问题描述
我正在尝试在AWS ACMPCA中使用非自签名证书。问题在于,通过遵循AWS ACMPCA documentation,会创建一个自签名证书。然后,当我继续进行操作时,创建一个从属CA,颁发证书,并在内部ALB上使用它,当我使用curl
进行测试时,出现自签名证书错误。显然,证书没有经过独立验证,因此很有意义。但是唯一的解决方法是传递--insecure
,但这将导致我的应用程序的代码更改。
因此,似乎我需要将签名证书导入ACMPCA,或者可能需要提出签名证书请求?我不太确定。我对这种架构不是很熟悉,这是我第一次。
我的问题是:我应该怎么做才能在AWS ACMPCA中发布私有的,非自签名的ssl证书,以便我的内部应用程序可以使用https而不禁用验证?
我使用以下模板在Cloudformation中创建了所有这些文件:
RootCertificateAuthority:
Type: AWS::ACMPCA::CertificateAuthority
Properties:
KeyAlgorithm: RSA_4096
Signingalgorithm: SHA512WITHRSA
Subject:
Organization: MyOrg
Type: ROOT
RootCertificate:
Type: AWS::ACMPCA::Certificate
Properties:
CertificateAuthorityArn: !Ref RootCertificateAuthority
CertificateSigningRequest: !GetAtt RootCertificateAuthority.CertificateSigningRequest
TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1
Signingalgorithm: SHA512WITHRSA
Validity:
Type: YEARS
Value: 100
RootCertificateActivation:
Type: AWS::ACMPCA::CertificateAuthorityActivation
Properties:
CertificateAuthorityArn: !Ref RootCertificateAuthority
Certificate: !GetAtt RootCertificate.Certificate
Status: ACTIVE
SubordinateCertificateAuthority:
Type: AWS::ACMPCA::CertificateAuthority
Properties:
KeyAlgorithm: RSA_4096
Signingalgorithm: SHA512WITHRSA
Subject:
Organization: MyOrg
Type: SUBORDINATE
SubordinateCertificate:
Type: AWS::ACMPCA::Certificate
Properties:
CertificateAuthorityArn: !Ref RootCertificateAuthority
CertificateSigningRequest: !GetAtt SubordinateCertificateAuthority.CertificateSigningRequest
TemplateArn: 'arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen3/V1'
Signingalgorithm: SHA512WITHRSA
Validity:
Type: YEARS
Value: 99
SubordinateCertificateActivation:
Type: AWS::ACMPCA::CertificateAuthorityActivation
Properties:
CertificateAuthorityArn: !Ref SubordinateCertificateAuthority
Certificate: !GetAtt SubordinateCertificate.Certificate
CertificateChain: !GetAtt RootCertificateActivation.CompleteCertificateChain
Status: ACTIVE
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)