Issuing private end-entity certificates
With a private CA in place, you can request private end-entity certificates from either AWS Certificate Manager (ACM) or AWS Private CA. The capabilities of both services are compared in the following table.
|
Capability |
ACM |
AWS Private CA |
|---|---|---|
|
Issue end-entity certificates |
✓ (using RequestCertificate or the console) |
✓ (using IssueCertificate) |
|
Association with load balancers and internet-facing AWS services |
✓ |
Not supported |
| Managed certificate renewal | ✓ | Indirectly supported through ACM |
|
Console support |
✓ |
Not supported |
|
API support |
✓ |
✓ |
|
CLI support |
✓ |
✓ |
When AWS Private CA creates a certificate, it follows a template that specifies the certificate type and path length. If no template ARN is supplied to the API or CLI statement creating the certificate, the EndEntityCertificate/V1 template is applied by default. For more information about available certificate templates, see Understanding certificate templates.
While ACM certificates are designed around public trust, AWS Private CA serves the needs of your private PKI. Consequently, you can configure certificates using the AWS Private CA API and CLI in ways not permitted by ACM. These include the following:
-
Creating a certificate with any Subject name.
-
Using any of the supported private key algorithms and key lengths.
-
Using any of the supported signing algorithms.
-
Specifying any validity period for your private CA and private certificates.
After creating a private TLS certificate using AWS Private CA, you can import it into ACM and use it with a supported AWS service.
Note
Certificates created with the procedure below, using the issue-certificate command, or with the IssueCertificate API action, cannot be directly exported for use outside AWS. However, you can use your private CA to sign certificates issued through ACM, and those certificates can be exported along with their secret keys. For more information, see Requesting a private certificate and Exporting a private certificate in the ACM User Guide.
Issuing a standard certificate (AWS CLI)
You can use the AWS Private CA CLI command issue-certificate or the API action
IssueCertificate to
request an end-entity certificate. This command requires the Amazon Resource Name (ARN)
of the private CA that you want to use to issue the certificate. You must also generate
a certificate signing request (CSR) using a program such as OpenSSL
If you use the AWS Private CA API or AWS CLI to issue a private certificate, the certificate is unmanaged, meaning that you cannot use the ACM console, ACM CLI, or ACM API to view or export it, and the certificate is not automatically renewed. However, you can use the PCA get-certificate command to retrieve the certificate details, and if you own the CA, you can create an audit report.
Considerations when creating certificates
In compliance with RFC 5280
, the length of the domain name (technically, the Common Name) that you provide cannot exceed 64 octets (characters), including periods. To add a longer domain name, specify it in the Subject Alternative Name field, which supports names up to 253 octets in length. -
If you are using AWS CLI version 1.6.3 or later, use the prefix
fileb://when specifying base64-encoded input files such as CSRs. This ensures that AWS Private CA parses the data correctly.
The following OpenSSL command generates a CSR and a private key for a certificate:
$openssl req -outcsr.pem-new -newkey rsa:2048-nodes -keyoutprivate-key.pem
You can inspect the content of the CSR as follows:
$openssl req -incsr.pem-text -noout
The resulting output should resemble the following abbreviated example:
Certificate Request: Data: Version: 0 (0x0) Subject: C=US, O=Big Org, CN=example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:ca:85:f4:3a:b7:5f:e2:66:be:fc:d8:97:65:3d: a4:3d:30:c6:02:0a:9e:1c:ca:bb:15:63:ca:22:81: 00:e1:a9:c0:69:64:75:57:56:53:a1:99:ee:e1:cd: ... aa:38:73:ff:3d:b7:00:74:82:8e:4a:5d:da:5f:79: 5a:89:52:e7:de:68:95:e0:16:9b:47:2d:57:49:2d: 9b:41:53:e2:7f:e1:bd:95:bf:eb:b3:a3:72:d6:a4: d3:63 Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha256WithRSAEncryption 74:18:26:72:33:be:ef:ae:1d:1e:ff:15:e5:28:db:c1:e0:80: 42:2c:82:5a:34:aa:1a:70:df:fa:4f:19:e2:5a:0e:33:38:af: 21:aa:14:b4:85:35:9c:dd:73:98:1c:b7:ce:f3:ff:43:aa:11: .... 3c:b2:62:94:ad:94:11:55:c2:43:e0:5f:3b:39:d3:a6:4b:47: 09:6b:9d:6b:9b:95:15:10:25:be:8b:5c:cc:f1:ff:7b:26:6b: fa:81:df:e4:92:e5:3c:e5:7f:0e:d8:d9:6f:c5:a6:67:fb:2b: 0b:53:e5:22
The following command creates a certificate. Because no template is specified, a base end-entity certificate is issued by default.
$aws acm-pca issue-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566\ --csr fileb://csr.pem\ --signing-algorithm "SHA256WITHRSA" \ --validity Value=365,Type="DAYS"
The ARN of the issued certificate is returned:
{
"CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}Note
AWS Private CA immediately returns an ARN with a serial number when it receives the issue-certificate command. However, certificate processing happens asynchronously and can still fail. If this happens, a get-certificate command using the new ARN will also fail.
Issue a certificate with a custom subject name using an APIPassthrough template
In this example, a certificate is issued containing customized subject name elements.
In addition to supplying a CSR like the one in Issuing a standard certificate (AWS CLI), you pass two additional arguments to the
issue-certificate command: the ARN of an APIPassthrough template,
and a JSON configuration file that specifies the custom attributes and their object
identifiers (OIDs). You cannot use StandardAttributes in conjunction with
CustomAttributes. however, you can pass standard OIDs as part of
CustomAttributes. The default subject name OIDs are listed in the
following table (information from RFC 4519
|
Subject name |
Abbreviation |
Object ID |
|---|---|---|
|
countryName |
c |
2.5.4.6 |
|
commonName |
cn |
2.5.4.3 |
|
dnQualifier [distinguished name qualifier] |
2.5.4.46 |
|
|
generationQualifier |
2.5.4.44 |
|
|
givenName |
2.5.4.42 |
|
|
initials |
2.5.4.43 |
|
|
locality |
l |
2.5.4.7 |
|
organizationName |
o |
2.5.4.10 |
|
organizationalUnitName |
ou |
2.5.4.11 |
|
pseudonym |
2.5.4.65 |
|
|
serialNumber |
2.5.4.5 |
|
|
st [state] |
2.5.4.8 |
|
|
surname |
sn |
2.5.4.4 |
|
title |
2.5.4.12 |
|
|
domainComponent |
dc |
0.9.2342.19200300.100.1.25 |
|
userid |
0.9.2342.19200300.100.1.1 |
The sample configuration file api_passthrough_config.txt contains the
following code:
{ "Subject": { "CustomAttributes": [ { "ObjectIdentifier": "2.5.4.6", "Value": "US" }, { "ObjectIdentifier": "1.3.6.1.4.1.37244.1.1", "Value": "BCDABCDA12341234" }, { "ObjectIdentifier": "1.3.6.1.4.1.37244.1.5", "Value": "CDABCDAB12341234" } ] } }
Use the following command to issue the certificate:
$aws acm-pca issue-certificate \ --validity Type=DAYS,Value=10--signing-algorithm "SHA256WITHRSA" \ --csr fileb://csr.pem\ --api-passthrough file://api_passthrough_config.txt\ --template-arn arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V1 \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566
The ARN of the issued certificate is returned:
{ "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID" }
Retrieve the certificate locally as follows:
$aws acm-pca get-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566\ --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID| \ jq -r .'Certificate' >cert.pem
You can inspect the certificate's contents using OpenSSL:
$openssl x509 -incert.pem-text -noout
Note
It is also possible to create a private CA that passes custom attributes to each certificate it issues.
Issue a certificate with custom extensions using an APIPassthrough template
In this example, a certificate is issued that contains customized extensions. For this you need to pass three arguments to the issue-certificate command: the ARN of an APIPassthrough template, and a JSON configuration file that specifies the custom extensions, and a CSR like the one shown in Issuing a standard certificate (AWS CLI).
The sample configuration file api_passthrough_config.txt contains the
following code:
{ "Extensions": { "CustomExtensions": [ { "ObjectIdentifier": "2.5.29.30", "Value": "MBWgEzARgg8ucGVybWl0dGVkLnRlc3Q=", "Critical": true } ] } }
The customized certificate is issued as follows:
$aws acm-pca issue-certificate \ --validity Type=DAYS,Value=10 --signing-algorithm "SHA256WITHRSA" \ --csr fileb://csr.pem\ --api-passthrough file://api_passthrough_config.txt\ --template-arn arn:aws:acm-pca:::template/EndEntityCertificate_APIPassthrough/V1 \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566
The ARN of the issued certificate is returned:
{
"CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID"
}Retrieve the certificate locally as follows:
$aws acm-pca get-certificate \ --certificate-authority-arn arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566\ --certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID| \ jq -r .'Certificate' >cert.pem
You can inspect the certificate's contents using OpenSSL:
$openssl x509 -incert.pem-text -noout
