Questions tagged with AWS Certificate Manager


mutual TLS authentication for Amazon API Gateway - With my existing public key infrastructure (PKI) standard.

Hello Team, I am trying to enable mTLS for Amazon API Gateway for my endpoint, and I have my existing public key (PKI) for my domain (.crt & .key). While uploading my existing root CA public key to an S3 bucket, I am getting an error like "API Gateway couldn't build a unique path from the given certificate to a root certificate". I am following the setup using this link, Ref: https://aws.amazon.com/blogs/compute/introducing-mutual-tls-authentication-for-amazon-api-gateway/

Note: I am not using openssl to generate the RootCA.pem & RootCA.key.

Step 1 (SKIP): Create the private certificate authority (CA) private and public keys:

```shell
openssl genrsa -out RootCA.key 4096
openssl req -new -x509 -days 3650 -key RootCA.key -out RootCA.pem
```

Step 2: Create the client certificate private key and certificate signing request (CSR):

```shell
openssl genrsa -out my_client.key 2048
openssl req -new -key my_client.key -out my_client.csr
```

Step 3: Sign the newly created client cert by using the certificate authority you previously created:

```shell
openssl x509 -req -in my_client.csr -CA RootCA.pem -CAkey RootCA.key -set_serial 01 -out my_client.pem -days 3650 -sha256
```

Step 4: I have a minimum of five files in my directory:

- RootCA.key (root CA private key)
- RootCA.pem (root CA public key)
- my_client.csr (client certificate signing request)
- my_client.key (client certificate private key)
- my_client.pem (client certificate public key)

Step 5: Prepare a PEM-encoded trust store file for all certificate authority public keys you want to use with mutual TLS:

```shell
cp RootCA.pem truststore.pem
```

Step 6: Upload the trust store file to an Amazon S3 bucket in the same AWS account as our API Gateway API:

```shell
aws s3 mb s3://your-name-ca-truststore --region us-east-1   # creates a new S3 bucket – skip if using existing bucket
aws s3api put-bucket-versioning --bucket your-name-ca-truststore --versioning-configuration Status=Enabled   # enables versioning on S3 bucket
aws s3 cp truststore.pem s3://your-name-ca-truststore/truststore.pem   # uploads object to S3 bucket
```

Step 7: Enabling mutual TLS on a custom domain name I have in the AWS API Gateway console. While I upload my existing root CA public key to the S3 bucket, I am getting errors like:

Error: "API Gateway couldn't build a unique path from the given certificate to a root certificate".

Error: "There is an invalid certificate in your truststore bundle. Mutual TLS is still enabled, but some clients might not be able to access your API. Upload a new truststore bundle version to S3, and then update your domain name to use the new version."
1 answer, 0 votes, 11 views, asked 2 days ago
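The error text in the post says the trust store holds a certificate that cannot be chained, inside that same file, up to a self-signed root. The following shell script is an added example by the editor (it is neither the poster's commands nor code from the AWS blog): it builds a throwaway root CA, an intermediate CA and a client certificate with openssl, then runs a local pre-check over two candidate trust stores, one holding only the intermediate and one holding intermediate plus root. All file names and subject names are assumptions, and the check is an openssl approximation of what the API Gateway message describes, not API Gateway's own validator.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a small PKI and checks
# whether every certificate in a candidate truststore.pem verifies to a
# self-signed root contained in the same bundle. File names are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_pki() {
  cd "$WORK"
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Root CA" -keyout RootCA.key -out RootCA.pem 2>/dev/null
  # Intermediate CA signed by the root; CA:TRUE so it may issue leaf certs.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout IntCA.key -out IntCA.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
  openssl x509 -req -in IntCA.csr -CA RootCA.pem -CAkey RootCA.key \
    -set_serial 02 -days 1825 -sha256 -extfile int.ext -out IntCA.pem 2>/dev/null
  # Client certificate issued by the intermediate (what a client presents in mTLS).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my_client" \
    -keyout my_client.key -out my_client.csr 2>/dev/null
  openssl x509 -req -in my_client.csr -CA IntCA.pem -CAkey IntCA.key \
    -set_serial 03 -days 365 -sha256 -out my_client.pem 2>/dev/null
  # Two candidate trust stores: the intermediate alone, and intermediate + root.
  cp IntCA.pem truststore-intermediate-only.pem
  cat IntCA.pem RootCA.pem > truststore-full.pem
}

# Returns 0 when every certificate in the bundle can be verified using only
# the bundle itself as the trust anchor set, i.e. each one has a path to a
# self-signed root that is present in the file. Returns 1 otherwise.
check_truststore() {
  bundle="$1"
  split_dir="$(mktemp -d)"
  # Split the PEM bundle into one file per certificate.
  awk -v dir="$split_dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (dir "/cert-" n ".pem")}' "$bundle"
  status=0
  for cert in "$split_dir"/cert-*.pem; do
    subject="$(openssl x509 -noout -subject -in "$cert")"
    if openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
      echo "OK   $subject chains to a root inside $(basename "$bundle")"
    else
      echo "FAIL $subject has no path to a root inside $(basename "$bundle")"
      status=1
    fi
  done
  rm -rf "$split_dir"
  return $status
}

make_pki
echo "--- intermediate only (the shape the API Gateway error describes) ---"
check_truststore "$WORK/truststore-intermediate-only.pem" || true
echo "--- intermediate + root ---"
check_truststore "$WORK/truststore-full.pem"
```

Run it before uploading a new object version to S3: a bundle that fails this check (a non-self-signed CA certificate whose issuer is not also in the file) is exactly the case where nothing in the file leads to a root. When the client certificates were issued by an intermediate, both the intermediate and the root it chains to belong in truststore.pem.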

How can I use Cloudfront with a root domain name?

I set up a Cloudfront distribution. I use a non-AWS domain registrar and DNS. I want my distribution to respond to "https://mydomain.com", but there is a problem. Cloudfront provides a domain name and asks you to create a CNAME record in DNS, but you can't create a CNAME record that points to the root domain or "@", like you can with a regular A record. To get around the problem, I set up "www.mydomain.com" as the CNAME record. If I type "https://www.mydomain.com" into my browser it works, but of course "mydomain.com" without "www" does not work. The next thing I did was create a permanent redirect in DNS that should redirect mydomain.com to www.mydomain.com. Now I can type "http://mydomain.com" and it redirects to www.mydomain.com and it works. But if I type "https://mydomain.com" (with HTTPS instead of HTTP) it does not work. I presume that this is because whatever server is implementing the redirect (I use GoDaddy) doesn't have my SSL certificate so the connection can't be made. I'm not sure how to resolve this problem. What I need, I think, is some web server that is on a fixed IP address and also has my SSL certificate, and can simply respond to all requests with the permanent redirect response. The only way I can think of to do this in AWS would be to set up an entire EC2 instance with my own web server, which is a lot of work and cost. Is there a better solution? My company doesn't want to move our DNS or domain registration to AWS, so using something like Route 53 is probably not an option. Thanks, Frank
1 answer, 0 votes, 25 views, Frank asked 5 days ago

AWS Certificate Manager Pending Validation when DNS validation is successful

I'm attempting to renew a certificate created in AWS Certificate Manager (ACM), but I'm stuck in the dreadful PENDING_VALIDATION status; this is a DNS-validated certificate where I validated using the CNAME record. Under domains I can see the domain validation has a status of Success and a Renewal Status of Success. If I run `aws acm describe-certificate --certificate-arn "examplearn"`, I get a return showing DomainValidationOptions with the ValidationStatus being SUCCESS for the CNAME validation. Replaced with "example" for sensitive values:

```json
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:example:certificate/certid",
    "DomainName": "*.example.com",
    "SubjectAlternativeNames": ["*.example.com"],
    "DomainValidationOptions": [
      {
        "DomainName": "*.example.com",
        "ValidationDomain": "*.example.com",
        "ValidationStatus": "SUCCESS",
        "ResourceRecord": {
          "Name": "examplename",
          "Type": "CNAME",
          "Value": "examplevalue"
        },
        "ValidationMethod": "DNS"
      }
    ],
    "Serial": "",
    "Subject": "CN=*.example.com",
    "Issuer": "Amazon",
    "CreatedAt": "2019-01-17T12:53:01-08:00",
    "IssuedAt": "2021-10-22T21:21:50.177000-07:00",
    "Status": "ISSUED",
    "NotBefore": "2021-10-22T17:00:00-07:00",
    "NotAfter": "2022-11-23T15:59:59-08:00",
    "KeyAlgorithm": "RSA-2048",
    "SignatureAlgorithm": "SHA256WITHRSA",
    "InUseBy": ["example", "example", "example", "example"],
    "Type": "AMAZON_ISSUED",
    "RenewalSummary": {
      "RenewalStatus": "PENDING_VALIDATION",
      "DomainValidationOptions": [
        {
          "DomainName": "*.example.com",
          "ValidationDomain": "*.example.com",
          "ValidationStatus": "SUCCESS",
          "ResourceRecord": {
            "Name": "examplename",
            "Type": "CNAME",
            "Value": "examplevalue"
          },
          "ValidationMethod": "DNS"
        }
      ],
      "UpdatedAt": "2022-09-21T23:39:15.161000-07:00"
    },
    "KeyUsages": [
      { "Name": "DIGITAL_SIGNATURE" },
      { "Name": "KEY_ENCIPHERMENT" }
    ],
    "ExtendedKeyUsages": [
      { "Name": "TLS_WEB_SERVER_AUTHENTICATION", "OID": "1.3.6.1.5.5.7.3.1" },
      { "Name": "TLS_WEB_CLIENT_AUTHENTICATION", "OID": "1.3.6.1.5.5.7.3.2" }
    ],
    "RenewalEligibility": "ELIGIBLE",
    "Options": { "CertificateTransparencyLoggingPreference": "ENABLED" }
  }
}
```

I followed the instructions successfully in https://aws.amazon.com/premiumsupport/knowledge-center/acm-certificate-pending-validation/ (checking that the CNAME response exactly matches what is in the ACM CNAME values when copy-pasting). The site domain registration is in Route 53 with NS pointing to Cloudflare, where DNS is managed. Is there something obvious that pops out to you? Thank you!
1 answer, 0 votes, 56 views, asked 15 days ago
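The knowledge-center article the poster cites amounts to one check: the CNAME that DNS actually returns for the ResourceRecord.Name must be the ResourceRecord.Value ACM shows, byte for byte apart from case and the trailing dot. The following shell snippet is an added example by the editor, not the poster's or AWS's code: it normalises both names before comparing them, and offers a live check that assumes `dig` is installed and lets you point at a specific nameserver so a caching resolver's stale answer does not mislead you. The record names and values in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the CNAME that DNS
# returns for an ACM validation name with the value ACM expects.
# Record names and values used below are constructed placeholders.

# Lower-case a DNS name and make sure it carries exactly one trailing dot,
# so "Foo.Example.COM" and "foo.example.com." compare equal.
normalize_dns_name() {
  printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/\.*$/./'
}

# Exit status 0 when the observed CNAME target equals the expected one.
acm_cname_matches() {
  [ "$(normalize_dns_name "$1")" = "$(normalize_dns_name "$2")" ]
}

# Live check (assumes dig is installed). $1 = ResourceRecord.Name,
# $2 = ResourceRecord.Value from describe-certificate, optional $3 = a
# nameserver to query directly (e.g. one of the zone's authoritative servers).
check_acm_cname() {
  name="$1"; expected="$2"; server="${3:-}"
  if [ -n "$server" ]; then
    observed="$(dig +short CNAME "$name" "@$server" | head -n 1)"
  else
    observed="$(dig +short CNAME "$name" | head -n 1)"
  fi
  if [ -z "$observed" ]; then
    echo "FAIL: no CNAME answer for $name (ACM looks for a CNAME, not an A/AAAA answer)"
    return 1
  fi
  if acm_cname_matches "$observed" "$expected"; then
    echo "OK: $name -> $observed"
  else
    echo "FAIL: $name -> $observed, expected $expected"
    return 1
  fi
}

# Offline demonstration with constructed values.
EXPECTED="_abc123def456.acm-validations.aws."
if acm_cname_matches "_ABC123DEF456.ACM-VALIDATIONS.AWS" "$EXPECTED"; then
  echo "case and trailing-dot differences are fine"
fi
if ! acm_cname_matches "_abc123def456.acm-validations.aws.example.com." "$EXPECTED"; then
  echo "a target with the zone name appended does not match"
fi
```

Usage for a real certificate is `check_acm_cname "<ResourceRecord.Name>" "<ResourceRecord.Value>" ns1.example-dns.net`, with the nameserver taken from the zone's NS records; an empty answer or an A/AAAA answer in place of the CNAME is the first thing to rule out, since ACM has nothing to compare in that case.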