I want to install AWS Private Certificate Authority root and subordinate CA certificates in different AWS accounts or AWS Regions.
Short description
You can use AWS Private CA to host a private root CA or a private subordinate CA. You can use the AWS Management Console to create a private root CA or a subordinate CA and to install the CA certificate that AWS Private CA hosts. However, the console can install a subordinate CA certificate only when the private root CA and the subordinate CA are in the same account and Region.
To install a subordinate CA certificate whose parent CA is in a different account or Region, you must use the AWS Command Line Interface (AWS CLI) or API: export the subordinate CA's certificate signing request (CSR), sign it with the parent CA, and then import the resulting certificate into the subordinate CA.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Resolution
Note:
- The following example assumes that you created a private root CA in region1 (account1) and that the subordinate CA is in region2 (account2).
- The parent CA in the example is a private root CA.
- To use SDKs to make API calls, see the AWS Private CA API reference.
- Replace region1, region2, account1, account2, ROOT_CA_ID, and SUB_CA_ID with your Regions, account IDs, and CA IDs.
Create a private subordinate CA in different accounts or Regions
Use the AWS Management Console or AWS CLI to create a subordinate CA in region2. The subordinate CA stays in the PENDING_CERTIFICATE status until you import its signed certificate in the last step.
The following example uses region1 to create a private root CA. The private root CA in region1 then issues the certificate for the private subordinate CA in region2.
Install the CA certificate for the private root CA
Use the AWS Management Console or AWS CLI to install the self-signed private root CA certificate in region1. The root CA must be active before it can sign the subordinate CA's CSR.
Get the CSR from the subordinate CA
To get the certificate signing request (CSR) from the subordinate CA, run the AWS CLI command get-certificate-authority-csr:
$ aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn arn:aws:acm-pca:region2:account2:certificate-authority/SUB_CA_ID \
--output text \
--region region2 > sub_ca.csr
Use the private root CA in region1 to issue the private subordinate CA certificate
Use the private root CA to sign the CSR and issue the subordinate CA certificate. This call targets the root CA in account1, so run it with credentials that are authorized in account1 (for example, a separate AWS CLI profile). The signing algorithm must match the root CA's key type: SHA256WITHRSA applies to an RSA root; use an ECDSA algorithm for an EC root. The validity that you request can't exceed the remaining validity of the root CA certificate. The command returns the ARN of the new certificate, which you need in the next step.
Run the AWS CLI command issue-certificate:
$ aws acm-pca issue-certificate \
--certificate-authority-arn arn:aws:acm-pca:region1:account1:certificate-authority/ROOT_CA_ID \
--csr fileb://sub_ca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/subordinateCAcertificate_PathLen0/V1 \
--validity Value=1095,Type=DAYS \
--region region1
Note: The preceding template sets a path length constraint of 0, so the resulting subordinate CA can issue only end-entity certificates, not further subordinate CA certificates. If you need a deeper hierarchy, choose a subordinate CA template with a longer path length. For a list of all AWS Private CA supported template types, see Understanding certificate templates.
Get the subordinate CA certificate from the private root CA in region1
- Run the AWS CLI command get-certificate (issue-certificate is asynchronous, so the certificate might not be available immediately; you can run aws acm-pca wait certificate-issued with the same ARNs first):
$ aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region1:account1:certificate-authority/ROOT_CA_ID \
--certificate-arn arn:aws:acm-pca:region1:account1:certificate-authority/ROOT_CA_ID/certificate/SUB_CERTIFICATE_ID \
--output text \
--region region1 > sub_ca_cert.pem
Example sub_ca_cert.pem file (with --output text, the Certificate and CertificateChain fields are separated by a tab, so the last line of the subordinate CA certificate and the first line of the chain appear on the same line, and the file isn't valid PEM until you split it):
-----BEGIN CERTIFICATE-----
.....Content of your subordinate CA certificate......
-----END CERTIFICATE-----	-----BEGIN CERTIFICATE-----
.....Content of your parent root CA certificate (chain)......
-----END CERTIFICATE-----
- The first block of text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the body of the subordinate CA certificate. Enter this block of text into a new file, and then save the file as sub_ca_cert_body.pem.
Note: You can also write each field to its own file directly with the AWS CLI --query option (run get-certificate twice, once with --query Certificate --output text and once with --query CertificateChain --output text), or use the command-line JSON processor, jq, to parse the certificate and chain into their own files. For more information about how to use jq with the get-certificate AWS CLI command, see Issue a certificate with a custom subject name using an APIPassthrough template.
- The second block of text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the certificate chain for the subordinate CA certificate. The certificate chain contains the certificate of the issuing private root CA. Enter this block of text into a new file, and then save the file as sub_ca_cert_chain.pem.
Install the subordinate CA certificate in region2
Run the AWS CLI command import-certificate-authority-certificate:
$ aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn arn:aws:acm-pca:region2:account2:certificate-authority/SUB_CA_ID \
--certificate fileb://sub_ca_cert_body.pem \
--certificate-chain fileb://sub_ca_cert_chain.pem \
--region region2
The subordinate CA certificate installation is now complete. The subordinate CA in region2 changes to the ACTIVE status, and you can use it to issue private end-entity certificates even though its root CA is in a different account and Region.
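The following script is an added example that is not part of the AWS article. It wraps the steps above (get the CSR, issue the certificate with the root CA, fetch the body and chain, check them, import into the subordinate CA) in shell functions, and it shows how to split a sub_ca_cert.pem bundle that get-certificate --output text wrote, where the END line of the certificate and the BEGIN line of the chain share a line. The ARNs, Regions, and the two AWS CLI profile names (one for account1, one for account2) are placeholders you replace, and the PEM bundle at the bottom is constructed to mirror the example file, not a real certificate.

```shell
#!/usr/bin/env bash
# Added example (not code from the AWS article). ARNs, Regions and the
# AWS CLI profile names are placeholders; the PEM bundle at the bottom is
# constructed and holds no real certificate.
set -eu

# pem_block_count FILE: number of -----BEGIN CERTIFICATE----- blocks in FILE.
pem_block_count() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_pem_bundle BUNDLE BODY_OUT CHAIN_OUT
# `get-certificate --output text` prints Certificate and CertificateChain
# tab-separated, so the last line of the body and the first line of the
# chain share one line. Put the first block into BODY_OUT, every later
# block into CHAIN_OUT, and print the number of blocks found.
split_pem_bundle() {
  bundle="$1"; body="$2"; chain="$3"
  : > "$body"; : > "$chain"
  awk '{ gsub(/-----BEGIN CERTIFICATE-----/, "\n&"); print }' "$bundle" \
  | awk -v body="$body" -v chain="$chain" '
      { sub(/[ \t\r]+$/, "") }              # drop the separator left on the END line
      NF == 0 { next }                       # drop blank lines introduced above
      /-----BEGIN CERTIFICATE-----/ { n++ }
      n == 1 { print > body }
      n >= 2 { print > chain }
      END { print n + 0 }'
}

# check_sub_ca_cert BODY CHAIN: sanity checks before import. Structural
# checks always run; when openssl is present, also confirm that BODY is a
# CA certificate and that it verifies against CHAIN.
check_sub_ca_cert() {
  body="$1"; chain="$2"
  [ "$(pem_block_count "$body")" -eq 1 ] || { echo "body must hold exactly one certificate" >&2; return 1; }
  [ "$(pem_block_count "$chain")" -ge 1 ] || { echo "chain is empty" >&2; return 1; }
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in "$body" -noout -text | grep -q 'CA:TRUE' \
      || { echo "body is not a CA certificate" >&2; return 1; }
    openssl verify -CAfile "$chain" "$body" >/dev/null || return 1
  fi
}

# issue_and_install_sub_ca ROOT_CA_ARN ROOT_REGION ROOT_PROFILE SUB_CA_ARN SUB_REGION SUB_PROFILE
# Runs the article's steps end to end. Two profiles are used because the
# root CA lives in account1 and the subordinate CA in account2; each call
# must run with credentials authorized in that CA's own account.
issue_and_install_sub_ca() {
  root_arn="$1"; root_region="$2"; root_profile="$3"
  sub_arn="$4"; sub_region="$5"; sub_profile="$6"
  workdir="$(mktemp -d)"

  # 1. CSR from the subordinate CA (account2 / region2)
  aws acm-pca get-certificate-authority-csr --certificate-authority-arn "$sub_arn" \
    --region "$sub_region" --profile "$sub_profile" --output text > "$workdir/sub_ca.csr"

  # 2. Sign it with the root CA (account1 / region1). SHA256WITHRSA assumes an
  #    RSA root key; PathLen0 means the new CA issues end-entity certs only.
  cert_arn="$(aws acm-pca issue-certificate --certificate-authority-arn "$root_arn" \
    --csr "fileb://$workdir/sub_ca.csr" --signing-algorithm SHA256WITHRSA \
    --template-arn arn:aws:acm-pca:::template/subordinateCAcertificate_PathLen0/V1 \
    --validity Value=1095,Type=DAYS --region "$root_region" --profile "$root_profile" \
    --query CertificateArn --output text)"

  # 3. Issuance is asynchronous; wait, then fetch body and chain as separate
  #    files with --query instead of splitting a combined text bundle.
  aws acm-pca wait certificate-issued --certificate-authority-arn "$root_arn" \
    --certificate-arn "$cert_arn" --region "$root_region" --profile "$root_profile"
  for field in Certificate CertificateChain; do
    aws acm-pca get-certificate --certificate-authority-arn "$root_arn" \
      --certificate-arn "$cert_arn" --region "$root_region" --profile "$root_profile" \
      --query "$field" --output text > "$workdir/$field.pem"
  done
  check_sub_ca_cert "$workdir/Certificate.pem" "$workdir/CertificateChain.pem"

  # 4. Import into the subordinate CA (account2 / region2); it becomes ACTIVE.
  aws acm-pca import-certificate-authority-certificate --certificate-authority-arn "$sub_arn" \
    --certificate "fileb://$workdir/Certificate.pem" \
    --certificate-chain "fileb://$workdir/CertificateChain.pem" \
    --region "$sub_region" --profile "$sub_profile"
}

# Demo on a constructed bundle shaped like the article's sub_ca_cert.pem:
# two placeholder blocks, joined by the tab that --output text emits.
DEMO_DIR="$(mktemp -d)"
printf '%s\n%s\n%s\t%s\n%s\n%s\n' \
  '-----BEGIN CERTIFICATE-----' 'U1VCQ0E=' '-----END CERTIFICATE-----' \
  '-----BEGIN CERTIFICATE-----' 'Uk9PVA==' '-----END CERTIFICATE-----' \
  > "$DEMO_DIR/sub_ca_cert.pem"
DEMO_BLOCKS="$(split_pem_bundle "$DEMO_DIR/sub_ca_cert.pem" "$DEMO_DIR/sub_ca_cert_body.pem" "$DEMO_DIR/sub_ca_cert_chain.pem")"
echo "blocks found: $DEMO_BLOCKS"
# To run the real procedure, call, for example:
# issue_and_install_sub_ca "$ROOT_CA_ARN" region1 account1-profile "$SUB_CA_ARN" region2 account2-profile
```

The splitter is the fallback for a bundle you already saved; for new runs, fetching Certificate and CertificateChain with --query avoids the split entirely. check_sub_ca_cert is worth keeping in either path: importing a body that is not a CA certificate, or a chain that does not verify it, is rejected by the API, and catching it locally first gives a clearer error.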
Related information
Planning for resilience
Give the root CA its own AWS account