Arun Kumar for AWS Community Builders

ACM PCA implementation

Goal

Generate private cert for all accounts so that all internal applications can use this cert.

Analysis

TLDR

a. Choose one account to host a single Root CA and another account to host a single Subordinate CA. Use only ACM-generated certificates so that they are eligible for managed renewal.

b. Give other accounts permission to request Private Certificates, to export them, and then to import them into ACM or Secrets Manager in their own account. For on-premise, after issuing a Private Certificate, export it and then store it in an on-premise Vault.

c. Renew by repeating step (b) after the certificates are renewed in the central account.

d. With this arrangement, the cost will be 2 x $400 plus $0.75 per Private Certificate stored in ACM, which is less than hosting ACM PCA in every account.

Long story

First off, there are two types of ACM PCA certificate:

a) Generated by ACM (“ACM private CA”), you must use Root CA in ACM PCA

b) Imported from on-prem PKI (“External private CA”), you must import a CA certificate signed by a Root CA that you own on-premise. ACM will generate a CSR for you. Note that this will not be eligible for managed renewal.

  • Root CA in ACM PCA will always use certificate generated by ACM.

  • For both types of PCA certificate, you can get their certificate body and certificate chain in PEM format, suitable for web servers such as Apache and Nginx. Root CA doesn’t have cert chain (because it has no parent) so you can only get its certificate body.

  • A PCA certificate imported from on-prem PKI means you have its private key (case (b) above).

The main reasons you want PCA in ACM are:

a) You want to produce end-entity Private Certificate signed by ACM PCA for use in AWS resources such as ELB, Cloudfront, and API GW

b) You want ACM to manage renewal for you

Private Certificate signed by ACM PCA can be exported. You will be able to download its certificate body, chain, and passphrase-protected private key, all in PEM format.

Pricing Estimates

a. $400 per PCA “hosted” in ACM per month
[https://aws.amazon.com/certificate-manager/pricing/]

b. $0.75 per Private Certificate created in ACM (first 1000 cert)

  • Now you want to use certificates in the other accounts while keeping cost to a minimum (i.e. as few PCAs hosted in ACM as possible).

  • For a Production environment, best practice is to minimize use of the Root CA by having at least one Subordinate CA sign the end-entity certificates. So Root CA > Subordinate CA > End-entity Certificate. In the ACM PCA case: ACM Root PCA > ACM Subordinate PCA > ACM Private Certificate. You may have more than one level of Subordinate CA depending on the hierarchy of the organization and to allow delegation.

  • The most cost effective way to achieve this is to centralize the PCAs in a single account, and provide cross-account permission for other accounts to request private certificates. The other accounts then will export the Private Certificate, and then:

a) Import it as an ACM certificate in its own account so you can use it with ELB, Cloudfront, or API GW.

b) Store the cert body, private key, and chain in Secrets Manager for use with applications in EC2 instances such as Apache.

Ref

[https://forums.aws.amazon.com/thread.jspa?threadID=291254]

  • Note you can narrow down the permission to use CA for least privilege.

  • For on-premise, you will export the Private Cert and then store it in on-premise secret management solution like Vault. There is no cost associated once you have exported the Private Certificate.

Compliance Validation

Third-party auditors assess the security and compliance of AWS Certificate Manager Private Certificate Authority as part of multiple AWS compliance programs. These include SOC, PCI, FedRAMP, HIPAA, and others.

[https://docs.aws.amazon.com/acm-pca/latest/userguide/security-compliance-validation.html]

Design

In one Account, you would have

  • One Root ACM PCA with long expiry, say 10 yrs

In another account, you would have

  • One Subordinate ACM PCA with shorter expiry, say 5 yrs
    Requested Private Certificates in ACM signed by the PCA in this same account

  • All of the above will be eligible for managed renewal. Because the Private Certificates are not associated with any ELB in the Automation accounts, they need to be exported to be eligible for managed renewal.

In the destination account, you would have:

  • Imported Private Certificates in ACM to use with ELB.

  • Note — Imported certs are not automatically managed for renewal by ACM.

For rotation of keys, if it is Managed Rotation, the cert will be automatically rotated by ACM a month before expiry. The cert has to be ACM-generated (ACM has access to the private key).

For OnPrem, you would have to rotate it manually as they won’t be managed by ACM.

Notification will be sent to the account email address one month before expiry.

The associated cost will be 2 x $400 / month, plus $0.75 per private certificate in Automation and other accounts, and no cost for any exported certificates being used on-prem.

Note: After managed renewal, the other accounts have to export the Private Certificate from the Source account and re-import it into ACM or Secrets Manager in their destination accounts. We can also write an Automation Document or Lambda function to automate this process. Apps in EC2 instances will need to be restarted after that.
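A sketch of the re-import step such a Lambda function could run, added here as an example and not taken from the original post. It assumes `source_acm` and `dest_acm` are boto3 ACM clients created with credentials for the central and destination accounts; the function names `resync_certificate` and `decrypt_pem_key` are hypothetical, and the key decryption uses the third-party `cryptography` package.

```python
import secrets


def decrypt_pem_key(encrypted_pem: bytes, passphrase: bytes) -> bytes:
    """ACM exports a passphrase-protected key, but ImportCertificate only
    accepts an unencrypted one, so the passphrase is stripped in memory."""
    from cryptography.hazmat.primitives import serialization as ser  # third-party
    key = ser.load_pem_private_key(encrypted_pem, password=passphrase)
    return key.private_bytes(ser.Encoding.PEM, ser.PrivateFormat.PKCS8,
                             ser.NoEncryption())


def resync_certificate(source_acm, dest_acm, source_arn, dest_arn,
                       decrypt=decrypt_pem_key) -> bool:
    """Re-import the central account's certificate into the destination
    account if it was renewed. Returns True when a re-import happened."""
    src = source_acm.describe_certificate(CertificateArn=source_arn)["Certificate"]
    dst = dest_acm.describe_certificate(CertificateArn=dest_arn)["Certificate"]
    # Managed renewal issues a new certificate, so the serial number changes.
    if src["Serial"] == dst["Serial"]:
        return False

    # One-time passphrase that never leaves this process. The alphabet is
    # A-Z a-z 0-9 - _, which avoids the characters ACM rejects (#, $, %).
    passphrase = secrets.token_urlsafe(32).encode()
    exported = source_acm.export_certificate(CertificateArn=source_arn,
                                             Passphrase=passphrase)
    # Passing the existing ARN replaces the imported certificate in place,
    # so resources that reference dest_arn keep their association.
    dest_acm.import_certificate(
        CertificateArn=dest_arn,
        Certificate=exported["Certificate"].encode(),
        PrivateKey=decrypt(exported["PrivateKey"].encode(), passphrase),
        CertificateChain=exported["CertificateChain"].encode(),
    )
    return True
```

The role that runs this needs only `acm:DescribeCertificate` and `acm:ExportCertificate` on the source certificate and `acm:DescribeCertificate` and `acm:ImportCertificate` on the destination one.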

Limitation

AWS supports cross-account PCAs, but there is a limitation.

You can configure the Subordinate CA in a centralised account, request and export the certs in the same account, and finally import them into a destination account. This gets the certs into your destination accounts. The only limitation is that ACM doesn’t provide managed renewal for imported certificates. There are no timelines as of now for this feature request.

Validate certificate in browser

  • Download the RootCA certificate.
  • Upload the certificate to your Keychain Access
  • Go to Trust -> Always Trust

Revoke the Certificate

Requested Certs can be revoked using CLI or API.

CLI:

[https://docs.aws.amazon.com/cli/latest/reference/acm-pca/revoke-certificate.html]

API:

[https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_RevokeCertificate.html]

Imported certificates are handled by the third-party CA that you requested your certificate from. You will not be able to revoke the certificate directly from ACM. However, you can delete the certificate from ACM.
