Vault as an Intermediate CA with AWS Certificate Manager as the Root CA.

Avatar
Akash Gupta
  • Updated

This article describes how to implement AWS Certification Manager (hereon, ACM) as the Root CA for Vault that's expected to act as an Intermediate CA (hereon, ICA) in the signing of certificates.

Steps:

  • Create, configure, and install an AWS ACM Private CA. The diagram below demonstrates the AWS ACM Console View of the Active CA.

mceclip0.png

  • Configure Vault via UI.
    • Enable PKI secret engine.
    • Within PKI/configuration, click Configure PKI.
    • Select "Generate intermediate CSR" 
    • Fill all the possible values and generate a Certificate Signing Request (hereon, CSR), copy the CSR offline/locally. Don't forget to check mark below settings while generating CSR for compatibility.

mceclip0.png

  • Install and configure AWS CLI.
  • Create a cert_1.csr file in the current working directory.
  • To issue a certificate or sign the previously generated CSR, run:  
    aws acm-pca issue-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035 \
      --csr fileb://cert_1.csr \
      --signing-algorithm "SHA256WITHRSA" \
      --validity Value=365,Type="DAYS" \
      --template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
      --region=us-east-2

Note:

    • --signing-algorithm should be similar to what you've configured during the Root CA certificate installation in AWS ACM.
    • --validity should be under or equal to Root CA certificate validity which was selected during the Root CA certificate installation in AWS ACM.
    • --template-arn is necessary to use when issuing a certificate via AWS ACM. If not passed, the default will be selected. For thorough details, please refer to the articles attached at the end of this KB.
    • --region, AWS region ID where AWS ACM Root CA is created.
  • An example output from the previous command: 
    {
      "CertificateArn": "arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035/certificate/16a41ec3cc6a3490b45072a51fa0a8c7"
    }
  • To get a signed certificate proceed to run: 
    aws acm-pca get-certificate \
      --certificate-authority-arn arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035 \
      --certificate-arn arn:aws:acm-pca:us-east-2:401849981054:certificate-authority/d16329b2-5867-4a0f-a8d9-fb0d0be80035/certificate/16a41ec3cc6a3490b45072a51fa0a8c7 \
      --region=us-east-2 | jq -r .'Certificate' > cert.pem
  • Copy the contents of cert.pem generated from the previous step.
  • On Vault UI, within PKI/configuration clicked Set signed intermediate and paste the content of cert.pem and click save.
  • Now, Vault is configured as Intermediate CA with AWS ACM as its Root CA. The following snippets are from Vault UI showcasing the Intermediate CA certificate.

mceclip2.png

mceclip5.png

mceclip4.png

Reference Articles:

  1. Vault - Generate Intermediate CA
  2. What is ACM Private CA?
  3. Issuing private end-entity certificates
  4. Understanding certificate templates
  5. Getting started with the AWS CLI

Articles in this section

See more

Related articles