This article describes how to use AWS Certificate Manager Private CA (hereon, ACM) as the Root CA for a Vault PKI secrets engine that is expected to act as an Intermediate CA (hereon, ICA) when signing certificates.
Steps:
- Create, configure and install an AWS ACM Private CA. The screenshot below shows the AWS ACM console view of the active CA.
- Configure Vault via the UI.
- Enable the PKI secrets engine.
- Within PKI/configuration, click Configure CA.
- Fill in all the applicable values and generate a Certificate Signing Request (hereon, CSR); copy the CSR offline/locally. Don't forget to tick the settings shown below while generating the CSR, for compatibility.
- Install and configure the AWS CLI.
- Save the CSR as a cert_1.csr file in the current working directory.
- To sign the previously generated CSR (that is, to issue the Intermediate CA certificate), run:
aws acm-pca issue-certificate \
--certificate-authority-arn arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035 \
--csr fileb://cert_1.csr \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=365,Type="DAYS" \
--template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
--region=us-east-2
Note:
- --signing-algorithm must be compatible with the key algorithm of the Root CA you installed in AWS ACM (for example, SHA256WITHRSA for an RSA root; an ECDSA root needs one of the ...WITHECDSA values).
- --validity must be less than or equal to the remaining validity of the Root CA certificate that was selected during the Root CA certificate installation in AWS ACM; ACM rejects a request whose expiry would fall after the Root CA certificate's own expiry.
- --template-arn is required for this use case: it must be a SubordinateCACertificate template so that the issued certificate carries the CA:TRUE basic constraint. If it is omitted, ACM falls back to its default end-entity template and Vault will not be able to use the resulting certificate as an Intermediate CA. PathLen0 means the new ICA cannot itself sign further CAs. For thorough details, please refer to the articles attached at the end of this KB.
- --region is the AWS region in which the AWS ACM Root CA was created.
- An example output from the previous command:
{
"CertificateArn": "arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035/certificate/16a41ec3cc6a3490b45072a51fa0a8c7"
}
- Issuance is asynchronous; once the certificate is ready (aws acm-pca wait certificate-issued blocks until it is), retrieve the signed certificate by running:
aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035 \
--certificate-arn arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035/certificate/16a41ec3cc6a3490b45072a51fa0a8c7 \
--region=us-east-2 | jq -r '.Certificate' > cert.pem
- Copy the contents of the cert.pem generated in the previous step. The get-certificate output also contains a CertificateChain field holding the Root CA certificate; appending it to cert.pem lets Vault serve the full chain from its issue and sign operations.
- On the Vault UI, within PKI/configuration, click Set signed intermediate, paste the contents of cert.pem and click Save.
- Now Vault is configured as an Intermediate CA with AWS ACM as its Root CA. The following snippets are from the Vault UI, showcasing the Intermediate CA certificate.