简体繁体 English

使用AWS作为证书存储

[英]Using AWS as certificate store

原文 2017-09-15 09:50:32 4 1 java/ amazon-web-services/ certificate

I have an application that generates PDF documents and sign them. 我有一个生成PDF文档并对其签名的应用程序。 The signature requires a certificate. 签名需要证书。

I would like to avoid certificate management headache (securing storage, access, etc). 我想避免证书管理的麻烦（确保存储，访问等）。 Therefore, I wonder if it possible to use AWS ACM for that? 因此，我想知道是否可以为此使用AWS ACM？ For example, loading the certificate from ACM at application startup. 例如，在应用程序启动时从ACM加载证书。

In AWS ACM documentation, I see there is a Java SDK that allows me to get a certificate remotely. 在AWS ACM文档中，我看到有一个Java SDK可让我远程获取证书。 However, I'm not sure if it also includes the private key which I need to sign the PDF documents. 但是，我不确定它是否还包含我需要签署PDF文档的私钥。

1 个解决方案

ACM does not allow you to access the private key of your certificates. ACM不允许您访问证书的私钥。 Only ELB, ALB, and CloudFront have access to the private keys. 只有ELB，ALB和CloudFront可以访问私钥。 So it's not a fit, here. 所以这不适合。

EC2 Systems Manager Parameter Store should provide exactly what you need, though. 不过，EC2 Systems Manager参数存储应提供您所需要的。

It is a hierarchical key/value encrypted store where each "parameter" (value) is (optionally) encrypted at rest. 它是一个分层的键/值加密存储，其中的每个“参数”（值）（可选）都处于静止状态。 IAM permissions allow granular access control to specific parameters. IAM权限允许对特定参数进行精细的访问控制。 The values can be up to 4096 characters, each, the hierarchy supports 5 levels, and has nice compliance controls. 该值最多可以包含4096个字符，每个层次结构支持5个级别，并具有良好的合规性控件。 If you change a parameter, it automatically tracks when and who made the change. 如果更改参数，它将自动跟踪进行更改的时间和对象。

The parameter store is available regardless of whether you are actually using anything else in EC2 Systems Manager. 无论您是否实际在EC2 Systems Manager中使用其他任何功能，参数存储都可用。