Issue private end-entity certificates - AWS Private Certificate Authority

Issue private end-entity certificates

With a private CA in place, you can request private end-entity certificates from either AWS Certificate Manager (ACM) or AWS Private CA. The capabilities of both services are compared in the following table.

Capability

ACM

AWS Private CA

Issue end-entity certificates

✓ (using RequestCertificate or the console)

✓ (using IssueCertificate)

Association with load balancers and internet-facing AWS services

Not supported

Managed certificate renewal Indirectly supported through ACM

Console support

Not supported

API support

CLI support

When AWS Private CA creates a certificate, it follows a template that specifies the certificate type and path length. If no template ARN is supplied to the API or CLI statement creating the certificate, the EndEntityCertificate/V1 template is applied by default. For more information about available certificate templates, see Use AWS Private CA certificate templates.

While ACM certificates are designed around public trust, AWS Private CA serves the needs of your private PKI. Consequently, you can configure certificates using the AWS Private CA API and CLI in ways not permitted by ACM. These include the following:

After creating a private TLS certificate using AWS Private CA, you can import it into ACM and use it with a supported AWS service.

Note

Certificates created with the procedure below, using the issue-certificate command, or with the IssueCertificate API action, cannot be directly exported for use outside AWS. However, you can use your private CA to sign certificates issued through ACM, and those certificates can be exported along with their secret keys. For more information, see Requesting a private certificate and Exporting a private certificate in the ACM User Guide.

Issue a standard certificate (AWS CLI)

You can use the AWS Private CA CLI command issue-certificate or the API action IssueCertificate to request an end-entity certificate. This command requires the Amazon Resource Name (ARN) of the private CA that you want to use to issue the certificate. You must also generate a certificate signing request (CSR) using a program such as OpenSSL.

If you use the AWS Private CA API or AWS CLI to issue a private certificate, the certificate is unmanaged, meaning that you cannot use the ACM console, ACM CLI, or ACM API to view or export it, and the certificate is not automatically renewed. However, you can use the PCA get-certificate command to retrieve the certificate details, and if you own the CA, you can create an audit report.

Considerations when creating certificates

  • In compliance with RFC 5280, the length of the domain name (technically, the Common Name) that you provide cannot exceed 64 octets (characters), including periods. To add a longer domain name, specify it in the Subject Alternative Name field, which supports names up to 253 octets in length.

  • If you are using AWS CLI version 1.6.3 or later, use the prefix fileb:// when specifying base64-encoded input files such as CSRs. This ensures that AWS Private CA parses the data correctly.

The following OpenSSL command generates a CSR and a private key for a certificate:

$ openssl req -out csr.pem -new -newkey rsa:2048 -nodes -keyout private-key.pem

You can inspect the content of the CSR as follows:

$ openssl req -in csr.pem -text -noout

The resulting output should resemble the following abbreviated example:

Certificate Request: Data: Version: 0 (0x0) Subject: C=US, O=Big Org, CN=example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ca:85:f4:3a:b7:5f:e2:66:be:fc:d8:97:65:3d: a4:3d:30:c6:02:0a:9e:1c:ca:bb:15:63:ca:22:81: 00:e1:a9:c0:69:64:75:57:56:53:a1:99:ee:e1:cd: ... aa:38:73:ff:3d:b7:00:74:82:8e:4a:5d:da:5f:79: 5a:89:52:e7:de:68:95:e0:16:9b:47:2d:57:49:2d: 9b:41:53:e2:7f:e1:bd:95:bf:eb:b3:a3:72:d6:a4: d3:63 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 74:18:26:72:33:be:ef:ae:1d:1e:ff:15:e5:28:db:c1:e0:80: 42:2c:82:5a:34:aa:1a:70:df:fa:4f:19:e2:5a:0e:33:38:af: 21:aa:14:b4:85:35:9c:dd:73:98:1c:b7:ce:f3:ff:43:aa:11: .... 3c:b2:62:94:ad:94:11:55:c2:43:e0:5f:3b:39:d3:a6:4b:47: 09:6b:9d:6b:9b:95:15:10:25:be:8b:5c:cc:f1:ff:7b:26:6b: fa:81:df:e4:92:e5:3c:e5:7f:0e:d8:d9:6f:c5:a6:67:fb:2b: 0b:53:e5:22

The following command creates a certificate. Because no template is specified, a base end-entity certificate is issued by default.

$ aws acm-pca issue-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \ --csr fileb://csr.pem \ --signing-algorithm "SHA256WITHRSA" \ --validity Value=365,Type="DAYS"

The ARN of the issued certificate is returned:

{ "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID" }
Note

AWS Private CA immediately returns an ARN with a serial number when it receives the issue-certificate command. However, certificate processing happens asynchronously and can still fail. If this happens, a get-certificate command using the new ARN will also fail.

Issue a certificate with a custom subject name using an APIPassthrough template

In this example, a certificate is issued containing customized subject name elements. In addition to supplying a CSR like the one in Issue a standard certificate (AWS CLI), you pass two additional arguments to the issue-certificate command: the ARN of an APIPassthrough template, and a JSON configuration file that specifies the custom attributes and their object identifiers (OIDs). You cannot use StandardAttributes in conjunction with CustomAttributes. however, you can pass standard OIDs as part of CustomAttributes. The default subject name OIDs are listed in the following table (information from RFC 4519 and Global OID reference database):

Subject name

Abbreviation

Object ID

countryName

c

2.5.4.6

commonName

cn

2.5.4.3

dnQualifier [distinguished name qualifier]

2.5.4.46

generationQualifier

2.5.4.44

givenName

2.5.4.42

initials

2.5.4.43

locality

l

2.5.4.7

organizationName

o

2.5.4.10

organizationalUnitName

ou

2.5.4.11

pseudonym

2.5.4.65

serialNumber

2.5.4.5

st [state]

2.5.4.8

surname

sn

2.5.4.4

title

2.5.4.12

domainComponent

dc

0.9.2342.19200300.100.1.25

userid

0.9.2342.19200300.100.1.1

The sample configuration file api_passthrough_config.txt contains the following code:

{ "Subject": { "CustomAttributes": [ { "ObjectIdentifier": "2.5.4.6", "Value": "US" }, { "ObjectIdentifier": "1.3.6.1.4.1.37244.1.1", "Value": "BCDABCDA12341234" }, { "ObjectIdentifier": "1.3.6.1.4.1.37244.1.5", "Value": "CDABCDAB12341234" } ] } }

Use the following command to issue the certificate:

$ aws acm-pca issue-certificate \ --validity Type=DAYS,Value=10 --signing-algorithm "SHA256WITHRSA" \ --csr fileb://csr.pem \ --api-passthrough file://api_passthrough_config.txt \ --template-arn arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V1 \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566

The ARN of the issued certificate is returned:

{ "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID" }

Retrieve the certificate locally as follows:

$ aws acm-pca get-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \ --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID | \ jq -r .'Certificate' > cert.pem

You can inspect the certificate's contents using OpenSSL:

$ openssl x509 -in cert.pem -text -noout
Note

It is also possible to create a private CA that passes custom attributes to each certificate it issues.

Issue a certificate with custom extensions using an APIPassthrough template

In this example, a certificate is issued that contains customized extensions. For this you need to pass three arguments to the issue-certificate command: the ARN of an APIPassthrough template, and a JSON configuration file that specifies the custom extensions, and a CSR like the one shown in Issue a standard certificate (AWS CLI).

The sample configuration file api_passthrough_config.txt contains the following code:

{ "Extensions": { "CustomExtensions": [ { "ObjectIdentifier": "2.5.29.30", "Value": "MBWgEzARgg8ucGVybWl0dGVkLnRlc3Q=", "Critical": true } ] } }

The customized certificate is issued as follows:

$ aws acm-pca issue-certificate \ --validity Type=DAYS,Value=10 --signing-algorithm "SHA256WITHRSA" \ --csr fileb://csr.pem \ --api-passthrough file://api_passthrough_config.txt \ --template-arn arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566

The ARN of the issued certificate is returned:

{ "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID" }

Retrieve the certificate locally as follows:

$ aws acm-pca get-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566 \ --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID | \ jq -r .'Certificate' > cert.pem

You can inspect the certificate's contents using OpenSSL:

$ openssl x509 -in cert.pem -text -noout