In cryptography, X.509 is an ITU-T standard for public key infrastructure (PKI). X.509 specifies, amongst other things, standard formats for public key certificates and a certification path validation algorithm.
AWS does not implement a full Public Key Infrastructure (PKI). The certificate information is used only to authenticate requests to AWS.
AWS accepts any syntactically and cryptographically valid X.509 certificate. AWS will not verify that the certificate is unexpired or unrevoked. Certificates can be self-signed or signed by any key. Certificates generated by AWS are self-signed certificates with no expiration time.
Every request to SQS must contain authentication information to establish the identity of the principal making the request. In SOAP, the authentication information is put into the following elements of the SOAP request:
AWSAccessKeyId: Your AWS Access Key ID
Timestamp: This must be a dateTime (http://www.w3.org/TR/xmlschema-2/#dateTime) in the Coordinated Universal Time (Greenwich Mean Time) time zone, such as 2005-01-31T23:59:59.183Z. Authorization will fail if this timestamp is more than 15 minutes away from the clock on AWS servers.
Signature: The RFC 2104 HMAC-SHA1 digest (http://www.ietf.org/rfc/rfc2104.txt) of the concatenation of Operation + Timestamp, using your AWS Secret Access Key as the key. For example, in the following sample request, the Signature element would contain the HMAC-SHA1 digest of the value "OperationName2005-01-31T23:59:59.183Z".
Example
<OperationName xmlns="http://service.amazonaws.com/doc/2006-03-01/">
    ..< … >
    <AWSAccessKeyId>1D9FVRAYCP1VJS767E02</AWSAccessKeyId>
    <Timestamp>2005-01-31T23:59:59.183Z</Timestamp>
    <Signature>SZf1CHmQ/nrZbsrC13hCZS061yws</Signature>
</OperationName>
Note: Due to different interpretations regarding how extra time precision should be dropped, .NET users should take care not to send overly specific time stamps. This can be accomplished by manually constructing DateTime objects with only millisecond precision.
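The following is an added example, not code from the AWS documentation: it computes the Signature value described above (base64 of the HMAC-SHA1 over Operation + Timestamp, keyed with the Secret Access Key), formats a timestamp with the millisecond precision the note calls for, and shows the receiving-side checks a verifier would apply, including the 15-minute clock window. The secret key and operation name are constructed values.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample credential; not a real AWS Secret Access Key.
SECRET_KEY = "example-secret-access-key"


def sqs_soap_signature(operation: str, timestamp: str, secret_key: str) -> str:
    """Base64 of HMAC-SHA1(secret_key, operation + timestamp), as the Signature element carries it."""
    string_to_sign = (operation + timestamp).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), string_to_sign, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def format_timestamp(dt: datetime) -> str:
    """Render a datetime as UTC xsd:dateTime with exactly millisecond precision (e.g. 2005-01-31T23:59:59.183Z)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_timestamp(timestamp: str) -> datetime:
    """Parse the Timestamp element; fractional seconds are optional in xsd:dateTime."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(timestamp, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"not a UTC xsd:dateTime: {timestamp!r}")


def timestamp_within_window(timestamp: str, server_now: datetime, window_minutes: int = 15) -> bool:
    """Server-side freshness check: reject timestamps more than 15 minutes from the server clock."""
    return abs(server_now - parse_timestamp(timestamp)) <= timedelta(minutes=window_minutes)


def verify_request(operation: str, timestamp: str, presented_signature: str,
                   secret_key: str, server_now: datetime) -> bool:
    """Accept only a fresh timestamp whose signature matches; compare in constant time."""
    if not timestamp_within_window(timestamp, server_now):
        return False
    expected = sqs_soap_signature(operation, timestamp, secret_key)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    ts = format_timestamp(datetime.now(timezone.utc))
    print(ts, sqs_soap_signature("OperationName", ts, SECRET_KEY))
```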
You can use your own X.509 certificate or use one generated by AWS. See X.509 Certificate Identifiers for more information.
Signed messages must contain an expiration timestamp, represented as an Expires element within a Timestamp element in the WS-Security header. The Expires element should not have a ValueType attribute, and the Timestamp element may have a Created child element.
The SoapContext.Security.Elements collection allows adding various WS-Security conformant elements. The following code sample demonstrates how to sign a request:
Example
// cert is the X.509 certificate to sign with; wse is the WSE-enabled service proxy.
X509SecurityToken crtTkn = new X509SecurityToken(cert);
wse.RequestSoapContext.Security.Tokens.Add(crtTkn);
wse.RequestSoapContext.Security.Elements.Add(new Signature(crtTkn));