Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Using an Intermediate CA with IAM Roles Anywhere

0

I've created a private CA with an intermediate CA signed by the root CA and a user signed by the intermediate. The certs are valid, if I sign a user cert with the root CA, it works and AWS creds are returned, following the exact same process with the user cert signed by the intermediate CA yields a 403 AccessDeniedException.

The intermediate Trust Anchor was created with the cert chain, I've tried with the root above and below the intermediate cert. I've tried with and without a "root" Trust Anchor containing just the root cert.

The documentation doesn't describe the use case I'm attempting to make work, but the aws_signing_helper has an option --intermediates that I've supplied with the full chain, just the intermediate and just the root... all result in the 403.

I am exploring this feature so I can be confident about discussing it with colleagues & customers, the fact that there are no references to intermediate CAs in the docs may well be because this isn't supported, but it'd be nice if the docs reflected that - it doesn't seem an reasonable use of the IAM Roles Anywhere service?

Thanks in advance for thoughts or guidance from the community.

Topics
Security, Identity, & Compliance
Tags
AWS Identity and Access ManagementSecurity, Identity, & Compliance
Language
English
asked 4 years ago1.1K views
2 Answers
0

3 years later and I have the exact same issue. Trusting an intermediate certificate is an incorrect answer. I need to be able to trust certificates signed by any intermediate from the root. That's the point of trusting the root. The --intermediates option does not help at all, as rswift described.

answered 8 months ago
-1

Intermediate CAs are supported by Roles Anywhere. I have successfully tested this with a private CA setup with a Root and Subordinate CA. A chain certificate comprising the Subordinate CA and Root CA was imported into Roles Anywhere as Trust Anchor. Then, an end entity certificate issued by the Subordinate CA was then used to authenticate successfully with Roles Anywhere without the --intermediates option.

AWS
answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content