Support for Connected Car Consortium (CCC) certificates?

0

Does AWS Private CA support Connected Car Consortium (CCC) certificates? And if yes, how do you create a test one?

1 Answer
0
Accepted Answer

Hello,

From the query I understand that you would like to know if AWS Private CA supports Connected Car Consortium (CCC) certificates.

I am of the understanding that the Car Connectivity Consortium (CCC) is a standards-based organization designed to interoperate technologies whose goal is to promote in-vehicle connectivity solutions that use portable devices, including the Terminal Mode standard, as well as future technologies such as Near Field Communication (NFC).

Going through the Technical specification documentation [1], I see that CCC recommends the use of X.509 version 3 certificates. AWS Private CA supports X.509 version 3 certificates only and meets this requirement. Below are some of the other specifications I was able to see:

  • Application Certificate - The signing Certification Authority should set an expiration date of 10 years from the date of signing, but it shall not be longer than the expiration date of the signing root or intermediate certificate. Application Certificates shall use 2048-bit RSA keys with SHA-256 or SHA-512 signature algorithms.

  • Intermediate Certificate - The Intermediate certificate, which is signed by the CCC root CA, shall have a Common Name (CN) in the issuer information, identical to "ACMS CA"; otherwise the certificate shall not be accepted. A valid example issuer information is given below: Issuer: O=Car Connectivity Consortium, CN=ACMS CA

    An Intermediate Certificate should have an expiration date of 20 years and any Intermediate Certificate shall use 4096-bit RSA keys with SHA-512 signature algorithms.

  • Root Certificate - Expiration date of the root certificate shall be 20 years from the date of signing. Root Certificate shall use 4096-bit RSA keys with SHA-512 signature algorithms.

Looking into the above specification, you can create certificate authorities on AWS Private CA with "RSA_2048" and "RSA_4096" Private Key Algorithms. In addition, it supports "SHA256WITHRSA" and "SHA512WITHRSA" signing algorithms as well. To check all the AWS Private CA supported algorithms, please refer to [2]. This list applies only to certificates issued directly by AWS Private CA through its console, API, or command line. When AWS Certificate Manager issues certificates using a CA from AWS Private CA, it supports some but not all of these algorithms.

Coming to the validity of Private certificates, you can use the "IssueCertificate" API/CLI to issue certificates with custom validity (e.g. 10 years, 20 years etc.). You can refer to the document [3] for more information regarding this.

Hence, based on the requirements and the supported algorithms of AWS Private CA, you can make use of AWS Private CA to create a hierarchy as mentioned in Technical Specifications documents.

Finally, regarding custom extensions, you can extend the base template [4] versions by allowing CSR passthrough or API Passthrough. This gives you the ability to add custom extensions as per your use case to the resulting certificate issued by Private CA. For any custom extensions that you would like to include in your Private Certificate and the procedure to do so, kindly refer to the document [5].

Hope the above information has been helpful in clarifying your concerns. Please do revert back in the case of issues and we shall be happy to help.

Have a great day ahead and stay safe!

=== References ===

[1] TECHNICAL SPECIFICATION CCC https://www.etsi.org/deliver/etsi_ts/103500_103599/10354414/01.03.00_60/ts_10354414v010300p.pdf

[2] Supported cryptographic algorithms https://docs.aws.amazon.com/privateca/latest/userguide/supported-algorithms.html

[3] issue-certificate CLI https://awscli.amazonaws.com/v2/documentation/api/latest/reference/acm-pca/issue-certificate.html

[4] Understanding certificate templates https://docs.aws.amazon.com/privateca/latest/userguide/UsingTemplates.html

[5] Issue a certificate with custom extensions using an APIPassthrough template https://docs.aws.amazon.com/privateca/latest/userguide/PcaIssueCert.html#custom-subject-2

AWS
SUPPORT ENGINEER
answered 7 months ago
EXPERT
reviewed a month ago
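
The following is an added example, not part of the answer above and not AWS or CCC code: it builds the `create_certificate_authority` and `issue_certificate` request parameters for a test hierarchy using the key sizes, signing algorithms and validity periods quoted in the answer, and caps each expiry at the issuer's expiry. The function names, the choice of base templates, SHA-256 for the application tier and the `ABSOLUTE` validity type are assumptions made for this sketch; pass the results to a boto3 `acm-pca` client.

```python
from datetime import datetime, timezone

TEMPLATE = "arn:aws:acm-pca:::template/{}/V1"
# Values quoted in the answer above:
# tier -> (RSA key algorithm, signing algorithm, validity in years, base template)
# The application key size applies to the CSR; base templates are an assumption.
PROFILE = {
    "root": ("RSA_4096", "SHA512WITHRSA", 20, "RootCACertificate"),
    "intermediate": ("RSA_4096", "SHA512WITHRSA", 20,
                     "SubordinateCACertificate_PathLen0"),
    "application": ("RSA_2048", "SHA256WITHRSA", 10, "EndEntityCertificate"),
}

def ca_request(tier, subject):
    """kwargs for create_certificate_authority (root or intermediate only)."""
    if tier == "application":
        raise ValueError("application certificates are end-entity, not CAs")
    key_alg, sig_alg, _, _ = PROFILE[tier]
    return {
        "CertificateAuthorityType": "ROOT" if tier == "root" else "SUBORDINATE",
        "CertificateAuthorityConfiguration": {
            "KeyAlgorithm": key_alg,
            "SigningAlgorithm": sig_alg,
            "Subject": subject,
        },
    }

def add_years(t, years):
    try:
        return t.replace(year=t.year + years)
    except ValueError:  # 29 February with a non-leap target year
        return t.replace(year=t.year + years, day=28)

def issue_request(tier, issuer_arn, csr_pem, now, issuer_not_after=None):
    """kwargs for issue_certificate; expiry never exceeds the issuer's expiry."""
    _, sig_alg, years, template = PROFILE[tier]
    not_after = add_years(now, years)
    if issuer_not_after is not None:
        not_after = min(not_after, issuer_not_after)
    return {
        "CertificateAuthorityArn": issuer_arn,
        "Csr": csr_pem,
        "SigningAlgorithm": sig_alg,
        "TemplateArn": TEMPLATE.format(template),
        # ABSOLUTE = expiry expressed as seconds since the Unix epoch
        "Validity": {"Type": "ABSOLUTE", "Value": int(not_after.timestamp())},
    }

# Usage with a boto3 client (constructed subject, placeholder ARN and CSR):
#   pca.create_certificate_authority(**ca_request("root", {"CommonName": "Test Root"}))
#   pca.issue_certificate(**issue_request("application", ca_arn, csr, now, ca_expiry))
```
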
