.model.Extensions;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.ResourceNotFoundException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.jce.X509KeyUsage;
import lombok.SneakyThrows;
public class IssueNodeOperatingCertificate {
public static ByteBuffer stringToByteBuffer(final String string) {
if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
}
@SneakyThrows
private static String generateExtendedKeyUsageValue() {
KeyPurposeId[] keyPurposeIds = new KeyPurposeId[] { KeyPurposeId.id_kp_clientAuth, KeyPurposeId.id_kp_serverAuth };
ExtendedKeyUsage eku = new ExtendedKeyUsage(keyPurposeIds);
byte[] ekuBytes = eku.getEncoded();
return Base64.getEncoder().encodeToString(ekuBytes);
}
@SneakyThrows
private static String generateKeyUsageValue() {
KeyUsage keyUsage = new KeyUsage(X509KeyUsage.digitalSignature);
byte[] kuBytes = keyUsage.getEncoded();
return Base64.getEncoder().encodeToString(kuBytes);
}
public static void main(String[] args) throws Exception {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file
// in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
throw new AmazonClientException("Cannot load your credentials from disk", e);
}
// Define the endpoint for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "ap-southeast-2"
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard()
.withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials))
.build();
// Create a certificate request:
IssueCertificateRequest req = new IssueCertificateRequest();
// Set the CA ARN.
req.withCertificateAuthorityArn("arn:aws:acm-pca:region:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012");
// Specify the certificate signing request (CSR) for the certificate to be signed and issued.
String strCSR =
"-----BEGIN CERTIFICATE REQUEST-----\n" +
"base64-encoded certificate\n" +
"-----END CERTIFICATE REQUEST-----\n";
ByteBuffer csrByteBuffer = stringToByteBuffer(strCSR);
req.setCsr(csrByteBuffer);
// Specify the template for the issued certificate.
req.withTemplateArn("arn:aws:acm-pca:::template/BlankEndEntityCertificate_CriticalBasicConstraints_APIPassthrough/V1");
// Set the signing algorithm.
req.withSigningAlgorithm(SigningAlgorithm.SHA256WITHECDSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(10L);
validity.withType("DAYS");
req.withValidity(validity);
// Set the idempotency token.
req.setIdempotencyToken("1234");
// Define custom attributes
List customAttributes = Arrays.asList(
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.1.1")
.withValue("DEDEDEDE00010001"),
new CustomAttribute()
.withObjectIdentifier("1.3.6.1.4.1.37244.1.5")
.withValue("FAB000000000001D")
);
// Define a cert subject.
ASN1Subject subject = new ASN1Subject();
subject.setCustomAttributes(customAttributes);
ApiPassthrough apiPassthrough = new ApiPassthrough();
apiPassthrough.setSubject(subject);
// Generate Base64 encoded extension value for ExtendedKeyUsage
String base64EncodedKUValue = generateKeyUsageValue();
// Generate custom extension
CustomExtension customKeyUsageExtension = new CustomExtension();
customKeyUsageExtension.setObjectIdentifier("2.5.29.15");
customKeyUsageExtension.setValue(base64EncodedKUValue);
customKeyUsageExtension.setCritical(true);
// Generate Base64 encoded extension value for ExtendedKeyUsage
String base64EncodedEKUValue = generateExtendedKeyUsageValue();
CustomExtension customExtendedKeyUsageExtension = new CustomExtension();
customExtendedKeyUsageExtension.setObjectIdentifier("2.5.29.37"); // ExtendedKeyUsage Extension OID
customExtendedKeyUsageExtension.setValue(base64EncodedEKUValue);
customExtendedKeyUsageExtension.setCritical(true);
// Set KeyUsage and ExtendedKeyUsage extension to api-passthrough
Extensions extensions = new Extensions();
extensions.setCustomExtensions(Arrays.asList(customKeyUsageExtension, customExtendedKeyUsageExtension));
apiPassthrough.setExtensions(extensions);
req.setApiPassthrough(apiPassthrough);
// Issue the certificate.
IssueCertificateResult result = null;
try {
result = client.issueCertificate(req);
} catch (LimitExceededException ex) {
throw ex;
} catch (ResourceNotFoundException ex) {
throw ex;
} catch (InvalidStateException ex) {
throw ex;
} catch (InvalidArnException ex) {
throw ex;
} catch (InvalidArgsException ex) {
throw ex;
} catch (MalformedCSRException ex) {
throw ex;
}
// Retrieve and display the certificate ARN.
String arn = result.getCertificateArn();
System.out.println(arn);
}
}
```