How to Remove SANs from Issued Certificate when Using API Passthrough


I am using the AWS SDK for Java to request certificates from an AWS Private CA. I am using the BlankEndEntityCertificate_APIPassthrough/V1 template and passing a CSR that contains multiple Subject Alternative Names (SANs).

However, I want the issued certificate not to contain any SANs. In my implementation, I use the Extensions builder and do not explicitly set subjectAlternativeNames. Despite this, the issued certificate still contains the SANs from the CSR.

If I try passing an empty list for subjectAlternativeNames, I get the following error: "Error requesting certificate: 1 validation error detected: Value '[]' at 'apiPassthrough.extensions.subjectAlternativeNames' failed to satisfy constraint: Member must have length greater than or equal to 1 (Service: AcmPca, Status Code: 400)."

Is there a way to remove SANs from the issued certificate via the API Passthrough variables? Ideally, I would like to override or remove them without modifying the original CSR.

Any guidance would be greatly appreciated!

asked 2 months ago · 44 views
1 Answer

When using the BlankEndEntityCertificate_APIPassthrough/V1 template with AWS Private CA, removing Subject Alternative Names (SANs) from the issued certificate while they are present in the CSR can be challenging. The API Passthrough method generally takes precedence over the CSR values, but it doesn't provide a direct way to remove extensions that are present in the CSR.

However, there are a few approaches you can consider:

  1. Template Priority: The template definition has the highest priority over both API Passthrough values and CSR values. If you can create a custom template that explicitly defines an empty or null SAN extension, this should override the SANs in the CSR.

  2. API Passthrough Override: While you can't pass an empty list for subjectAlternativeNames due to the constraint you encountered, you might be able to pass a single, benign SAN that effectively replaces the multiple SANs from the CSR. This could be a dummy value that you can later ignore or remove if necessary.

  3. CSR Modification: If possible, consider modifying your CSR generation process to exclude SANs. This would be the most straightforward solution, as it eliminates the problem at the source.

  4. Alternative Template: Instead of using the APIPassthrough template, you could try using the BlankEndEntityCertificate_CSRPassthrough/V1 template and then use the API Passthrough to override or remove specific extensions. This might allow more control over which CSR elements are included or excluded.

  5. Custom Extension: As a workaround, you might be able to use a custom extension in the API Passthrough that nullifies or overrides the SAN extension from the CSR.

It's important to note that the exact behavior can depend on the specific implementation of AWS Private CA and the SDK version you're using. If none of these approaches work, you may need to contact AWS support for a more tailored solution or consider modifying your certificate issuance process to align with the constraints of the API Passthrough method.
Sources:
  - How to issue use-case bound certificates with AWS Private CA | AWS Security Blog
  - Issue private end-entity certificates - AWS Private Certificate Authority

answered 2 months ago
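Approach 2 from the answer, followed by the check a practitioner should run before deploying the result, as an added example in AWS SDK for Java v2 (this is not code from the question or the answer): the CA ARN, the CSR passed in, the 365-day validity and the placeholder DNS name are assumptions, and the placeholder uses the reserved `.invalid` TLD so it can never match a real host.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.acmpca.AcmPcaClient;
import software.amazon.awssdk.services.acmpca.model.*;

public class IssueWithSingleSan {
    // Assumed values: replace with your own CA ARN; the CSR comes from the caller.
    static final String CA_ARN = "arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/ID";
    static final String TEMPLATE_ARN =
        "arn:aws:acm-pca:::template/BlankEndEntityCertificate_APIPassthrough/V1";
    // Reserved TLD (RFC 2606): a placeholder that cannot match a real host name.
    static final String PLACEHOLDER_SAN = "placeholder.invalid";

    public static void main(String[] args) throws Exception {
        String csrPem = args[0]; // PEM CSR that carries the unwanted SANs
        AcmPcaClient client = AcmPcaClient.create();

        // API passthrough values take precedence over the CSR, so one placeholder
        // SAN replaces the CSR's SAN list (an empty list is rejected, see the error above).
        IssueCertificateRequest issue = IssueCertificateRequest.builder()
            .certificateAuthorityArn(CA_ARN)
            .csr(SdkBytes.fromUtf8String(csrPem))
            .signingAlgorithm(SigningAlgorithm.SHA256WITHRSA)
            .templateArn(TEMPLATE_ARN)
            .validity(Validity.builder().type(ValidityPeriodType.DAYS).value(365L).build())
            .apiPassthrough(ApiPassthrough.builder()
                .extensions(Extensions.builder()
                    .subjectAlternativeNames(GeneralName.builder().dnsName(PLACEHOLDER_SAN).build())
                    .build())
                .build())
            .build();
        String certArn = client.issueCertificate(issue).certificateArn();

        GetCertificateRequest get = GetCertificateRequest.builder()
            .certificateAuthorityArn(CA_ARN).certificateArn(certArn).build();
        client.waiter().waitUntilCertificateIssued(get); // issuance is asynchronous
        String certPem = client.getCertificate(get).certificate();

        // Verify the SAN set is exactly the placeholder before the certificate is used anywhere.
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
            .generateCertificate(new ByteArrayInputStream(certPem.getBytes(StandardCharsets.US_ASCII)));
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when no SAN extension
        boolean onlyPlaceholder = sans != null && sans.size() == 1
            && PLACEHOLDER_SAN.equals(sans.iterator().next().get(1));
        if (!onlyPlaceholder) {
            throw new IllegalStateException("Unexpected SANs in issued certificate: " + sans);
        }
    }
}
```

Each entry returned by getSubjectAlternativeNames() is a two-element list (type code, value); the check above fails closed if the CA returned anything other than the single placeholder, including SANs copied from the CSR.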
