How do I install AWS Private CA root and subordinate CAs in different accounts or Regions?


I want to install AWS Private Certificate Authority root and subordinate CA certificates in different AWS accounts or AWS Regions.

Short description

You can use AWS Private CA to host a private root CA or a private subordinate CA. You can use the AWS Management Console to create and install a private root CA or a subordinate CA certificate that AWS Private CA hosts. However, the private root CA and subordinate CA must be in the same account and Region.

Because the AWS Management Console can't install a certificate in a different account or Region, you must use the AWS Command Line Interface (AWS CLI) or the API.

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Resolution

Note:

  • The following example assumes that you created a Private CA in region1.
  • The example uses a private root CA as the CA type.
  • To use SDKs to make API calls, see the AWS Private CA API reference.
  • Replace region1 and region2 with your Regions.

Create a private subordinate CA in different accounts or Regions

Use the AWS Management Console or AWS CLI to create a subordinate CA.

The following example uses region1 to create a private root CA. The example uses the private root CA in region1 to issue a private subordinate CA in region2.

Install the CA certificate for the private root CA

Use the AWS Management Console or AWS CLI to install the private root CA certificate.

Get the CSR from the subordinate CA

To get the certificate signing request (CSR) from the subordinate CA, run the AWS CLI command get-certificate-authority-csr:

$ aws acm-pca get-certificate-authority-csr \
     --certificate-authority-arn arn:aws:acm-pca:region2:account2:certificate-authority/SUB_CA_ID \
     --output text \
     --region region2 > sub_ca.csr

Use the private root CA in region1 to issue the private subordinate CA certificate

Use the private root CA to sign the CSR, and then use the private root CA to issue the subordinate CA certificate.

Run the AWS CLI command issue-certificate:

$ aws acm-pca issue-certificate \
     --certificate-authority-arn arn:aws:acm-pca:region1:account1:certificate-authority/ROOT_CA_ID \
     --csr fileb://sub_ca.csr \
     --signing-algorithm SHA256WITHRSA \
     --template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
     --validity Value=1095,Type=DAYS \
     --region region1

Note: A subordinate CA that's issued with the preceding template can issue only end-entity certificates because the template sets a path length of 0. For a list of all template types that AWS Private CA supports, see Understanding certificate templates.

Get the subordinate CA certificate from the private root CA in region1

  1. Run the AWS CLI command get-certificate:

    $ aws acm-pca get-certificate \
         --certificate-authority-arn arn:aws:acm-pca:region1:account1:certificate-authority/ROOT_CA_ID \
         --certificate-arn arn:aws:acm-pca:region1:account1:certificate-authority/ROOT_CA_ID/certificate/SUB_CERTIFICATE_ID \
         --output text \
         --region region1 > sub_ca_cert.pem

    Example sub_ca_cert.pem file:

    -----BEGIN CERTIFICATE-----
    .....Content of your subordinate CA certificate......
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .....Content of your parent root CA certificate (chain)......
    -----END CERTIFICATE-----
  2. The first block of text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the body of the subordinate CA certificate. Enter this block of text into a new file, and then save the file as sub_ca_cert_body.pem.
    Note: You can also use the command-line JSON processor, jq, to parse the certificate and chain into their own files. For more information about how to use jq with the get-certificate AWS CLI command, see Issue a certificate with a custom subject name using an APIPassthrough template.

  3. The second block of text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- is the certificate chain for the subordinate CA certificate. The certificate chain contains the certificate of the issuing private root CA. Enter this block of text into a new file, and then save the file as sub_ca_cert_chain.pem.
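The following shell script is an added example (not part of the AWS article) that automates steps 2 and 3: it splits the get-certificate output into the body file (first PEM block) and the chain file (every later block), strips the leading whitespace that the example file above shows, and sanity-checks the result. The file names and the constructed sample bundle in the demo are assumptions; the script does not call the AWS CLI.

```shell
#!/bin/sh
# Split a PEM bundle as written by `get-certificate --output text`:
# block 1 is the subordinate CA certificate body, blocks 2..n are the chain
# (the issuing root CA, plus any intermediates if the chain is longer).
# Usage: split_pem_bundle sub_ca_cert.pem sub_ca_cert_body.pem sub_ca_cert_chain.pem
split_pem_bundle() {
    bundle=$1; body=$2; chain=$3
    awk -v body="$body" -v chain="$chain" '
        { sub(/^[ \t]+/, "") }                  # drop indentation from pasted output
        /^-----BEGIN CERTIFICATE-----$/ { n++ } # start of the n-th certificate
        n == 1 { print > body; next }           # first block -> certificate body
        n >= 2 { print > chain }                # remaining blocks -> chain
    ' "$bundle"
}

# Number of PEM certificate blocks in a file; the body must hold exactly 1
# and the chain at least 1 before import-certificate-authority-certificate.
pem_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Returns 0 when the split produced a single-certificate body and a non-empty chain.
check_split() {
    [ "$(pem_block_count "$1")" -eq 1 ] && [ "$(pem_block_count "$2")" -ge 1 ]
}

# Demo on a constructed bundle (placeholder base64, not real certificates).
# Alternatively, select the response fields directly:
#   aws acm-pca get-certificate ... --query Certificate --output text
#   aws acm-pca get-certificate ... --query CertificateChain --output text
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' '    MIIBsubordinatePLACEHOLDER' \
    '    -----END CERTIFICATE-----' '    -----BEGIN CERTIFICATE-----' \
    'MIIBrootPLACEHOLDER' '-----END CERTIFICATE-----' > "$demo_dir/sub_ca_cert.pem"
split_pem_bundle "$demo_dir/sub_ca_cert.pem" \
    "$demo_dir/sub_ca_cert_body.pem" "$demo_dir/sub_ca_cert_chain.pem"
check_split "$demo_dir/sub_ca_cert_body.pem" "$demo_dir/sub_ca_cert_chain.pem" \
    && echo "split OK: body and chain written to $demo_dir"
```

With real certificates, `openssl verify -CAfile sub_ca_cert_chain.pem sub_ca_cert_body.pem` confirms that the body chains to the root before you import it.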

Install the subordinate CA certificate in region2

Run the AWS CLI command import-certificate-authority-certificate:

$ aws acm-pca import-certificate-authority-certificate \
     --certificate-authority-arn arn:aws:acm-pca:region2:account2:certificate-authority/SUB_CA_ID \
     --certificate fileb://sub_ca_cert_body.pem \
     --certificate-chain fileb://sub_ca_cert_chain.pem \
     --region region2

The subordinate CA certificate installation is now complete, and you can issue private end-entity certificates in different accounts and Regions.

Related information

Planning for resilience

Give the root CA its own AWS account

AWS OFFICIAL, updated 9 months ago