
Using a subordinate certificate authority from ACM Private CA for mTLS client certificate authentication with MSK

0

To use mTLS for authentication to AWS managed Kafka (MSK), you need to use an AWS private certificate authority to generate the client certificates, as per this document:

https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

Is it possible to generate a subordinate certificate authority from the Private CA that MSK trusts and generate the client certificates from that subordinate CA with another tool?

3 answers
0

As per https://github.com/aws-samples/amazon-msk-client-authentication,

Amazon MSK utilizes AWS Certificate Manager Private Certificate Authority (ACM PCA) for TLS mutual authentication. For information about Private Certificate Authorities, see Creating and Managing a Private CA and see Certificate Authority for information on Certificate Authorities. The PCA can either be a root Certificate Authority (CA) or a subordinate Certificate Authority. If it is a root CA, you need to install a self-signed certificate (the console provides an easy mechanism to do that). If it is a subordinate CA, you can either choose an ACM PCA root or subordinate CA as the parent or an external CA (in this case, the external CA, which can be your own CA, will issue the certificate that will be installed as the PCA certificate and become part of the certificate chain). In addition, for Amazon MSK to be able to use the ACM PCA, it needs to be in the same AWS account as the Amazon MSK cluster. However, the Apache Kafka clients, for example, the producers and consumers, schema registries, Kafka Connect or other Apache Kafka tools that need the end-entity certificates can be in an AWS account different from the AWS account that the ACM PCA is in. In that scenario, in order to be able to access the ACM PCA, they need to assume a role in the account the ACM PCA is in that has the required permissions.

Subordinate certificates will work; however, the root for that chain has to be part of the cluster association.

Answered 3 years ago
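As an added local check (not code from the thread, from AWS, or from the linked samples), the following openssl script builds a constructed root, subordinate and client certificate chain and shows that a client certificate issued by the subordinate verifies only when the root of that chain is the trust anchor, which is the point made in the answer above. The CA names and the client CN are made up.

```shell
#!/bin/sh
# Added demo, not code from the thread or from AWS: build a root -> subordinate
# -> client chain locally with openssl and check which trust anchor validates
# the client certificate. All names (Demo Root CA, Demo Sub CA,
# kafka-producer-1) are constructed.
set -e
WORK="$(mktemp -d)"

# Root CA (stands in for the ACM Private CA the MSK cluster is associated with).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
  -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

# Subordinate CA signed by the root; pathlen:0 so it may only issue end-entity certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 1825 -extfile "$WORK/sub.ext" -out "$WORK/sub.pem" 2>/dev/null

# Client (end-entity) certificate issued by the subordinate, e.g. for a Kafka producer.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kafka-producer-1" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
  -days 365 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null

# verify_chain ANCHOR: succeeds only if client.pem chains, via sub.pem, to a
# self-signed root in ANCHOR. openssl rejects partial chains by default, so
# handing it only the subordinate as the anchor fails ("unable to get issuer
# certificate"): the root of the chain is what the verifier has to trust.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$WORK/sub.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# has_client_auth: the end-entity cert must carry the clientAuth EKU for mTLS.
has_client_auth() {
  openssl x509 -in "$WORK/client.pem" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'
}

verify_chain "$WORK/root.pem" && echo "root as trust anchor: client chain verifies"
verify_chain "$WORK/sub.pem" || echo "subordinate alone as trust anchor: rejected by default"
has_client_auth && echo "client cert carries clientAuth EKU"
```

The same `openssl verify -CAfile <root> -untrusted <subordinate> <client>` check is worth running against certificates issued by a real subordinate before loading them into a Kafka client keystore.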
0

Here's the step by step to use subordinate CA: https://github.com/aws-samples/msk-third-party-mtls.

Answered 2 years ago
0

Hello,

Per AWS documentation, it is possible to create up to four levels of subordinate certificates with AWS private CA. A subordinate certificate authority can sign other certificates subordinate to it, and end-entities can receive their certificate from these subordinate certificate authorities. In short, yes, it is possible to generate a subordinate certificate authority from AWS private CA, and end-entities such as MSK can get their certificate from these subordinate certificate authorities.

Please note, "AWS highly recommends using independent AWS Private CA for each MSK cluster when you use mutual TLS to control access. Doing so will ensure that TLS certificates signed by PCAs only authenticate with a single MSK cluster."

For further information, please refer to the following AWS documentation.

Reference

[1] MSK cluster that supports client authentication: https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html
[2] AWS private CA: https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html

AWS
Answered a year ago
