Ir para o conteúdo
Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post
sobre o re:Post

Using an Intermediate CA with IAM Roles Anywhere

0

I've created a private CA with an intermediate CA signed by the root CA and a user signed by the intermediate. The certs are valid, if I sign a user cert with the root CA, it works and AWS creds are returned, following the exact same process with the user cert signed by the intermediate CA yields a 403 AccessDeniedException.

The intermediate Trust Anchor was created with the cert chain, I've tried with the root above and below the intermediate cert. I've tried with and without a "root" Trust Anchor containing just the root cert.

The documentation doesn't describe the use case I'm attempting to make work, but the aws_signing_helper has an option --intermediates that I've supplied with the full chain, just the intermediate and just the root... all result in the 403.

I am exploring this feature so I can be confident about discussing it with colleagues & customers, the fact that there are no references to intermediate CAs in the docs may well be because this isn't supported, but it'd be nice if the docs reflected that - it doesn't seem an reasonable use of the IAM Roles Anywhere service?

Thanks in advance for thoughts or guidance from the community.

Tópicos
Segurança, identidade e conformidade
Tags
AWS Identity and Access ManagementSegurança, identidade e conformidade
Idioma
English
feita há 4 anos1,1 mil visualizações
2 Respostas
0

3 years later and I have the exact same issue. Trusting an intermediate certificate is an incorrect answer. I need to be able to trust certificates signed by any intermediate from the root. That's the point of trusting the root. The --intermediates option does not help at all, as rswift described.

respondido há 9 meses
-1

Intermediate CAs are supported by Roles Anywhere. I have successfully tested this with a private CA setup with a Root and Subordinate CA. A chain certificate comprising the Subordinate CA and Root CA was imported into Roles Anywhere as Trust Anchor. Then, an end entity certificate issued by the Subordinate CA was then used to authenticate successfully with Roles Anywhere without the --intermediates option.

AWS
respondido há 4 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Conteúdo relevante