• UpdateCertificateAuthority (p. 192)
Create and activate a root CA programmatically
This Java sample shows how to activate a root CA using the following ACM Private CA API actions:
• CreateCertificateAuthority
• GetCertificateAuthorityCsr
• IssueCertificate
• GetCertificate
• ImportCertificateAuthorityCertificate
package com.amazonaws.samples;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.samples.GetCertificateAuthorityCertificate;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.services.acmpca.AWSACMPCA;
import com.amazonaws.services.acmpca.AWSACMPCAClientBuilder;
import com.amazonaws.services.acmpca.model.ASN1Subject;
import com.amazonaws.services.acmpca.model.CertificateAuthorityConfiguration;
import com.amazonaws.services.acmpca.model.CertificateAuthorityType;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityResult;
import com.amazonaws.services.acmpca.model.CreateCertificateAuthorityRequest;
import com.amazonaws.services.acmpca.model.CrlConfiguration;
import com.amazonaws.services.acmpca.model.KeyAlgorithm;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Tag;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Objects;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrRequest;
import com.amazonaws.services.acmpca.model.GetCertificateAuthorityCsrResult;
import com.amazonaws.services.acmpca.model.GetCertificateRequest;
import com.amazonaws.services.acmpca.model.GetCertificateResult;
import com.amazonaws.services.acmpca.model.ImportCertificateAuthorityCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateRequest;
import com.amazonaws.services.acmpca.model.IssueCertificateResult;
import com.amazonaws.services.acmpca.model.SigningAlgorithm;
import com.amazonaws.services.acmpca.model.Validity;
import com.amazonaws.AmazonClientException;
import com.amazonaws.services.acmpca.model.CertificateMismatchException;
import com.amazonaws.services.acmpca.model.ConcurrentModificationException;
import com.amazonaws.services.acmpca.model.LimitExceededException;
import com.amazonaws.services.acmpca.model.InvalidArgsException;
import com.amazonaws.services.acmpca.model.InvalidArnException;
import com.amazonaws.services.acmpca.model.InvalidPolicyException;
import com.amazonaws.services.acmpca.model.InvalidStateException;
import com.amazonaws.services.acmpca.model.MalformedCertificateException;
import com.amazonaws.services.acmpca.model.MalformedCSRException;
Create and activate a root CA programmatically
public static void main(String[] args) throws Exception { // Define the endpoint region for your sample.
String endpointRegion = "region"; // Substitute your region here, e.g. "us-west-2"
// Define a CA subject.
ASN1Subject subject = new ASN1Subject();
subject.setOrganization("Example Organization");
subject.setOrganizationalUnit("Example");
subject.setCountry("US");
subject.setState("Virginia");
subject.setLocality("Arlington");
subject.setCommonName("www.example.com");
// Define the CA configuration.
CertificateAuthorityConfiguration configCA = new CertificateAuthorityConfiguration();
configCA.withKeyAlgorithm(KeyAlgorithm.RSA_2048);
configCA.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA);
configCA.withSubject(subject);
// Define a certificate revocation list configuration.
CrlConfiguration crlConfigure = new CrlConfiguration();
crlConfigure.withEnabled(true);
crlConfigure.withExpirationInDays(365);
crlConfigure.withCustomCname(null);
crlConfigure.withS3BucketName("your-bucket-name");
// Define a certificate authority type
CertificateAuthorityType CAtype = CertificateAuthorityType.ROOT;
// ** Execute core code samples for Root CA activation in sequence **
AWSACMPCA client = ClientBuilder(endpointRegion);
String rootCAArn = CreateCertificateAuthority(configCA, crlConfigure, CAtype, client);
String csr = GetCertificateAuthorityCsr(rootCAArn, client);
String rootCertificateArn = IssueCertificate(rootCAArn, csr, client);
String rootCertificate = GetCertificate(rootCertificateArn, rootCAArn, client);
ImportCertificateAuthorityCertificate(rootCertificate, rootCAArn, client);
}
private static AWSACMPCA ClientBuilder(String endpointRegion) {
// Retrieve your credentials from the C:\Users\name\.aws\credentials file // in Windows or the .aws/credentials file in Linux.
AWSCredentials credentials = null;
try {
credentials = new ProfileCredentialsProvider("default").getCredentials();
} catch (Exception e) {
Create and activate a root CA programmatically
String endpointProtocol = "https://acm-pca." + endpointRegion + ".amazonaws.com/";
EndpointConfiguration endpoint =
new AwsClientBuilder.EndpointConfiguration(endpointProtocol, endpointRegion);
// Create a client that you can use to make requests.
AWSACMPCA client = AWSACMPCAClientBuilder.standard() .withEndpointConfiguration(endpoint)
.withCredentials(new AWSStaticCredentialsProvider(credentials)) .build();
return client;
}
private static String CreateCertificateAuthority(CertificateAuthorityConfiguration configCA, CrlConfiguration crlConfigure, CertificateAuthorityType CAtype, AWSACMPCA client) {
RevocationConfiguration revokeConfig = new RevocationConfiguration();
revokeConfig.setCrlConfiguration(crlConfigure);
// Create the request object.
CreateCertificateAuthorityRequest createCARequest = new CreateCertificateAuthorityRequest();
createCARequest.withCertificateAuthorityConfiguration(configCA);
createCARequest.withRevocationConfiguration(revokeConfig);
createCARequest.withIdempotencyToken("123987");
createCARequest.withCertificateAuthorityType(CAtype);
// Create the private CA.
CreateCertificateAuthorityResult createCAResult = null;
try {
createCAResult = client.createCertificateAuthority(createCARequest);
} catch (InvalidArgsException ex) {
String rootCAArn = createCAResult.getCertificateAuthorityArn();
System.out.println("Root CA Arn: " + rootCAArn);
return rootCAArn;
}
private static String GetCertificateAuthorityCsr(String rootCAArn, AWSACMPCA client) { // Create the CSR request object and set the CA ARN.
GetCertificateAuthorityCsrRequest csrRequest = new GetCertificateAuthorityCsrRequest();
csrRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the CSR file.
Waiter<GetCertificateAuthorityCsrRequest> getCSRWaiter = client.waiters().certificateAuthorityCSRCreated();
try {
getCSRWaiter.run(new WaiterParameters<>(csrRequest));
} catch (WaiterUnrecoverableException e) {
Create and activate a root CA programmatically }
// Retrieve the CSR.
GetCertificateAuthorityCsrResult csrResult = null;
try {
csrResult = client.getCertificateAuthorityCsr(csrRequest);
} catch (RequestInProgressException ex) {
private static String IssueCertificate(String rootCAArn, String csr, AWSACMPCA client) {
// Create a certificate request:
IssueCertificateRequest issueRequest = new IssueCertificateRequest();
// Set the CA ARN.
issueRequest.withCertificateAuthorityArn(rootCAArn);
// Set the template ARN.
issueRequest.withTemplateArn("arn:aws:acm-pca:::template/RootCACertificate/V1");
ByteBuffer csrByteBuffer = stringToByteBuffer(csr);
issueRequest.setCsr(csrByteBuffer);
// Set the signing algorithm.
issueRequest.withSigningAlgorithm(SigningAlgorithm.SHA256WITHRSA);
// Set the validity period for the certificate to be issued.
Validity validity = new Validity();
validity.withValue(3650L);
validity.withType("DAYS");
issueRequest.withValidity(validity);
// Set the idempotency token.
issueRequest.setIdempotencyToken("1234");
// Issue the certificate.
IssueCertificateResult issueResult = null;
try {
issueResult = client.issueCertificate(issueRequest);
} catch (LimitExceededException ex) {
Create and activate a root CA programmatically }
// Retrieve and display the certificate ARN.
String rootCertificateArn = issueResult.getCertificateArn();
System.out.println("Root Certificate Arn: " + rootCertificateArn);
return rootCertificateArn;
}
private static String GetCertificate(String rootCertificateArn, String rootCAArn, AWSACMPCA client) {
// Create a request object.
GetCertificateRequest certificateRequest = new GetCertificateRequest();
// Set the certificate ARN.
certificateRequest.withCertificateArn(rootCertificateArn);
// Set the certificate authority ARN.
certificateRequest.withCertificateAuthorityArn(rootCAArn);
// Create waiter to wait on successful creation of the certificate file.
Waiter<GetCertificateRequest> getCertificateWaiter = client.waiters().certificateIssued();
try {
getCertificateWaiter.run(new WaiterParameters<>(certificateRequest));
} catch (WaiterUnrecoverableException e) {
GetCertificateResult certificateResult = null;
try {
certificateResult = client.getCertificate(certificateRequest);
} catch (RequestInProgressException ex) {
String rootCertificate = certificateResult.getCertificate();
System.out.println(rootCertificate);
return rootCertificate;
}
private static void ImportCertificateAuthorityCertificate(String rootCertificate, String rootCAArn, AWSACMPCA client) {
// Create the request object and set the signed certificate, chain and CA ARN.
ImportCertificateAuthorityCertificateRequest importRequest = new ImportCertificateAuthorityCertificateRequest();
ByteBuffer certByteBuffer = stringToByteBuffer(rootCertificate);
Create and activate a subordinate CA programmatically importRequest.setCertificate(certByteBuffer);
importRequest.setCertificateChain(null);
// Set the certificate authority ARN.
importRequest.withCertificateAuthorityArn(rootCAArn);
// Import the certificate.
try {
client.importCertificateAuthorityCertificate(importRequest);
} catch (CertificateMismatchException ex) { throw ex;
} catch (MalformedCertificateException ex) { throw ex;
} catch (InvalidArnException ex) { throw ex;
} catch (ResourceNotFoundException ex) { throw ex;
} catch (RequestInProgressException ex) { throw ex;
} catch (ConcurrentModificationException ex) { throw ex;
} catch (RequestFailedException ex) { throw ex;
}
System.out.println("Root CA certificate successfully imported.");
System.out.println("Root CA activated successfully.");
}
private static ByteBuffer stringToByteBuffer(final String string) { if (Objects.isNull(string)) {
return null;
}
byte[] bytes = string.getBytes(StandardCharsets.UTF_8);
return ByteBuffer.wrap(bytes);
} }