Using a subordinate certificate authority from ACM Private CA for mTLS client certificate authentication with MSK

As per https://github.com/aws-samples/amazon-msk-client-authentication,

Amazon MSK utilizes AWS Certificate Manager Private Certificate Authority (ACM PCA) for TLS mutual authentication. For information about Private Certificate Authorities, see Creating and Managing a Private CA and see Certificate Authority for information on Certificate Authorities. The PCA can either be a root Certificate Authority (CA) or a subordinate Certificate Authority. If it is a root CA, you need to install a self-signed certificate (the console provides an easy mechanism to do that). If it is a subordinate CA, you can either choose an ACM PCA root or subordinate CA as the parent or an external CA (in this case, the external CA which can be your own CA will issue the certificate that will be installed as the PCA certificate and become part of the certificate chain). In addition, for Amazon MSK to be able to use the ACM PCA, it needs to be in the same AWS account as the Amazon MSK cluster. However, the Apache Kafka clients, for example, the producers and consumers, schema registries, Kafka Connect or other Apache Kafka tools that need the end-entity certificates can be in an AWS account different from the AWS account that the ACM PCA is in. In that scenario, in order to be able to access the ACM PCA, they need to assume a role in the account the ACM PCA is in and has the required permissions.

Subordinate certificates will work however the root for that chain has to be part of the cluster association.

Here's the step by step to use subordinate CA: https://github.com/aws-samples/msk-third-party-mtls.

Hello,

Per AWS documentation, it is possible to create up to four levels of subordinate certificates with AWS private CA. Subordinate certificate authority can sign other certificate subordinate to them. And end-entities can receive their certificate from these subordinate certificate authorities. In short, yes it is possible to generate a subordinate certificate authority from AWS private CA and end-entities such as MSK can get their certificate from this subordinate certificate authorities.

Please note, "AWS highly recommends using independent AWS Private CA for each MSK cluster when you use mutual TLS to control access. Doing so will ensure that TLS certificates signed by PCAs only authenticate with a single MSK cluster."

For further information please refer the following AWS documentation.

Reference

[1] MSK cluster that supports client authentication: https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html [2] AWS private CA: https://docs.aws.amazon.com/privateca/latest/userguide/ca-hierarchy.html