Creating the certificates

IAM Roles Anywhere has to be integrated with a CA. There are currently two ways to do this: through the AWS Private Certificate Authority service, or through an external CA. This section covers the AWS PCA route first.


Create the PCA

Open the PCA service and click Create a private CA (note that each PCA is billed at $400 per month):

image-20231001145237739

In the Common Name field, enter iamra.test and keep everything else at its default:

image-20231001145347097

Finally, tick the Pricing checkbox and click create:

image-20231001145600563

Install the root certificate

Under Actions, choose Install CA certificate to install the PCA root certificate:

image-20231001145632820

Click Confirm and install:

image-20231001145646585

Create ACM certificates from the PCA

Open the ACM service and click Request a certificate:

image-20231001145734582

Choose Request a private certificate:

image-20231001145746918

Under Certificate authority, choose the CA created in the previous step; under Domain names, enter workload-a.iamra.test:

image-20231001145842313

Finally, tick the I understand xxx box and click Request:

image-20231001145901901

Repeat the steps above to request a certificate for workload-b.iamra.test:

image-20231001145954585

When finished, it looks like this:

image-20231001160024158

Retrieve the certificates and private keys

In the console, run the following commands to retrieve the certificate and private key for workload-a.iamra.test:

passphrase=$(uuidgen)
value="workload-a.iamra.test"

# Look up the ARN of the certificate whose DomainName matches $value.
# jq -r prints the raw string, so no sed is needed to strip the quotes.
arn=$(aws acm list-certificates --region us-east-1 \
     | jq -r --arg cn "$value" '.CertificateSummaryList[] | select(.DomainName == $cn) | .CertificateArn')

# e.g. arn:aws:acm:us-east-1:145197526627:certificate/a73100dd-b7b1-425e-aa92-0f55e47618cf
echo "$arn"

# Export once: the response carries the certificate, the chain and the
# passphrase-encrypted private key. raw-in-base64-out lets the CLI accept
# the passphrase as a plain string instead of a fileb:// blob.
export_json=$(aws acm export-certificate --region us-east-1 \
     --certificate-arn "$arn" \
     --passphrase "$passphrase" \
     --cli-binary-format raw-in-base64-out)

printf '%s\n' "$export_json" | jq -r '.Certificate' > "${value}_cert.pem"
printf '%s\n' "$export_json" | jq -r '.PrivateKey'  > "${value}_private.pem"

# Decrypt the exported PKCS#8 key into an unencrypted RSA key for the workload.
openssl rsa -passin "pass:${passphrase}" -in "${value}_private.pem" -out "${value}_private_u.pem"

Likewise, retrieve the certificate and private key for workload-b.iamra.test:

passphrase=$(uuidgen)
value="workload-b.iamra.test"

# Same lookup as above, for the workload-b certificate.
arn=$(aws acm list-certificates --region us-east-1 \
     | jq -r --arg cn "$value" '.CertificateSummaryList[] | select(.DomainName == $cn) | .CertificateArn')

echo "$arn"

# One export call; split the certificate and the encrypted key into files.
export_json=$(aws acm export-certificate --region us-east-1 \
     --certificate-arn "$arn" \
     --passphrase "$passphrase" \
     --cli-binary-format raw-in-base64-out)

printf '%s\n' "$export_json" | jq -r '.Certificate' > "${value}_cert.pem"
printf '%s\n' "$export_json" | jq -r '.PrivateKey'  > "${value}_private.pem"

# Decrypt the exported PKCS#8 key into an unencrypted RSA key for the workload.
openssl rsa -passin "pass:${passphrase}" -in "${value}_private.pem" -out "${value}_private_u.pem"

Final result:

image-20231001151417749

image-20231001160503527
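As an added example (not code from the original post), the following Python script does the two things the shell snippets above rely on, handling the edge cases a practitioner runs into. It picks the certificate ARN from `list-certificates` output, preferring the newest ISSUED certificate when a domain has several (a re-issued or revoked duplicate makes the jq filter print two ARNs, which breaks `--certificate-arn`), and it writes the exported material with mode 0600 from the moment each file is created. The JSON is constructed to mirror the CLI's output shape; the ARNs, dates and PEM bodies are made up, and no AWS call is made. Decrypting the PKCS#8 key stays with the openssl command above.

```python
"""Select the ACM certificate for a workload and store the exported material safely.

Added example, not part of the original post. Standard library only; the JSON
below is constructed to match the shape of `aws acm list-certificates` and
`aws acm export-certificate` output, and the ARNs, dates and PEM bodies are made up.
"""
import json
import os
import stat
import tempfile
from datetime import datetime

# Constructed stand-in for `aws acm list-certificates --region us-east-1` output.
# workload-a deliberately has two entries: an older REVOKED one and the current
# ISSUED one, the situation in which a DomainName-only filter returns two ARNs.
LIST_CERTIFICATES_OUTPUT = json.dumps({
    "CertificateSummaryList": [
        {
            "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-4000-8000-000000000001",
            "DomainName": "workload-a.iamra.test",
            "Status": "REVOKED",
            "CreatedAt": "2023-09-01T10:00:00+00:00",
        },
        {
            "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-4000-8000-000000000002",
            "DomainName": "workload-a.iamra.test",
            "Status": "ISSUED",
            "CreatedAt": "2023-10-01T07:00:00+00:00",
        },
        {
            "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/00000000-0000-4000-8000-000000000003",
            "DomainName": "workload-b.iamra.test",
            "Status": "ISSUED",
            "CreatedAt": "2023-10-01T07:05:00+00:00",
        },
    ]
})

# Constructed stand-in for `aws acm export-certificate` output (PEM bodies shortened).
EXPORT_CERTIFICATE_OUTPUT = json.dumps({
    "Certificate": "-----BEGIN CERTIFICATE-----\nMIIC...constructed-leaf...\n-----END CERTIFICATE-----\n",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIC...constructed-root...\n-----END CERTIFICATE-----\n",
    "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n",
})


def select_certificate_arn(list_output: str, domain: str) -> str:
    """Return the ARN of the newest ISSUED certificate whose DomainName equals `domain`.

    Raises LookupError when nothing usable exists, so a caller never hands an
    empty or multi-line value to --certificate-arn.
    """
    summaries = json.loads(list_output)["CertificateSummaryList"]
    candidates = [
        s for s in summaries
        if s.get("DomainName") == domain and s.get("Status") == "ISSUED"
    ]
    if not candidates:
        raise LookupError(f"no ISSUED certificate for {domain}")
    candidates.sort(key=lambda s: datetime.fromisoformat(s["CreatedAt"]), reverse=True)
    return candidates[0]["CertificateArn"]


def write_private(path: str, data: str) -> None:
    """Create `path` with mode 0600 from the start, so there is no window where it is readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def store_export(export_output: str, domain: str, out_dir: str = None) -> dict:
    """Write cert, chain and the still passphrase-encrypted key; return the paths written.

    When out_dir is None a fresh temporary directory is created (caller cleans it up).
    """
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="iamra-")
    fields = json.loads(export_output)
    paths = {
        "cert": os.path.join(out_dir, f"{domain}_cert.pem"),
        "chain": os.path.join(out_dir, f"{domain}_chain.pem"),
        "private": os.path.join(out_dir, f"{domain}_private.pem"),
    }
    write_private(paths["cert"], fields["Certificate"])
    write_private(paths["chain"], fields["CertificateChain"])
    write_private(paths["private"], fields["PrivateKey"])
    return paths


def file_mode(path: str) -> int:
    """Permission bits of `path` (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    domain = "workload-a.iamra.test"
    print("certificate ARN:", select_certificate_arn(LIST_CERTIFICATES_OUTPUT, domain))
    for name, p in store_export(EXPORT_CERTIFICATE_OUTPUT, domain).items():
        print(f"{name}: {p} mode={oct(file_mode(p))}")
```

The same 0600 treatment belongs on the `_private_u.pem` file that openssl writes, since that unencrypted key is the credential IAM Roles Anywhere will present; the encrypted export and the passphrase are only useful together, so keeping them in separate places limits what a single leaked file reveals.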