How to export a certificate for AWS Private CA in Short-Lived mode


I am setting up certificate based authentication for AWS Workspaces. I have set up a basic AWS Private Certificate Authority for the sole purpose. This CA has one level, Root, and is in Short-lived mode as it is only used for CBA for WorkSpaces.

The documentation states that my next step is to export the private certificate and then load it into Active Directory Certificate server. Directions below: https://docs.aws.amazon.com/workspaces/latest/adminguide/certificate-based-authentication.html

"Certificate-based authentication utilizes virtual smart cards for logon. Following the Guidelines for enabling smart card logon with third-party certification authorities in Active Directory, perform the following steps:

Configure domain controllers with a domain controller certificate to authenticate smart card users. If you have an Active Directory Certificate Services enterprise CA configured in your Active Directory, domain controllers are automatically enrolled with certificates to enable smart card logon.

On the AWS Private CA console or using the SDK or CLI, select your CA and under the CA certificate, export the CA private certificate. For more information, see Exporting a private certificate.

Publish the CA to Active Directory. Logon to a domain controller or a domain-joined machine. Copy the CA private certificate to any <path><file> and run the following commands as a domain administrator. Alternatively, you can use Group Policy and the Microsoft PKI Health Tool (PKIView) tool to publish the CA. For more information, see Configuration instructions."

The problem I am facing is that there does not seem to be a way to export the certificate. There is no "Export" option in AWS Certificate Manager as the directions state. If I use "Request" to get the certificate then I get the following error: "ACM does not support Private CA short-lived mode".

Does anyone know how I should proceed? The documentation for CBA recommends using short-lived mode so I know it's supported.

1 Answer
Accepted Answer

I think the documentation needs to be updated here because it's 100% not possible to use the ACM console like it mentions here: https://docs.aws.amazon.com/acm/latest/userguide/export-private.html to export, or even issue a certificate by a PCA (Private CA) in short-lived certificate mode. This is because when you use the ACM console to request a certificate, the setting of the validity of the certificate is always 13 months. PCAs in short-lived mode can only issue certs up to 7 days which is why you get that error.

Also, the ACM console is for issuing end-entity certificates anyway. I think that in the documentation you posted, it wants you to retrieve the CA certificate of the PCA. This can be done by going to the AWS console -> Private CA -> select your Private CA -> then look for the CA Certificate tab. The CA certificate should be there in PEM, which you can copy. The reason why I think this is the right way is because the next step is:

"Publish the CA to Active Directory. Copy the CA private certificate to any <path><file> and run the following commands as a domain administrator."

FYI, the only way to issue end-entity certificates from a PCA in short-lived mode is to use the IssueCertificate API. That API is not supported in the console and must be called programmatically / via the CLI. https://docs.aws.amazon.com/privateca/latest/userguide/PcaIssueCert.html

answered 10 months ago
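The CLI path the answer describes, as an added example that is not part of the original answer or of AWS's documentation: it fetches the CA certificate for publishing into Active Directory and issues a 7-day end-entity certificate through IssueCertificate, which is the only route for a short-lived-mode CA. The CA ARN, file names and the RSA signing algorithm are assumptions; set CA_ARN to run it against a real CA.

```shell
# Added example, not from the post or the AWS docs: export a short-lived-mode
# Private CA's certificate and issue a 7-day end-entity cert via IssueCertificate.
# Assumes AWS CLI v2 with acm-pca permissions and an RSA CA key; CA_ARN and the
# file names are placeholders you choose.
set -euo pipefail

# Short-lived mode caps validity at 7 days; the console's 13-month default is
# why "ACM does not support Private CA short-lived mode" appears.
validity_args() {
  days="$1"
  if [ "$days" -lt 1 ] || [ "$days" -gt 7 ]; then
    echo "validity must be 1-7 days for a short-lived-mode CA (got $days)" >&2
    return 1
  fi
  echo "Value=${days},Type=DAYS"
}

# Step 1: export the CA certificate (PEM) to publish into Active Directory.
fetch_ca_certificate() {
  ca_arn="$1"; out="$2"
  aws acm-pca get-certificate-authority-certificate \
    --certificate-authority-arn "$ca_arn" \
    --query Certificate --output text > "$out"
}

# Step 2: issue an end-entity certificate from an existing CSR and fetch it.
issue_short_lived_certificate() {
  ca_arn="$1"; csr="$2"; days="$3"; out="$4"
  validity="$(validity_args "$days")"
  cert_arn="$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$ca_arn" \
    --csr "fileb://${csr}" \
    --signing-algorithm SHA256WITHRSA \
    --validity "$validity" \
    --query CertificateArn --output text)"
  # Issuance is asynchronous; wait before retrieving the signed certificate.
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate \
    --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
    --query Certificate --output text > "$out"
  echo "$cert_arn"
}

# Only talks to AWS when CA_ARN is set, e.g. CA_ARN=arn:aws:acm-pca:... ./issue.sh
if [ -n "${CA_ARN:-}" ]; then
  fetch_ca_certificate "$CA_ARN" ca.pem
  openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr -subj /CN=user
  issue_short_lived_certificate "$CA_ARN" user.csr 7 user.pem
fi
```

The resulting ca.pem is the "CA private certificate" the WorkSpaces guide asks you to copy to a domain-joined machine; user.pem is a short-lived end-entity certificate that the ACM console could never have requested.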
