Create a client certificate using your CA certificate - AWS IoT Core

This is a machine-translated version. Where this translation and the English original differ, the English original takes precedence.

Create a client certificate using your CA certificate

You can use your own certificate authority (CA) to create client certificates. A client certificate must be registered with AWS IoT before it can be used. For information about the registration options for client certificates, see Register a client certificate.

Create a client certificate (CLI)

Note

You can't perform this procedure in the AWS IoT console.

To create a client certificate using the AWS CLI
  1. Generate a key pair. The private key is the device's identity: keep it on the device and restrict its file permissions; it never needs to be sent to AWS IoT.

    openssl genrsa -out device_cert_key_filename.key 2048

  2. Create a CSR for the client certificate.

    openssl req -new \
        -key device_cert_key_filename.key \
        -out device_cert_csr_filename.csr

    You are prompted for some information, as shown here:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) []:
    Locality Name (for example, city) []:
    Organization Name (for example, company) []:
    Organizational Unit Name (for example, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  3. Create the client certificate from the CSR by signing it with your CA certificate and CA private key.

    openssl x509 -req \
        -in device_cert_csr_filename.csr \
        -CA root_CA_cert_filename.pem \
        -CAkey root_CA_key_filename.key \
        -CAcreateserial \
        -out device_cert_filename.pem \
        -days 500 -sha256

At this point the client certificate has been created, but it is not yet registered with AWS IoT. For information about how and when to register client certificates, see Register a client certificate.
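The following script is an added example and is not part of the AWS documentation or its tooling. It runs steps 1 to 3 of the procedure above non-interactively (the DN is passed with -subj instead of being typed at the prompts) and then performs the checks a practitioner wants before registering the certificate: that it chains to the intended CA, that the Common Name is the device name, and that the certificate's public key matches the private key that will stay on the device. It assumes openssl is on PATH, a scratch directory, an "Example Org" DN, a device named device-001, and a throwaway CA generated inline only so the script runs offline; in practice, point it at the CA certificate and key you registered with AWS IoT.

```shell
#!/bin/sh
# Added example (not AWS documentation code): runs steps 1-3 of the procedure
# non-interactively and checks the result before it is registered with AWS IoT.
# Assumptions: openssl on PATH, a scratch directory, an "Example Org" DN, and a
# throwaway demo CA generated here only so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Demo only. In practice use the CA certificate and key you registered with
# AWS IoT instead of calling this. $1 = CA certificate out, $2 = CA key out.
make_demo_ca() {
    openssl genrsa -out "$2" 2048 2>/dev/null
    openssl req -x509 -new -key "$2" -sha256 -days 1024 \
        -subj "/O=Example Org/CN=Example Device CA" -out "$1" 2>/dev/null
}

# Steps 1-3: key pair, CSR, CA-signed certificate. The DN is supplied with
# -subj rather than typed at the prompts; the device name becomes the CN.
# $1 = device name, $2 = CA certificate, $3 = CA private key.
make_client_cert() {
    name="$1"; ca_cert="$2"; ca_key="$3"
    # Step 1: the private key stays on the device, so create it unreadable
    # by other users (umask in a subshell so it does not leak out).
    (umask 077; openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null)
    # Step 2: CSR carrying the device identity.
    openssl req -new -key "$WORK/$name.key" \
        -subj "/O=Example Org/CN=$name" \
        -out "$WORK/$name.csr" 2>/dev/null
    # Step 3: sign the CSR with your CA, exactly as in the procedure.
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
        -out "$WORK/$name.pem" -days 500 -sha256 2>/dev/null
}

# Pre-registration checks: the certificate chains to the intended CA, the CN is
# the device name, and the certificate's public key matches the device's
# private key. Returns 0 only if all three hold. $1 = device name, $2 = CA cert.
verify_client_cert() {
    name="$1"; ca_cert="$2"
    openssl verify -CAfile "$ca_cert" "$WORK/$name.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/$name.pem" -noout -subject | grep -q "CN *= *$name" || return 1
    cert_pub=$(openssl x509 -in "$WORK/$name.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/$name.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Demo run with the throwaway CA; the file names follow the procedure above.
make_demo_ca "$WORK/root_CA_cert_filename.pem" "$WORK/root_CA_key_filename.key"
make_client_cert device-001 "$WORK/root_CA_cert_filename.pem" "$WORK/root_CA_key_filename.key"
if verify_client_cert device-001 "$WORK/root_CA_cert_filename.pem"; then
    echo "device-001: chains to CA, CN matches, key matches; ready to register"
else
    echo "device-001: checks failed, do not register" >&2
    exit 1
fi
```

The chain check is the one that matters most: a certificate that verifies against a different CA than the one registered with AWS IoT will be rejected (or, worse, accepted under the wrong CA) at registration time, so run the check against the exact CA certificate file you registered. The key-match check catches the common mistake of signing a CSR generated from one key and deploying a different key to the device.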