【AWS CLI Samples】Private CA

Private CA
2024.05.06

The execution of commands is primarily verified in AWS Cloud9.
If you would like to provide command examples, please submit them through the contact form.
You may also use this form to request corrections for the listed command examples.

Create a root CA and a subordinate CA in different AWS accounts

[Account A] Create a root CA

config=$(cat <<EOM
{
    "KeyAlgorithm":"RSA_2048",
    "SigningAlgorithm":"SHA256WITHRSA",
    "Subject":{
       "Country":"US",
       "Organization":"Example Corp",
       "OrganizationalUnit":"Sales",
       "State":"WA",
       "Locality":"Seattle",
       "CommonName":"www.example.com"
    }
 }
EOM
)

aws acm-pca create-certificate-authority \
--certificate-authority-configuration "$config" \
--certificate-authority-type "ROOT" \
--usage-mode GENERAL_PURPOSE \
--region us-east-1

output

{
    "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"
}

by yuyu

[Account A] Install a certificate in the root CA

ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"

aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn $ca_arn \
--region us-east-1 \
--output text > ca.csr

cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $ca_arn \
--csr fileb://ca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--validity Value=365,Type=DAYS \
--query CertificateArn \
--region us-east-1 \
--output text)

aws acm-pca get-certificate \
--certificate-authority-arn $ca_arn \
--certificate-arn $cert_arn \
--region us-east-1 \
--output text > cert.pem

aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn $ca_arn \
--certificate fileb://cert.pem \
--region us-east-1

output

None

by yuyu

[Account B] Create a subordinate CA in a different region

config=$(cat <<EOM
{
    "KeyAlgorithm":"RSA_2048",
    "SigningAlgorithm":"SHA256WITHRSA",
    "Subject":{
       "Country":"US",
       "Organization":"Example Corp",
       "OrganizationalUnit":"Sales",
       "State":"WA",
       "Locality":"Seattle",
       "CommonName":"www.example.com"
    }
 }
EOM
)

aws acm-pca create-certificate-authority \
--certificate-authority-configuration "$config" \
--certificate-authority-type "SUBORDINATE" \
--region us-east-2

output

{
    "CertificateAuthorityArn": "arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"
}

by yuyu

[Account B] Issue a CSR for the certificate to be installed in the subordinate CA

subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"

aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn $subca_arn \
--region us-east-2 \
--output text > subca.csr

output

None

by yuyu

[Account A] Issue a certificate from the root CA to be installed in the subordinate CA

ca_arn="arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/11223344-1234-1122-2233-112233445566"

subca_cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $ca_arn \
--csr fileb://subca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
--validity Value=60,Type=DAYS \
--query CertificateArn \
--region us-east-1 \
--output text)

aws acm-pca get-certificate \
--certificate-authority-arn $ca_arn \
--certificate-arn $subca_cert_arn \
--region us-east-1 \
--output json > subca_cert.pem

cat subca_cert.pem | jq -r '.Certificate' > sub_cert.pem
cat subca_cert.pem | jq -r '.CertificateChain' > sub_chain.pem

output

None

by yuyu

[Account B] Install the certificate in the subordinate CA

subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"

aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn $subca_arn \
--certificate fileb://sub_cert.pem \
--certificate-chain fileb://sub_chain.pem \
--region us-east-2

output

None

by yuyu

Import a private certificate with an expiration date of 1 month (less than 13 months) into ACM

subca_arn="arn:aws:acm-pca:us-east-2:444455556666:certificate-authority/55667788-5678-3344-4455-778899001122"

openssl req -new -newkey rsa:2048 -nodes -keyout privatekey.key -out private.csr

cert_arn=$(aws acm-pca issue-certificate \
--certificate-authority-arn $subca_arn \
--csr fileb://private.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=30,Type="DAYS" \
--output text)

aws acm-pca get-certificate \
--certificate-authority-arn $subca_arn \
--certificate-arn $cert_arn \
--output json > ca_cert.pem

cat ca_cert.pem | jq -r '.Certificate' > cert.pem
cat ca_cert.pem | jq -r '.CertificateChain' > chain.pem

aws acm import-certificate \
--certificate fileb://cert.pem \
--private-key fileb://privatekey.key \
--certificate-chain fileb://chain.pem

output

{
    "CertificateArn": "arn:aws:acm:us-east-2:444455556666:certificate/cffb8a69-0817-4e04-bfb1-dac7426d6b90"
}

by yuyu

タイトルとURLをコピーしました