This page is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Create a client certificate using your CA certificate
<a name="create-device-cert"></a>

You can use your own certificate authority (CA) to create client certificates. A client certificate must be registered with AWS IoT before it can be used. For more information about the registration options for client certificates, see [Register a client certificate](register-device-cert.md).

## Create a client certificate (CLI)
<a name="create-device-cert-cli"></a>

**Note**  
You can't perform this procedure in the AWS IoT console.

**To create a client certificate using the AWS CLI**

1. Generate a key pair.

   ```
   openssl genrsa -out device_cert_key_filename.key 2048
   ```

1. Create a CSR for the client certificate.

   ```
   openssl req -new \
       -key device_cert_key_filename.key \
       -out device_cert_csr_filename.csr
   ```

   You will be prompted to enter some information, as shown here:

   ```
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:
   State or Province Name (full name) []:
   Locality Name (for example, city) []:
   Organization Name (for example, company) []:
   Organizational Unit Name (for example, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:
   Email Address []:

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
   ```

1. Create a client certificate from the CSR.

   ```
   openssl x509 -req \
       -in device_cert_csr_filename.csr \
       -CA root_CA_cert_filename.pem \
       -CAkey root_CA_key_filename.key \
       -CAcreateserial \
       -out device_cert_filename.pem \
       -days 500 -sha256
   ```
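The three steps above, as an added non-interactive shell example that is not code from the AWS IoT documentation: the DN is passed with `-subj` instead of the interactive prompts, a throwaway self-signed test CA stands in for your real `root_CA_cert_filename.pem` and key, and the signed certificate is checked with `openssl verify` against that CA before you would go on to register it. It assumes `openssl` is on `PATH`; all file names are the placeholders used on this page.

```shell
#!/bin/sh
# Added example (not from the AWS IoT docs): run the page's three openssl steps
# in a scratch directory and verify the client certificate chains to the CA.
set -eu

make_and_verify_client_cert() (
    workdir=$(mktemp -d)
    trap 'rm -rf "$workdir"' EXIT
    cd "$workdir"
    # Private keys written below are readable only by the current user.
    umask 077

    # Stand-in for the CA you already have (assumption: a self-signed test CA).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout root_CA_key_filename.key -out root_CA_cert_filename.pem \
        -subj "/CN=Example Test CA" >/dev/null 2>&1

    # Step 1: generate the device key pair.
    openssl genrsa -out device_cert_key_filename.key 2048 >/dev/null 2>&1

    # Step 2: create the CSR; -subj replaces the interactive DN prompts.
    openssl req -new -key device_cert_key_filename.key \
        -out device_cert_csr_filename.csr -subj "/CN=device-0001"

    # Step 3: sign the CSR with the CA, exactly as on this page.
    openssl x509 -req -in device_cert_csr_filename.csr \
        -CA root_CA_cert_filename.pem -CAkey root_CA_key_filename.key \
        -CAcreateserial -out device_cert_filename.pem \
        -days 500 -sha256 >/dev/null 2>&1

    # Check before registering: the new certificate must validate against
    # the CA it will be registered under. Prints "device_cert_filename.pem: OK".
    openssl verify -CAfile root_CA_cert_filename.pem device_cert_filename.pem
)

make_and_verify_client_cert
```

The function runs in a subshell, so the scratch directory, `umask` and `cd` do not leak into the calling shell and the temporary files are removed on exit.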

At this point, the client certificate has been created, but it is not yet registered with AWS IoT. For more information about how and when to register the client certificate, see [Register a client certificate](register-device-cert.md).