根据此docs,我需要为我的IoT设备生成所谓的引导证书。我假设要生成引导证书,将通过AWS开发工具包下载CA证书,并将其用于生成引导证书。
我找不到多少类似的例子来说明如何使用Java AWS开发工具包做到这一点。谁能给出我如何做到的代码示例?提前致谢。
我找到了解决方案。 AWS引导证书是由在AWS IoT中注册的CA证书签名的证书。请参见工作流程here。为了用Java实现此目的,我使用了Bouncy Castle库。首先,下载CA证书和CA证书私钥。并为您的引导证书生成KeyPair:
KeyPairGenerator keypairGen = KeyPairGenerator.getInstance(SECURITY_ALGORITHM);
keypairGen.initialize(ALGORITHM_KEY_SIZE, random);
KeyPair keypair = keypairGen.generateKeyPair();
PublicKey publicKey = keypair.getPublic();
使用Bouncy Castle库将CA证书和CA私钥转换为X509Certificate和PrivateKey对象(请参见book中的示例)。生成证书:
public X509Certificate makeV3Certificate(
X509Certificate caCertificate,
PrivateKey caPrivateKey,
PublicKey publicKey)
throws GeneralSecurityException, CertIOException, OperatorCreationException {
X509v3CertificateBuilder v3CertBuilder = new JcaX509v3CertificateBuilder(
caCertificate.getSubjectX500Principal(), // issuer
BigInteger.valueOf(System.currentTimeMillis()) // serial number
.multiply(BigInteger.valueOf(10)),
new Date(System.currentTimeMillis() - 1000 * 5), // start time
new Date(System.currentTimeMillis() + 1000 * 3600 * 3), // expiry time
new X500Principal(String.format("CN=%s", "desirable Common Name")), // subject
publicKey); // subject public key
JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
v3CertBuilder.addExtension(
Extension.subjectKeyIdentifier,
false,
extUtils.createSubjectKeyIdentifier(publicKey));
v3CertBuilder.addExtension(
Extension.authorityKeyIdentifier,
false,
extUtils.createAuthorityKeyIdentifier(caCertificate));
v3CertBuilder.addExtension(
Extension.basicConstraints,
true,
new BasicConstraints(false));
JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder("SHA256withRSA");
return new JcaX509CertificateConverter().getCertificate(v3CertBuilder.build(signerBuilder.build(caPrivateKey)));
}
使用Bouncy Castle库将证书转换为pem格式,将CA证书附加到pem文件中。另外,将引导证书私钥(从密钥对获取)转换为pem格式。就这些。您可以通过mqtt使用此CA签名证书和AWS IoT的私钥将设备连接。