Manage Certificate-based Authentication - Amazon AppStream 2.0

Manage Certificate-based Authentication

After you enable certificate-based authentication, review the following tasks.

Private CA Certificate

In a typical configuration, the private CA certificate has a validity period of 10 years. For more information about replacing a private CA with an expired certificate, or reissuing the private CA with a new validity period, see Managing the private CA lifecycle.

End User Certificates

End user certificates issued by AWS Private CA for AppStream 2.0 certificate-based authentication don't require renewal or revocation. These certificates are short-lived. AppStream 2.0 automatically issues a new certificate for each new session, or every 24 hours for sessions with a long duration. The AppStream 2.0 session governs the use of these end user certificates. If you end a session, AppStream 2.0 stops using that certificate. These end user certificates have a shorter validity period than a typical AWS Private CA CRL distribution. As a result, end user certificates don't need to be revoked and won't appear in a CRL.

Audit Reports

You can create an audit report to list all of the certificates that your private CA has issued or revoked. For more information, see Using audit reports with your private CA.

Logging and Monitoring

You can use CloudTrail to record the API calls that AppStream 2.0 makes to a private CA. For more information, see What Is AWS CloudTrail? and Using CloudTrail. In CloudTrail Event history, you can view GetCertificate and IssueCertificate event names from the acm-pca.amazonaws.com event source made by the AppStream 2.0 EcmAssumeRoleSession user name. These events are recorded for every AppStream 2.0 certificate-based authentication request. For more information, see Viewing events with CloudTrail Event history.
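One way to review these events offline, as an added example that is not part of the AWS documentation: it filters constructed CloudTrail records for the acm-pca.amazonaws.com GetCertificate and IssueCertificate events made by EcmAssumeRoleSession, and lists any other principal that called the same private CA so that it can be checked against your expected callers. The account ID, role name and user names are placeholders, and deriving the displayed user name from the session segment of the assumed-role ARN is an assumption about the record layout.

```python
import json
from collections import Counter

# Constructed sample CloudTrail records (not real log data). The account ID,
# role name, user names and times are placeholders.
SAMPLE_RECORDS = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "IssueCertificate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppStreamCbaRole/EcmAssumeRoleSession"}},
    {"eventTime": "2024-05-01T08:00:05Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "GetCertificate",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppStreamCbaRole/EcmAssumeRoleSession"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "acm-pca.amazonaws.com",
     "eventName": "IssueCertificate",
     "userIdentity": {"type": "IAMUser", "userName": "some-admin"}},
    {"eventTime": "2024-05-01T09:31:00Z", "eventSource": "appstream.amazonaws.com",
     "eventName": "DescribeFleets",
     "userIdentity": {"type": "IAMUser", "userName": "some-admin"}},
]})

CBA_EVENT_SOURCE = "acm-pca.amazonaws.com"
CBA_EVENT_NAMES = {"IssueCertificate", "GetCertificate"}
APPSTREAM_SESSION_NAME = "EcmAssumeRoleSession"


def caller_name(record):
    """Return the user name CloudTrail Event history displays for a record.
    Assumption: for an assumed role this is the session name, the last ARN segment."""
    identity = record.get("userIdentity", {})
    if identity.get("type") == "AssumedRole":
        return identity.get("arn", "").rsplit("/", 1)[-1]
    return identity.get("userName", "")


def summarize_cba_events(raw_json):
    """Count the private CA calls made by the AppStream 2.0 session and collect
    calls to the same API from any other principal for review."""
    records = json.loads(raw_json)["Records"]
    appstream_calls = Counter()
    other_callers = []
    for rec in records:
        if rec.get("eventSource") != CBA_EVENT_SOURCE:
            continue
        if rec.get("eventName") not in CBA_EVENT_NAMES:
            continue
        name = caller_name(rec)
        if name == APPSTREAM_SESSION_NAME:
            appstream_calls[rec["eventName"]] += 1
        else:
            other_callers.append((rec["eventTime"], rec["eventName"], name))
    return appstream_calls, other_callers
```

Feed it the Records array from a CloudTrail log file or a LookupEvents export; the second return value is the list worth reconciling against the principals you expect to use that CA.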