Step 1: Getting a certificate signing request (CSR) from ACM Private CA
If you have created a private subordinate CA that you want to have signed by an external CA, you must retrieve its certificate signing request (CSR) and save it to a file. You can do this using the AWS Management Console or the AWS CLI, as described in the procedures that follow.
How to obtain a CSR (console): Case 1
Use this procedure if you followed the steps to create a private CA in ACM Private CA and left the Success dialog box open. These procedures assume that while creating the CA, you specified that it was a subordinate CA.
To obtain a CSR (console): Case 1
- Immediately after ACM Private CA has successfully created your private CA, in the Success! window, choose Install CA certificate.
- Choose External private CA and Next.
- On the Export CSR page, the console returns the CSR. Choose Export CSR to a file and save it locally.
- If you cannot immediately perform the offline steps to obtain a signed certificate from your external signing authority, choose Cancel. Once you possess a signed certificate and a certificate chain, you can use the How to obtain a CSR (console): Case 2 procedure to import them into ACM Private CA.
  Otherwise, if you are ready, choose Next.
- Follow the instructions in Step 2: Signing the private CA certificate.
How to obtain a CSR (console): Case 2
Use this procedure if you followed the steps to create a private CA in ACM Private CA and closed the Success! window by choosing Cancel.
To obtain a CSR (console): Case 2
- Sign in to your AWS account and open the ACM Private CA console at https://console.aws.amazon.com/acm-pca/home.
- On the Private certificate authorities page, choose your private CA from the list.
- Choose Actions, Install CA certificate.
- On the Install subordinate CA certificate page, choose External private CA and Next.
- The ACM Private CA console returns the CSR. Choose Export CSR to a file and save it locally.
- Choose Next.
- Follow the instructions in Step 2: Signing the private CA certificate.
Retrieving a CSR (AWS CLI)
Use this procedure to retrieve a CSR using the AWS Command Line Interface.
To retrieve a CSR (AWS CLI)
- Use the get-certificate-authority-csr command to retrieve the certificate signing request (CSR) for your private CA. If you want to send the CSR to your display, use the --output text option to eliminate CR/LF characters from the end of each line. To send the CSR to a file, use the redirect option (>) followed by a file name.

    $ aws acm-pca get-certificate-authority-csr \
        --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
        --output text

- Follow the instructions in Step 2: Signing the private CA certificate.
After saving a CSR as a local file, you can inspect it by using the following OpenSSL command:

    openssl req -in path_to_CSR_file -text -noout

This command generates output similar to the following. Notice that the CA extension is TRUE, indicating that the CSR is for a CA certificate.
Certificate Request:
Data:
Version: 0 (0x0)
Subject: O=ExampleCompany, OU=Corporate Office, CN=Example CA 1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d4:23:51:b3:dd:01:09:01:0b:4c:59:e4:ea:81:
1d:7f:48:36:ef:2a:e9:45:82:ec:95:1d:c6:d7:c9:
7f:19:06:73:c5:cd:63:43:14:eb:c8:03:82:f8:7b:
c7:89:e6:8d:03:eb:b6:76:58:70:f2:cb:c3:4c:67:
ea:50:fd:b9:17:84:b8:60:2c:64:9d:2e:d5:7d:da:
46:56:38:34:a9:0d:57:77:85:f1:6f:b8:ce:73:eb:
f7:62:a7:8e:e6:35:f5:df:0c:f7:3b:f5:7f:bd:f4:
38:0b:95:50:2c:be:7d:bf:d9:ad:91:c3:81:29:23:
b2:5e:a6:83:79:53:f3:06:12:20:7e:a8:fa:18:d6:
a8:f3:a3:89:a5:a3:6a:76:da:d0:97:e5:13:bc:84:
a6:5c:d6:54:1a:f0:80:16:dd:4e:79:7b:ff:6d:39:
b5:67:56:cb:02:6b:14:c3:17:06:0e:7d:fb:d2:7e:
1c:b8:7d:1d:83:13:59:b2:76:75:5e:d1:e3:23:6d:
8a:5e:f5:85:ca:d7:e9:a3:f1:9b:42:9f:ed:8a:3c:
14:4d:1f:fc:95:2b:51:6c:de:8f:ee:02:8c:0c:b6:
3e:2d:68:e5:f8:86:3f:4f:52:ec:a6:f0:01:c4:7d:
68:f3:09:ae:b9:97:d6:fc:e4:de:58:58:37:09:9a:
f6:27
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
c5:64:0e:6c:cf:11:03:0b:b7:b8:9e:48:e1:04:45:a0:7f:cc:
a7:fd:e9:4d:c9:00:26:c5:6e:d0:7e:69:7a:fb:17:1f:f3:5d:
ac:f3:65:0a:96:5a:47:3c:c1:ee:45:84:46:e3:e6:05:73:0c:
ce:c9:a0:5e:af:55:bb:89:46:21:92:7b:10:96:92:1b:e6:75:
de:02:13:2d:98:72:47:bd:b1:13:1a:3d:bb:71:ae:62:86:1a:
ee:ae:4e:f4:29:2e:d6:fc:70:06:ac:ca:cf:bb:ee:63:68:14:
8e:b2:8f:e3:8d:e8:8f:e0:33:74:d6:cf:e2:e9:41:ad:b6:47:
f8:2e:7d:0a:82:af:c6:d8:53:c2:88:a0:32:05:09:e0:04:8f:
79:1c:ac:0d:d4:77:8e:a6:b2:5f:07:f8:1b:e3:98:d4:12:3d:
28:32:82:b5:50:92:a4:b2:4c:28:fc:d2:73:75:75:ff:10:33:
2c:c0:67:4b:de:fd:e6:69:1c:a8:bb:e8:31:93:07:35:69:b7:
d6:53:37:53:d5:07:dd:54:35:74:50:50:f9:99:7d:38:b7:b6:
7f:bd:6c:b8:e4:2a:38:e5:04:00:a8:a3:d9:e5:06:38:e0:38:
4c:ca:a9:3c:37:6d:ba:58:38:11:9c:30:08:93:a5:62:00:18:
d1:83:66:40