
Using a subordinate certificate authority from ACM Private CA for mTLS client certificate authentication with MSK


To use mTLS for authentication to AWS managed Kafka (MSK), you need to use an AWS private certificate authority to generate the client certificates, as per this document:

https://docs.aws.amazon.com/msk/latest/developerguide/msk-authentication.html

Is it possible to generate a subordinate certificate authority from the Private CA that MSK trusts, and generate the client certificates from that subordinate CA with another tool?

1 Answer

As per https://github.com/aws-samples/amazon-msk-client-authentication,

Amazon MSK utilizes AWS Certificate Manager Private Certificate Authority (ACM PCA) for TLS mutual authentication. For information about Private Certificate Authorities, see Creating and Managing a Private CA and see Certificate Authority for information on Certificate Authorities. The PCA can either be a root Certificate Authority (CA) or a subordinate Certificate Authority. If it is a root CA, you need to install a self-signed certificate (the console provides an easy mechanism to do that). If it is a subordinate CA, you can either choose an ACM PCA root or subordinate CA as the parent or an external CA (in this case, the external CA, which can be your own CA, will issue the certificate that will be installed as the PCA certificate and become part of the certificate chain). In addition, for Amazon MSK to be able to use the ACM PCA, it needs to be in the same AWS account as the Amazon MSK cluster. However, the Apache Kafka clients, for example, the producers and consumers, schema registries, Kafka Connect or other Apache Kafka tools that need the end-entity certificates can be in an AWS account different from the AWS account that the ACM PCA is in. In that scenario, in order to be able to access the ACM PCA, they need to assume a role in the account the ACM PCA is in that has the required permissions.

Subordinate certificates will work; however, the root for that chain has to be part of the cluster association.

answered 5 months ago
