Confirmed CA by AWS and compatible with IAM anchor basic constraints

0

Hello, I need to use the IAM Anywhere feature, which requires creating a trust anchor. So, I am planning to get an "External certificate bundle" as an alternative to AWS Certificate Manager Private CA. I tried with "Let's Encrypt", but it isn't supported by AWS, as I get the following error:

"Incorrect basic constraints for CA certificate"

Would you please help me find a confirmed sales/source to get a certificate from?

asked 2 years ago · 211 views
1 Answer
0

Hello! Thank you for your question!

Based on the question, you are having an error with your external certificate and asking for a confirmed Certificate Authority source that is compatible with creating an IAM Trust Anchor. Depending on the configuration of the external certificate, it may create an error if it is not following AWS standards.

First, please check the following documentation to verify that your external certificate meets AWS requirements: https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html#signature-verification

Some of the main requirements for end entity certificates for authentication are as follows:

  • The certificates MUST be X.509v3.

  • Basic constraints MUST include CA: false.

  • The key usage MUST include Digital Signature.

  • The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.

Certificates used as Trust Anchors must satisfy the same requirements for the signature algorithm, but with the following differences:

  • The key usage MUST include Certificate Sign, and MAY include CRL Sign. Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere.

  • Basic constraints MUST include CA: true.

Please note that there is a difference between public and private CAs, and certificates issued from public CAs cannot be used as Trust Anchors. Therefore the best CA source to generate a certificate is AWS Private CA.

The following steps show how to create a trust anchor:

  • Sign in to the IAM Roles Anywhere console

  • Choose 'Create a trust anchor'.

  • In 'Trust anchor name', enter a name for the trust anchor.

  • For 'Certificate authority (CA) source', do one of the following:

    - To use an AWS Private CA resource, choose 'AWS Private CA'. In the 'AWS Private CA' table, choose the AWS Private CA resource.

    - To use another CA, choose 'External certificate bundle'. In 'External certificate bundle', paste your CA certificate body. The certificate must be in Privacy Enhanced Mail (PEM) format.

  • (Optional) Customize notification settings based on your public key infrastructure. For more information, see Customize notification settings.

  • (Optional) Add metadata to the trust anchor by attaching tags as key-value pairs. For more information, see Tagging AWS resources.

  • Choose 'Create a trust anchor'.

For a more detailed error message after creating the certificate, you can also check CloudTrail logs to view the "CreateTrustAnchor" event and see more specific details.

Hopefully, this answers your question!

For more detailed troubleshooting, please check out these resources:

Diana_D
answered 9 months ago
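As an added example (not part of the answer above and not AWS tooling), the POSIX shell script below checks a PEM certificate against the trust-anchor requirements the answer lists (X.509v3, basic constraints CA:TRUE, key usage Certificate Sign, a signature algorithm stronger than MD5/SHA-1) using only `openssl`. So that it runs offline it also builds a throwaway demo CA plus an end-entity certificate signed by that CA; the function names, the demo subject names and the temporary-directory layout are assumptions of this example. The end-entity certificate carries CA:FALSE and only Digital Signature, which is the shape of any public-CA leaf certificate and reproduces the "Incorrect basic constraints for CA certificate" situation from the question: such a certificate is a valid end-entity certificate but cannot be a trust anchor.

```shell
#!/bin/sh
# Offline pre-check of a PEM certificate against the IAM Roles Anywhere
# trust-anchor requirements quoted in the answer. Example code, not AWS tooling.

# check_trust_anchor FILE
#   Prints each failed requirement; returns 0 only when every check passes.
check_trust_anchor() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) \
        || { echo "$cert: not a readable PEM certificate"; return 1; }
    rc=0

    # Requirement: X.509v3 (extensions such as basic constraints only exist from v3).
    printf '%s\n' "$text" | grep -q 'Version: 3' \
        || { echo "$cert: FAIL not X.509v3"; rc=1; }

    # Requirement: basic constraints MUST include CA:TRUE for a trust anchor.
    # A leaf certificate (CA:FALSE) fails here, which is the error from the question.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { echo "$cert: FAIL basic constraints do not include CA:TRUE"; rc=1; }

    # Requirement: key usage MUST include Certificate Sign (CRL Sign is optional).
    # openssl prints the usage list on the line after the "X509v3 Key Usage" header.
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' \
        || { echo "$cert: FAIL key usage does not include Certificate Sign"; rc=1; }

    # Requirement: signature algorithm SHA-256 or stronger; MD5 and SHA-1 are rejected.
    if printf '%s\n' "$text" | grep 'Signature Algorithm' | grep -Eiq 'md5|sha1'; then
        echo "$cert: FAIL signature algorithm uses MD5 or SHA-1"; rc=1
    fi

    return $rc
}

# make_demo_certs DIR
#   Writes DIR/ca.pem (a trust-anchor-shaped self-signed CA) and DIR/leaf.pem
#   (an end-entity certificate issued by it). Constructed sample data only.
make_demo_certs() {
    dir="$1"

    # Self-signed CA carrying exactly the extensions a trust anchor needs.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Roles Anywhere Anchor" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 1 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null

    # End-entity certificate: CA:FALSE plus Digital Signature. Valid for a workload
    # to authenticate with, but not usable as a trust anchor.
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
        > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-workload" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" 2>/dev/null
}

# Stand-alone run: build the demo pair and check both files.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for f in ca.pem leaf.pem; do
    if check_trust_anchor "$demo_dir/$f"; then
        echo "$demo_dir/$f: OK as trust anchor"
    fi
done
```

To check your own bundle, run `check_trust_anchor /path/to/ca.pem` on each certificate in it; a bundle that passes here can still be rejected by the console for reasons outside these four checks (for example a malformed PEM body), in which case the CloudTrail `CreateTrustAnchor` event mentioned above is the place to look for the exact error.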
