@@ -45,6 +45,14 @@ yubico-piv-tool --action=generate -s 9a -o tmp.pub
```
yubico-piv-tool --action=verify --action=request --subject="/CN=brad.poulton@accenturefederal.com/C=US/ST=VA/L=Arlington/OU=XDR/O=Accenture Federal Services/" --algorithm=RSA2048 --hash=SHA256 -s 9a -i tmp.pub -o tmp.csr
```
+
+1. Reencode the CSR
+
+To reencode as base64:
+```
+openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64
+```
+
1. Sign the CSR
* For Template information, seehttps://docs.aws.amazon.com/acm-pca/latest/userguide/UsingTemplates.html (remember to change arn to aws-us-gov)
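Review bot: the relocated `1. Reencode the CSR` step reads as mandatory, but the base64 pass is only needed when the AWS CLI treats `file://` blob arguments as base64 text (the AWS CLI v2 default, `cli_binary_format=base64`); with CLI v1, or v2 configured with `raw-in-base64-out`, feeding the re-encoded file to `--csr` hands the CA base64 text instead of a PEM CSR. Add one sentence stating that condition at the step, or drop the step in favour of `fileb://./tmp.csr`, which passes the raw PEM bytes on either CLI version. Note also that `-o tmp.csr` from the `--action=request` step is already PEM, so `openssl req -in tmp.csr -outform pem` only re-serialises it; if the step is kept, its real value is that it fails loudly on a malformed CSR before the CA is called, which is worth saying.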
@@ -79,7 +87,7 @@ Maybe:
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca issue-certificate \
--api-passthrough file://./tmp.policy \
--certificate-authority-arn arn:aws-us-gov:acm-pca:us-gov-east-1:701290387780:certificate-authority/cb0ea325-a347-4297-9cb8-2134410c3889 \
- --csr file://./tmp.csr \
+ --csr file://./tmp.csr.b64 \
--signing-algorithm SHA512WITHECDSA \
--template-arn arn:aws-us-gov:acm-pca:::template/EndEntityClientAuthCertificate_APIPassthrough/V1 \
--validity Value=820,Type=DAYS
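Review bot: swapping `--csr file://./tmp.csr` for `--csr file://./tmp.csr.b64` fixes the command for AWS CLI v2 defaults but breaks it for anyone on CLI v1 (or v2 with `cli_binary_format=raw-in-base64-out`), where the `file://` contents are sent to the API as the blob itself and ACM PCA receives base64 text rather than a CSR. `--csr fileb://./tmp.csr` reads the PEM as raw bytes on both versions and removes the need for the intermediate `tmp.csr.b64` file entirely; if the base64 file is kept, state which CLI version the runbook assumes next to the command. The `--api-passthrough file://./tmp.policy` argument on the same command is a JSON structure, not a blob, so it is unaffected either way.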
@@ -92,12 +100,6 @@ output should be something like:
}
```
-MAY NEED TO BASE64 ENCODE THE CSR. Duane's machine required it, but Fred's did not.
-To reencode as base64:
-```
-openssl req -in tmp.csr -outform pem | base64 > tmp.csr.b64
-```
-
1. Get the certificate that was issued. Be sure to update the certificate-arn to what you got.
```
aws --profile mdr-common-services-gov --region us-gov-east-1 acm-pca get-certificate \
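Review bot: deleting the `MAY NEED TO BASE64 ENCODE THE CSR` note drops the only record that the encoding requirement was environment-dependent ("Duane's machine required it, but Fred's did not") without carrying the reason forward to the relocated step. The difference is AWS CLI v1 versus v2 blob handling (v2 defaults to `cli_binary_format=base64`), not the machine, so replace the removed note with one line at the new step naming that condition; otherwise the next person whose CLI rejects `tmp.csr.b64` has to rediscover it.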