Secure internal services with SSL using AWS private hosted zone with private certificate
Step 1:
Generate your Private CA on AWS Certificate Manager
Step 2:
Generate a CSR and a private key for the certificate using OpenSSL:
openssl req -out csr.pem -new -newkey rsa:2048 -nodes -keyout private-key.pem
The working directory now contains:
private-key.pem
csr.pem
Keep these two files; we will use them later.
Step 3:
Inspect the csr.pem:
openssl req -in csr.pem -text -noout
Step 4:
Issue the certificate using the issue-certificate command:
aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://csr.pem --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234
The issued certificate does not appear in AWS Certificate Manager immediately; after creation it just sits with the private CA until you import it into AWS Certificate Manager manually.
The command returns output like the following:
{ "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID" }
AWS Private CA immediately returns an ARN with a serial number when it receives the issue-certificate command. However, certificate processing happens asynchronously and can still fail. If this happens, a get-certificate command using the new ARN will also fail.
Step 5:
Save the certificate body and the certificate chain as .pem files using the following commands (use the certificate ARN returned above):
- Certificate chain:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem
- Certificate body:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
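As an added example (not from the original post), the following script performs the checks worth running on the files from Steps 2 and 5 before importing them in Step 6: that certfile.pem chains to certchain.pem, that private-key.pem matches the issued certificate, and that the certificate's SAN covers the service hostname. A throwaway local CA stands in for ACM Private CA so the script runs offline; the hostname app.internal.example and the $WORK paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: pre-import checks for the files from
# Steps 2 and 5. A throwaway local CA stands in for ACM Private CA so this runs
# offline; the hostname and $WORK paths are constructed placeholders.
set -e
WORK=$(mktemp -d)
HOST=app.internal.example

# Stand-in for the private CA created in Step 1 (local, for the example only).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
  -subj "/CN=Example Private Root" \
  -keyout "$WORK/ca-key.pem" -out "$WORK/certchain.pem" 2>/dev/null

# Step 2, non-interactive and with a SAN: TLS clients match the hostname
# against subjectAltName, not the CN, so the CSR should carry it.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
  -addext "subjectAltName=DNS:$HOST" \
  -keyout "$WORK/private-key.pem" -out "$WORK/csr.pem" 2>/dev/null

# Stand-in for Steps 4 and 5 (issue-certificate / get-certificate): sign the
# CSR for 300 days, carrying the SAN into the issued certificate.
printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/csr.pem" -CA "$WORK/certchain.pem" \
  -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 300 \
  -extfile "$WORK/ext.cnf" -out "$WORK/certfile.pem" 2>/dev/null

# verify_bundle CERT CHAIN KEY HOSTNAME: the checks to run before Step 6.
# Returns 0 when the bundle is consistent, 1 with a reason on stderr otherwise.
verify_bundle() {
  # 1. The issued certificate must chain to the CA certificate(s) we will import.
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $2" >&2; return 1; }
  # 2. The private key must be the one whose public half is in the certificate;
  #    compare SHA-256 digests of the DER-encoded public keys.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$3" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "private key does not match certificate" >&2; return 1; }
  # 3. The SAN must cover the hostname the Route 53 record will point at.
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF "DNS:$4" \
    || { echo "subjectAltName does not include $4" >&2; return 1; }
  return 0
}

verify_bundle "$WORK/certfile.pem" "$WORK/certchain.pem" "$WORK/private-key.pem" "$HOST" \
  && echo "bundle is consistent; safe to run import-certificate (files in $WORK)"
```

If any check fails, fix the input (wrong key file, wrong chain, or a CSR without the hostname in its SAN) before running import-certificate, since ACM rejects a mismatched key and clients reject a certificate whose SAN does not name the host.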
Step 6: The actual import of the certificate:
There are two ways:
- Import manually in the AWS Certificate Manager console
- Import using the import-certificate command:
aws acm import-certificate --certificate fileb://certfile.pem --private-key file://private-key.pem --certificate-chain file://certchain.pem
Step 7:
Finally, attach the created private certificate to any AWS integrated service; in this case I will attach it to a target listener on port 443. A Route 53 A record for the domain needs to be configured as well.