├── NOTICE ├── .github └── PULL_REQUEST_TEMPLATE.md ├── CODE_OF_CONDUCT.md ├── bin ├── s3-deleteBucket ├── certText ├── cfn-deleteStack ├── crlText ├── certPretty ├── acm-requestCertificate ├── chainText ├── acm-pca-revokeCertificate ├── acm-pca-getCaCertificate ├── acm-getCertificate ├── acm-pca-deletePca ├── acm-pca-listPcas ├── acm-pca-getCertificate └── acm-pca-issueCertificate ├── LICENSE ├── cfn-templates ├── private-hosted-zone.yaml ├── execution-role.yaml ├── acm-pca-sub-ca.yaml └── acm-pca-root-ca.yaml ├── CONTRIBUTING.md └── README.md /NOTICE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice. 2 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | ## Code of Conduct 2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 4 | opensource-codeofconduct@amazon.com with any additional questions or comments. 5 | -------------------------------------------------------------------------------- /bin/s3-deleteBucket: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) bucket" 6 | usage() { echo -e "$USAGE" >&2; exit 2; } 7 | 8 | bucket=$1 9 | if [ -z "$bucket" ]; then 10 | usage 11 | fi 12 | 13 | aws s3 rb s3://$bucket --force 14 | -------------------------------------------------------------------------------- /bin/certText: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) cert_file" 6 | usage() { echo -e "$USAGE" >&2; exit 2; } 7 | 8 | certFile=$1 9 | if [ -z "$certFile" ]; then 10 | usage 11 | fi 12 | 13 | openssl x509 -text -noout -in $certFile 14 | -------------------------------------------------------------------------------- /bin/cfn-deleteStack: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) stack" 6 | usage() { echo -e "$USAGE" >&2; exit 2; } 7 | 8 | stack=$1 9 | if [ -z "$stack" ]; then 10 | usage 11 | fi 12 | 13 | aws cloudformation delete-stack --stack-name $stack 14 | -------------------------------------------------------------------------------- /bin/crlText: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) crl_file" 6 | usage() { echo -e "$USAGE" >&2; exit 2; } 7 | 8 | crlFile=$1 9 | if [ -z "$crlFile" ]; then 10 | usage 11 | fi 12 | 13 | openssl crl -inform DER -text -noout -in $crlFile 14 | -------------------------------------------------------------------------------- /bin/certPretty: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) cert-joint-in-one-line" 6 | usage() { echo -e "$USAGE" >&2; exit 2; } 7 | 8 | if [ "$#" -lt 1 ]; then 9 | usage 10 | fi 11 | 12 | while test -n "$1"; do 13 | if [ "${1#-----}" != "$1" ]; then 14 | # ----- on left 15 | echo -n "$1 " 16 | else 17 | echo "$1" 18 | fi 19 | shift 20 | done 21 | -------------------------------------------------------------------------------- /bin/acm-requestCertificate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) pca_arn domain 6 | Request a certificate from ACM, i.e., Certificate ARN starting with arn:aws:acm:" 7 | usage() { echo -e "$USAGE" >&2; exit 2; } 8 | 9 | pca=$1 10 | domain=$2 11 | if [ -z "$domain" -o -z "$pca" ]; then 12 | usage 13 | fi 14 | 15 | aws acm request-certificate --certificate-authority-arn $pca --domain-name $domain 16 | -------------------------------------------------------------------------------- /bin/chainText: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) [-a] chain_file\n\ 6 | \t-a Show all details of each certificate in the bundle (instead of a summary)" 7 | usage() { echo -e "$USAGE" >&2; exit 2; } 8 | 9 | textFlag="" 10 | while getopts "a" arg; do 11 | case "$arg" in 12 | a) textFlag="-text";; 13 | esac 14 | done 15 | shift $((OPTIND-1)) 16 | 17 | chainFile=$1 18 | if [ -z "$chainFile" ]; then 19 | usage 20 | fi 21 | 22 | openssl crl2pkcs7 -nocrl -certfile $chainFile | 23 | openssl pkcs7 -print_certs -noout $textFlag 24 | -------------------------------------------------------------------------------- /bin/acm-pca-revokeCertificate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) pca_arn reason serial_of_cert\n\ 6 | Revoke a certificate issued by a Private CA, i.e., Certificate ARN starting with arn:aws:acm-pca:\n\ 7 | Reason is one of: 8 | \tAFFILIATION_CHANGED\n\ 9 | \tCESSATION_OF_OPERATION\n\ 10 | \tA_A_COMPROMISE\n\ 11 | \tPRIVILEGE_WITHDRAWN\n\ 12 | \tSUPERSEDED\n\ 13 | \tUNSPECIFIED\n\ 14 | \tKEY_COMPROMISE\n\ 15 | \tCERTIFICATE_AUTHORITY_COMPROMISE" 16 | usage() { echo -e "$USAGE" >&2; exit 2; } 17 | 18 | pca=$1 19 | reason=$2 20 | serial=$3 21 | if [ -z "$pca" -o -z "$reason" -o -z "$serial" ]; then 22 | usage 23 | fi 24 | 25 | aws acm-pca revoke-certificate --certificate-authority-arn $pca --revocation-reason $reason --certificate-serial $serial 26 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 2 | 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of 4 | this software and associated documentation files (the "Software"), to deal in 5 | the Software without restriction, including without limitation the rights to 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of 7 | the Software, and to permit persons to whom the Software is furnished to do so. 8 | 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS 11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR 12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER 13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 15 | 16 | -------------------------------------------------------------------------------- /bin/acm-pca-getCaCertificate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) [-acj] pca_arn\n\ 6 | Get the Private CA certificate\n\ 7 | \t-a Include Arn in the output\n\ 8 | \t-c Get the chain instead\n\ 9 | \t-j Get the full JSON with Chain\n\ 10 | If multiple options are specified, only the last one will be effective." 11 | usage() { echo -e "$USAGE" >&2; exit 2; } 12 | 13 | outputType= 14 | while getopts "acj" arg; do 15 | case "$arg" in 16 | a) outputType=arn;; 17 | c) outputType=chain;; 18 | j) outputType=json;; 19 | esac 20 | done 21 | shift $((OPTIND-1)) 22 | 23 | pca=$1 24 | if [ -z "$pca" ]; then 25 | usage 26 | fi 27 | 28 | aws acm-pca get-certificate-authority-certificate --certificate-authority-arn $pca | 29 | case "$outputType" in 30 | arn) ( echo "{\"Arn\": \"$pca\"}"; cat ) | jq -s add;; 31 | chain) jq -r '(.CertificateChain)';; 32 | json) jq .;; 33 | *) jq -r '(.Certificate)';; 34 | esac 35 | -------------------------------------------------------------------------------- /bin/acm-getCertificate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) [-acj] cert_arn\n\ 6 | Get a certificate issued by ACM, i.e., Certificate ARN starting with arn:aws:acm:\n\ 7 | \t-a Include Arn in the output\n\ 8 | \t-c Get the chain instead\n\ 9 | \t-j Get the full JSON with Chain\n\ 10 | If multiple options are specified, only the last one will be effective." 11 | usage() { echo -e "$USAGE" >&2; exit 2; } 12 | 13 | outputType= 14 | while getopts "acj" arg; do 15 | case "$arg" in 16 | a) outputType=arn;; 17 | c) outputType=chain;; 18 | j) outputType=json;; 19 | esac 20 | done 21 | shift $((OPTIND-1)) 22 | 23 | cert=$1 24 | if [ -z "$cert" ]; then 25 | usage 26 | fi 27 | 28 | aws acm get-certificate --certificate-arn $cert | 29 | case "$outputType" in 30 | arn) ( echo "{\"Arn\": \"$cert\"}"; cat ) | jq -s add;; 31 | chain) jq -r '(.CertificateChain)';; 32 | json) jq .;; 33 | *) jq -r '(.Certificate)';; 34 | esac 35 | -------------------------------------------------------------------------------- /cfn-templates/private-hosted-zone.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | AWSTemplateFormatVersion: "2010-09-09" 3 | Description: |- 4 | Private Hosted Zone (PHZ) creation template 5 | Note: 6 | If the PHZ is associated with multiple VPCs or outside of the region where the stack is created 7 | expand the VpcId to a list. e.g., 8 | - VPCId: ... 9 | VPCRegion: ... 10 | - VPCId: ... 11 | VPCRegion: ... 12 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 13 | # SPDX-License-Identifier: MIT-0 14 | 15 | Parameters: 16 | DomainName: 17 | Description: Domain Name of the Private Hosted Zone, e.g., example.int 18 | Type: String 19 | 20 | VPCId: 21 | Description: VPC ID associated with the Private Hosted Zone 22 | Type: AWS::EC2::VPC::Id 23 | 24 | Resources: 25 | PrivateHostedZone: 26 | Type: AWS::Route53::HostedZone 27 | Properties: 28 | Name: !Ref DomainName 29 | VPCs: 30 | - VPCId: !Ref VPCId 31 | VPCRegion: !Sub "${AWS::Region}" 32 | 33 | Outputs: 34 | DomainName: 35 | Value: !Ref DomainName 36 | 37 | PrivateHostedZoneId: 38 | Value: !Ref PrivateHostedZone 39 | -------------------------------------------------------------------------------- /bin/acm-pca-deletePca: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | # Defaults 6 | deleteInDays=7 7 | 8 | USAGE="Usage: $(basename $0) [-d delete_in_days:$deleteInDays] pca_arn" 9 | usage() { echo -e "$USAGE" >&2; exit 2; } 10 | 11 | while getopts "d:" arg; do 12 | case "$arg" in 13 | d) deleteInDays=$OPTARG;; 14 | esac 15 | done 16 | shift $((OPTIND-1)) 17 | 18 | pca=$1 19 | if [ -z "$pca" ]; then 20 | usage 21 | fi 22 | 23 | getPcaStatus() { aws acm-pca describe-certificate-authority --certificate-authority-arn $1 | jq -r ".CertificateAuthority.Status"; } 24 | 25 | pcaStatus=$(getPcaStatus $pca) 26 | echo Private CA: $pca 27 | echo Old Status: $pcaStatus 28 | 29 | if [ "$pcaStatus" == "ACTIVE" ]; then 30 | echo Action: Disable now 31 | aws acm-pca update-certificate-authority --status DISABLED --certificate-authority-arn $pca || exit 1 32 | fi 33 | aws acm-pca delete-certificate-authority --permanent-deletion-time-in-days $deleteInDays --certificate-authority-arn $pca || exit 1 34 | 35 | echo New Status: $(getPcaStatus $pca) 36 | echo Action: To be deleted in $deleteInDays days 37 | -------------------------------------------------------------------------------- /bin/acm-pca-listPcas: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) [-?aj] fld ...\n\ 6 | List ARNs of all undeleted CAs\n\ 7 | \tfld ... List ARNs of all undeleted CAs with specified fields (comma-delimited), ignored if -j is used\n\ 8 | \t-a List all CAs including deleted ones\n\ 9 | \t-j List CAs in JSON (fld list ignored)\n\ 10 | \t-? Show this help text" 11 | usage() { echo -e "$USAGE" >&2; exit 2; } 12 | 13 | allCAs= 14 | outputType= 15 | while getopts "?aj" arg; do 16 | case "$arg" in 17 | \?) usage;; 18 | a) allCAs=true;; 19 | j) outputType=json;; 20 | esac 21 | done 22 | shift $((OPTIND-1)) 23 | 24 | flds=.Arn 25 | while [ -n "$1" ]; do 26 | flds="${flds} + \",\" + .$1" 27 | shift 28 | done 29 | 30 | jqFlags= 31 | jqFilters= 32 | if [ "$allCAs" != "true" ]; then 33 | jqFilters="$jqFilters | select(.Status != \"DELETED\")" 34 | fi 35 | jqFLds= 36 | if [ "$outputType" != "json" ]; then 37 | jqFilters="$jqFilters | $flds" 38 | jqFlags=-r 39 | fi 40 | 41 | aws acm-pca list-certificate-authorities | 42 | jq $jqFlags ".CertificateAuthorities[]$jqFilters" 43 | -------------------------------------------------------------------------------- /bin/acm-pca-getCertificate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | USAGE="Usage: $(basename $0) [-acj] cert_arn [pca_arn]\n\ 6 | Get a certificate issued by a Private CA, i.e., Certificate ARN starting with arn:aws:acm-pca:\n\ 7 | Note 1: Certificates issued by a Private CA are not listed on ACM Console. 8 | Note 2: If pca_arn is not specified, it will be derived from the cert_arn. 9 | \t-a Include Arn in the output\n\ 10 | \t-c Get the chain instead\n\ 11 | \t-j Get the full JSON with Chain\n\ 12 | If multiple options are specified, only the last one will be effective." 13 | usage() { echo -e "$USAGE" >&2; exit 2; } 14 | 15 | outputType= 16 | while getopts "acj" arg; do 17 | case "$arg" in 18 | a) outputType=arn;; 19 | c) outputType=chain;; 20 | j) outputType=json;; 21 | esac 22 | done 23 | shift $((OPTIND-1)) 24 | 25 | cert=$1 26 | pca=$2 27 | if [ -z "$cert" ]; then 28 | usage 29 | fi 30 | if [ -z "$pca" ]; then 31 | pca=${cert%/certificate/*} 32 | echo PCA Derived 33 | echo $pca 34 | fi 35 | 36 | aws acm-pca get-certificate --certificate-authority-arn $pca --certificate-arn $cert | 37 | case "$outputType" in 38 | arn) ( echo "{\"Arn\": \"$cert\"}"; cat ) | jq -s add;; 39 | chain) jq -r '(.CertificateChain)';; 40 | json) jq .;; 41 | *) jq -r '(.Certificate)';; 42 | esac 43 | -------------------------------------------------------------------------------- /cfn-templates/execution-role.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | AWSTemplateFormatVersion: "2010-09-09" 3 | Description: ACM Private CA and CRL S3 execution role 4 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 5 | # SPDX-License-Identifier: MIT-0 6 | 7 | Parameters: 8 | RoleName: 9 | Description: CloudFormation Execution Role Name 10 | Type: String 11 | AllowedPattern: "^[A-Za-z0-9_+=,\\.@-]{1,64}" 12 | 13 | Resources: 14 | ExecutionRoleAcmPcaPolicy: 15 | Type: AWS::IAM::ManagedPolicy 16 | Properties: 17 | Description: ACM Private CA and CRL S3 execution role policy 18 | ManagedPolicyName: !Sub "${RoleName}-policy" 19 | PolicyDocument: 20 | Version: "2012-10-17" 21 | Statement: 22 | - Sid: AllowAcmPca 23 | Effect: Allow 24 | Action: acm-pca:* 25 | Resource: "*" 26 | - Sid: AllowS3 27 | Effect: Allow 28 | Action: s3:* 29 | Resource: "*" 30 | - Sid: AllowRoute53 31 | Effect: Allow 32 | Action: route53:* 33 | Resource: "*" 34 | - Sid: AllowVPC 35 | Effect: Allow 36 | Action: ec2:DescribeVpcs 37 | Resource: "*" 38 | - Sid: AllowIam 39 | Effect: Allow 40 | Action: iam:* 41 | Resource: "*" 42 | - Sid: AllowLambda 43 | Effect: Allow 44 | Action: lambda:* 45 | Resource: "*" 46 | - Sid: AllowCfn 47 | Effect: Allow 48 | Action: cloudformation:* 49 | Resource: "*" 50 | 51 | ExecutionRoleAcmPca: 52 | Type: AWS::IAM::Role 53 | Properties: 54 | RoleName: !Ref RoleName 55 | AssumeRolePolicyDocument: 56 | Statement: 57 | - Effect: Allow 58 | Sid: AssumeRole 59 | Action: sts:AssumeRole 60 | Principal: 61 | Service: cloudformation.amazonaws.com 62 | ManagedPolicyArns: 63 | - !Ref ExecutionRoleAcmPcaPolicy 64 | 65 | Outputs: 66 | ExecutionRole: 67 | Value: !Ref ExecutionRoleAcmPca 68 | -------------------------------------------------------------------------------- /bin/acm-pca-issueCertificate: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 3 | # SPDX-License-Identifier: MIT-0 4 | 5 | # Defaults 6 | subj= 7 | signAlgo=SHA512WITHRSA 8 | validity=13m 9 | keyLen=4096 10 | mdHash=sha256 11 | 12 | validityExample="$validity (default), 10y, 365d etc" 13 | subjPrefix="/C=AU/ST=NSW/L=Sydney/O=My Organisation/OU=My Organisational Unit/CN=" 14 | 15 | USAGE="Usage: $(basename $0) [-s subject] [-v validity] [-a signAlgo] [-k keyLen] [-m messageDigest] pca_arn domain\n\ 16 | Issue a certificate signed by a Private CA, i.e., Certificate ARN starting with arn:aws:acm-pca:\n\ 17 | Note 1: Certificates issued by a Private CA are not listed on ACM Console. 18 | Note 2: Two files will be generated: .key and .csr 19 | \t-? Show this help text\n\ 20 | \tpca_arn ARN of Private CA used to issue the certificate\n\ 21 | \tdomain Common Name (CN) in the certificate Subject\n\ 22 | \t-v validity Validity of the certificate; e.g., $validityExample\n\ 23 | \t-s subject Full Subject of the certificate; default ${subjPrefix}\n\ 24 | \t-a signAlgo Signing algorithm; default $signAlgo\n\ 25 | Settings for openssl 26 | \t-k keyLen Key Length; default $keyLen\n\ 27 | \t-m md Message digest to sign the request with: md1, sha1, sha256; default $mdHash" 28 | 29 | usage() { echo -e "$USAGE" >&2; exit 2; } 30 | 31 | while getopts "s:v:a:k:m:" arg; do 32 | case "$arg" in 33 | s) subj=$OPTARG;; 34 | v) validity=$OPTARG;; 35 | a) signAlgo=$OPTARG;; 36 | k) keyLen=$OPTARG;; 37 | m) mdHash=$OPTARG;; 38 | esac 39 | done 40 | shift $((OPTIND-1)) 41 | 42 | pca=$1 43 | domain=$2 44 | subj=${subj:-${subjPrefix}${domain}} 45 | 46 | validityValue=${validity%?} 47 | validityType= 48 | 49 | case "${validity#$validityValue}" in 50 | d) validityType=DAYS;; 51 | m) validityType=MONTHS;; 52 | y) validityType=YEARS;; 53 | esac 54 | 55 | if [ -z "$pca" -o -z "$domain" -o -z "$validityType" ]; then 56 | usage 57 | fi 58 | 59 | validity="{\"Type\":\"${validityType}\",\"Value\":${validityValue}}" 60 | 61 | tmpB64=$(mktemp) 62 | trap "rm -f $tmpB64" EXIT 63 | 64 | openssl genrsa -out ${domain}.key $keyLen || exit 1 65 | openssl req -new -key ${domain}.key -$mdHash -nodes -subj "${subj}" > ${domain}.csr || exit 1 66 | base64 ${domain}.csr > $tmpB64 || exit 1 67 | aws acm-pca issue-certificate --certificate-authority-arn $pca --csr file://$tmpB64 --signing-algorithm $signAlgo --validity "$validity" 68 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing Guidelines 2 | 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional 4 | documentation, we greatly value feedback and contributions from our community. 5 | 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary 7 | information to effectively respond to your bug report or contribution. 8 | 9 | 10 | ## Reporting Bugs/Feature Requests 11 | 12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features. 13 | 14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already 15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful: 16 | 17 | * A reproducible test case or series of steps 18 | * The version of our code being used 19 | * Any modifications you've made relevant to the bug 20 | * Anything unusual about your environment or deployment 21 | 22 | 23 | ## Contributing via Pull Requests 24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that: 25 | 26 | 1. You are working against the latest source on the *main* branch. 27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already. 28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted. 29 | 30 | To send us a pull request, please: 31 | 32 | 1. Fork the repository. 33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change. 34 | 3. Ensure local tests pass. 35 | 4. Commit to your fork using clear commit messages. 36 | 5. Send us a pull request, answering any default questions in the pull request interface. 37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation. 38 | 39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and 40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/). 41 | 42 | 43 | ## Finding contributions to work on 44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start. 45 | 46 | 47 | ## Code of Conduct 48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 50 | opensource-codeofconduct@amazon.com with any additional questions or comments. 51 | 52 | 53 | ## Security issue notifications 54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue. 55 | 56 | 57 | ## Licensing 58 | 59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution. 60 | -------------------------------------------------------------------------------- /cfn-templates/acm-pca-sub-ca.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | AWSTemplateFormatVersion: "2010-09-09" 3 | Description: Private Subordinate Certificate Authority (CA) creation template 4 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 5 | # SPDX-License-Identifier: MIT-0 6 | 7 | Parameters: 8 | CaValidityValue: 9 | Description: Private Subordinate CA validity value; default is 3 10 | Type: Number 11 | Default: 3 12 | 13 | CaValidityType: 14 | Description: Private Subordinate CA validity time unit; default is YEARS 15 | Type: String 16 | AllowedValues: ["YEARS", "MONTHS", "DAYS"] 17 | Default: "YEARS" 18 | 19 | CaCommonName: 20 | Description: Common Name (CN) of the private Subordinate CA, e.g., Example Human Resources CA v1 21 | Type: String 22 | 23 | CaSubjectCountry: 24 | Description: Country in the private Subordinate CA Certificate Subject, e.g., AU 25 | Type: String 26 | 27 | CaSubjectState: 28 | Description: State in the private Subordinate CA Certificate Subject, e.g., New South Wales 29 | Type: String 30 | 31 | CaSubjectLocality: 32 | Description: Locality in the private Subordinate CA Certificate Subject, e.g., Sydney 33 | Type: String 34 | 35 | CaSubjectOrganization: 36 | Description: Organization in the private Subordinate CA Certificate Subject, e.g., Example Ltd 37 | Type: String 38 | 39 | CaSubjectOrganizationalUnit: 40 | Description: Organizational Unit (OU) in the private Subordinate CA Certificate Subject, e.g., Human Resources 41 | Type: String 42 | 43 | CaKeyAlgorithm: 44 | Description: Key Algorithm of the key pair the private Subordinate CA creates when issuing a certificate; default is RSA_4096 45 | Type: String 46 | AllowedValues: ["RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1"] 47 | Default: "RSA_4096" 48 | 49 | CaSigningAlgorithm: 50 | Description: Signing Algorithm the private Subordinate CA uses to sign certificate requests; default is SHA512WITHRSA 51 | Type: String 52 | AllowedValues: 53 | [ 54 | "SHA256WITHECDSA", 55 | "SHA384WITHECDSA", 56 | "SHA512WITHECDSA", 57 | "SHA256WITHRSA", 58 | "SHA384WITHRSA", 59 | "SHA512WITHRSA", 60 | ] 61 | Default: "SHA512WITHRSA" 62 | 63 | CaChainS3BucketName: 64 | Description: > 65 | Existing S3 Bucket for CloudFormation to hold the CA Chain and Template snippet; 66 | Type: String 67 | AllowedPattern: >- 68 | ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 69 | 70 | CertifyingCaArn: 71 | Description: ARN of the parent CA, i.e., the CA certifying the new Subordinate CA in activation 72 | Type: String 73 | AllowedPattern: >- 74 | ^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$ 75 | 76 | SubCaPathLen: 77 | Description: > 78 | How many levels of Subordinate CAs can be certified under this new Subordinate CA; default is 0 (no Subordinate CAs under this) 79 | Type: Number 80 | AllowedValues: [0, 1, 2, 3] 81 | Default: 0 82 | 83 | CrlExpirationInDays: 84 | Description: CRL Expiration in Days, e.g., 2 85 | Type: Number 86 | Default: 2 87 | 88 | CrlCname: 89 | Description: > 90 | CRL Canonical Name (Cname), e.g., crl.pca.example.int 91 | (a globally unique name even privately hosted, as the CRL hosting S3 bucket needs to have a globally unique name) 92 | Type: String 93 | AllowedPattern: >- 94 | ^[a-z0-9][a-z0-9-\.]{2,62}$ 95 | # Needs to align with S3 bucket naming pattern instead of the FQDN one: "^(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$" 96 | 97 | CrlCnameIsNew: 98 | Description: > 99 | Is the CRL Cname new? 100 | Select YES if you want to create a new CRL Cname, or 101 | NO if the specified CRL Cname already exists (e.g., a shared CrlCname) 102 | Type: String 103 | AllowedValues: ["YES", "NO"] 104 | Default: "YES" 105 | 106 | CrlPrivateZoneId: 107 | Description: CRL Private Zone ID, i.e., the Zone ID of the Private Zone where CrlCname is hosted. 108 | Type: AWS::Route53::HostedZone::Id 109 | 110 | Conditions: 111 | crlNew: !Equals 112 | - !Ref CrlCnameIsNew 113 | - "YES" 114 | 115 | Resources: 116 | ############################################################ 117 | # 118 | # Sub CA 119 | # 120 | SubCa: 121 | Type: AWS::ACMPCA::CertificateAuthority 122 | DependsOn: CrlS3BucketPolicy 123 | Properties: 124 | Type: "SUBORDINATE" 125 | Subject: 126 | CommonName: !Ref CaCommonName 127 | Country: !Ref CaSubjectCountry 128 | Locality: !Ref CaSubjectLocality 129 | Organization: !Ref CaSubjectOrganization 130 | OrganizationalUnit: !Ref CaSubjectOrganizationalUnit 131 | State: !Ref CaSubjectState 132 | RevocationConfiguration: 133 | CrlConfiguration: 134 | CustomCname: !Ref CrlCname 135 | Enabled: true 136 | ExpirationInDays: !Ref CrlExpirationInDays 137 | S3BucketName: !Ref CrlS3Bucket 138 | KeyAlgorithm: !Ref CaKeyAlgorithm 139 | SigningAlgorithm: !Ref CaSigningAlgorithm 140 | UpdateReplacePolicy: Retain 141 | DeletionPolicy: Retain 142 | 143 | SubCaCert: 144 | Type: AWS::ACMPCA::Certificate 145 | Properties: 146 | TemplateArn: !Sub "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen${SubCaPathLen}/V1" 147 | CertificateAuthorityArn: !Ref CertifyingCaArn 148 | CertificateSigningRequest: !GetAtt SubCa.CertificateSigningRequest 149 | SigningAlgorithm: !Ref CaSigningAlgorithm 150 | Validity: 151 | Type: !Ref CaValidityType 152 | Value: !Ref CaValidityValue 153 | 154 | SubCaCertActivation: 155 | Type: AWS::ACMPCA::CertificateAuthorityActivation 156 | Properties: 157 | Certificate: !GetAtt SubCaCert.Certificate 158 | CertificateAuthorityArn: !GetAtt SubCa.Arn 159 | Fn::Transform: 160 | Name: AWS::Include 161 | Parameters: 162 | Location: !Join 163 | - "" 164 | - - "s3://" 165 | - !Ref CaChainS3BucketName 166 | - "/pca/" 167 | - !Select [1, !Split ["/", !Ref CertifyingCaArn]] 168 | - "-cfn.yaml" 169 | 170 | ############################################################ 171 | # 172 | # CRL Related Resources (Common code for Subordinate CA creation) 173 | # 174 | 175 | # Unconditional (even crlNew is False) to satisfy SubCa dependency 176 | CrlS3BucketPolicy: 177 | Type: AWS::S3::BucketPolicy 178 | Properties: 179 | Bucket: !Ref CrlS3Bucket 180 | PolicyDocument: 181 | Statement: 182 | - Effect: Allow 183 | Principal: 184 | Service: acm-pca.amazonaws.com 185 | Action: 186 | - s3:GetObject* 187 | - s3:GetBucket* 188 | - s3:List* 189 | - s3:PutObject 190 | - s3:PutObjectAcl 191 | Resource: 192 | - !Sub "arn:aws:s3:::${CrlS3Bucket}" 193 | - !Sub "arn:aws:s3:::${CrlS3Bucket}/*" 194 | Condition: 195 | StringEquals: 196 | "AWS:SourceAccount": !Ref "AWS::AccountId" 197 | - Effect: Allow 198 | Principal: 199 | AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" 200 | Action: s3:* 201 | Resource: 202 | - !Sub "arn:aws:s3:::${CrlS3Bucket}/*" 203 | - !Sub "arn:aws:s3:::${CrlS3Bucket}" 204 | Condition: 205 | StringEquals: 206 | "AWS:SourceAccount": !Ref "AWS::AccountId" 207 | 208 | CrlS3Bucket: 209 | Type: AWS::S3::Bucket 210 | Condition: crlNew 211 | Properties: 212 | BucketName: !Ref CrlCname 213 | BucketEncryption: 214 | ServerSideEncryptionConfiguration: 215 | - ServerSideEncryptionByDefault: 216 | SSEAlgorithm: AES256 217 | WebsiteConfiguration: 218 | IndexDocument: index.crl # Dummy value 219 | VersioningConfiguration: 220 | Status: Enabled 221 | DeletionPolicy: Retain 222 | 223 | CaCrlCname: 224 | Type: AWS::Route53::RecordSet 225 | Condition: crlNew 226 | Properties: 227 | HostedZoneId: !Ref CrlPrivateZoneId 228 | Name: !Ref CrlCname 229 | ResourceRecords: 230 | - !Sub "${CrlCname}.s3-website-${AWS::Region}.amazonaws.com" 231 | TTL: 900 232 | Type: CNAME 233 | DeletionPolicy: Retain 234 | 235 | ############################################################ 236 | # 237 | # CA Chain Upload 238 | # 239 | CaChainLambdaInvoke: 240 | Type: AWS::CloudFormation::CustomResource 241 | Version: "1.0" 242 | DependsOn: SubCaCertActivation 243 | Properties: 244 | ServiceToken: !ImportValue CaChainLambdaArn 245 | FunctionName: index.handler 246 | CaArn: !GetAtt SubCa.Arn 247 | 248 | Outputs: 249 | SubCaArn: 250 | Value: !GetAtt SubCa.Arn 251 | 252 | SubCaCertCert: 253 | Value: !GetAtt SubCaCert.Certificate 254 | 255 | CrlS3BucketRef: 256 | Condition: crlNew 257 | Value: !Ref CrlS3Bucket 258 | 259 | CaCrlCnameRef: 260 | Condition: crlNew 261 | Value: !Ref CaCrlCname 262 | -------------------------------------------------------------------------------- /cfn-templates/acm-pca-root-ca.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | AWSTemplateFormatVersion: "2010-09-09" 3 | Description: Private Root Certificate Authority (CA) creation template 4 | # Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. 5 | # SPDX-License-Identifier: MIT-0 6 | 7 | Parameters: 8 | CaValidityValue: 9 | Description: Private Root CA validity value; default is 10 10 | Type: Number 11 | Default: 10 12 | 13 | CaValidityType: 14 | Description: Private Root CA validity time unit; default is YEARS 15 | Type: String 16 | AllowedValues: ["YEARS", "MONTHS", "DAYS"] 17 | Default: "YEARS" 18 | 19 | CaCommonName: 20 | Description: Common Name (CN) of the private Root CA, e.g., Example Ltd Root CA v1 21 | Type: String 22 | 23 | CaSubjectCountry: 24 | Description: Country in the private Root CA Certificate Subject, e.g., AU 25 | Type: String 26 | 27 | CaSubjectLocality: 28 | Description: Locality in the private Root CA Certificate Subject, e.g., Sydney 29 | Type: String 30 | 31 | CaSubjectState: 32 | Description: State in the private Root CA Certificate Subject, e.g., New South Wales 33 | Type: String 34 | 35 | CaSubjectOrganization: 36 | Description: Organization in the private Root CA Certificate Subject, e.g., Example Ltd 37 | Type: String 38 | 39 | CaSubjectOrganizationalUnit: 40 | Description: Organizational Unit (OU) in the private Root CA Certificate Subject, e.g., Enterprise Cloud 41 | Type: String 42 | 43 | CaKeyAlgorithm: 44 | Description: Key Algorithm of the key pair the private Root CA creates when issuing a certificate; default is RSA_4096 45 | Type: String 46 | AllowedValues: ["RSA_2048", "RSA_4096", "EC_prime256v1", "EC_secp384r1"] 47 | Default: "RSA_4096" 48 | 49 | CaSigningAlgorithm: 50 | Description: Signing Algorithm the private Root CA uses to sign certificate requests; default is SHA512WITHRSA 51 | Type: String 52 | AllowedValues: 53 | [ 54 | "SHA256WITHECDSA", 55 | "SHA384WITHECDSA", 56 | "SHA512WITHECDSA", 57 | "SHA256WITHRSA", 58 | "SHA384WITHRSA", 59 | "SHA512WITHRSA", 60 | ] 61 | Default: "SHA512WITHRSA" 62 | 63 | CaChainS3BucketName: 64 | Description: > 65 | S3 Bucket to be created for CloudFormation to hold the CA Chain and Template snippet; 66 | Type: String 67 | AllowedPattern: >- 68 | ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ 69 | 70 | CrlExpirationInDays: 71 | Description: CRL Expiration in Days, e.g., 2 72 | Type: Number 73 | Default: 2 74 | 75 | CrlCname: 76 | Description: > 77 | CRL Canonical Name (Cname), e.g., crl.pca.example.int 78 | (a globally unique name even privately hosted, as the CRL hosting S3 bucket needs to have a globally unique name) 79 | Type: String 80 | AllowedPattern: >- 81 | ^[a-z0-9][a-z0-9-\.]{2,62}$ 82 | # Needs to align with S3 bucket naming pattern instead of the FQDN one: "^(((?!-)[A-Za-z0-9-]{0,62}[A-Za-z0-9])\.)+((?!-)[A-Za-z0-9-]{1,62}[A-Za-z0-9])$" 83 | 84 | CrlPrivateZoneId: 85 | Description: CRL Private Zone ID, i.e., the Zone ID of the Private Zone where CrlCname is hosted. 86 | Type: AWS::Route53::HostedZone::Id 87 | 88 | Resources: 89 | ############################################################ 90 | # 91 | # Root CA 92 | # 93 | RootCa: 94 | Type: AWS::ACMPCA::CertificateAuthority 95 | DependsOn: CrlS3BucketPolicy 96 | Properties: 97 | Type: "ROOT" 98 | Subject: 99 | CommonName: !Ref CaCommonName 100 | Country: !Ref CaSubjectCountry 101 | Locality: !Ref CaSubjectLocality 102 | Organization: !Ref CaSubjectOrganization 103 | OrganizationalUnit: !Ref CaSubjectOrganizationalUnit 104 | State: !Ref CaSubjectState 105 | RevocationConfiguration: 106 | CrlConfiguration: 107 | CustomCname: !Ref CaCrlCname 108 | Enabled: true 109 | ExpirationInDays: !Ref CrlExpirationInDays 110 | S3BucketName: !Ref CrlS3Bucket 111 | KeyAlgorithm: !Ref CaKeyAlgorithm 112 | SigningAlgorithm: !Ref CaSigningAlgorithm 113 | UpdateReplacePolicy: Retain 114 | DeletionPolicy: Retain 115 | 116 | RootCaCert: 117 | Type: AWS::ACMPCA::Certificate 118 | Properties: 119 | TemplateArn: arn:aws:acm-pca:::template/RootCACertificate/V1 120 | CertificateAuthorityArn: !GetAtt RootCa.Arn 121 | CertificateSigningRequest: !GetAtt RootCa.CertificateSigningRequest 122 | SigningAlgorithm: !Ref CaSigningAlgorithm 123 | Validity: 124 | Type: !Ref CaValidityType 125 | Value: !Ref CaValidityValue 126 | 127 | RootCaCertActivation: 128 | Type: AWS::ACMPCA::CertificateAuthorityActivation 129 | Properties: 130 | Certificate: !GetAtt RootCaCert.Certificate 131 | CertificateAuthorityArn: !GetAtt RootCa.Arn 132 | 133 | ############################################################ 134 | # 135 | # CRL Related Resources (Common code for Subordinate CA creation) 136 | # 137 | CrlS3BucketPolicy: 138 | Type: AWS::S3::BucketPolicy 139 | Properties: 140 | Bucket: !Ref CrlS3Bucket 141 | PolicyDocument: 142 | Statement: 143 | - Effect: Allow 144 | Principal: 145 | Service: acm-pca.amazonaws.com 146 | Action: 147 | - s3:GetObject* 148 | - s3:GetBucket* 149 | - s3:List* 150 | - s3:PutObject 151 | - s3:PutObjectAcl 152 | Resource: 153 | - !Sub "arn:aws:s3:::${CrlS3Bucket}" 154 | - !Sub "arn:aws:s3:::${CrlS3Bucket}/*" 155 | Condition: 156 | StringEquals: 157 | "AWS:SourceAccount": !Ref "AWS::AccountId" 158 | - Effect: Allow 159 | Principal: 160 | AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" 161 | Action: s3:* 162 | Resource: 163 | - !Sub "arn:aws:s3:::${CrlS3Bucket}/*" 164 | - !Sub "arn:aws:s3:::${CrlS3Bucket}" 165 | Condition: 166 | StringEquals: 167 | "AWS:SourceAccount": !Ref "AWS::AccountId" 168 | 169 | CrlS3Bucket: 170 | Type: AWS::S3::Bucket 171 | Properties: 172 | BucketName: !Ref CrlCname 173 | BucketEncryption: 174 | ServerSideEncryptionConfiguration: 175 | - ServerSideEncryptionByDefault: 176 | SSEAlgorithm: AES256 177 | WebsiteConfiguration: 178 | IndexDocument: index.crl # Dummy value 179 | VersioningConfiguration: 180 | Status: Enabled 181 | DeletionPolicy: Retain 182 | 183 | CaCrlCname: 184 | Type: AWS::Route53::RecordSet 185 | Properties: 186 | HostedZoneId: !Ref CrlPrivateZoneId 187 | Name: !Ref CrlCname 188 | ResourceRecords: 189 | - !Sub "${CrlCname}.s3-website-${AWS::Region}.amazonaws.com" 190 | TTL: 900 191 | Type: CNAME 192 | DeletionPolicy: Retain 193 | 194 | ############################################################ 195 | # 196 | # CA Chain Related Resources (Pre-requisites for Subordinate CA creation) 197 | # 198 | CaChainS3Bucket: 199 | Type: AWS::S3::Bucket 200 | Properties: 201 | BucketName: !Ref CaChainS3BucketName 202 | BucketEncryption: 203 | ServerSideEncryptionConfiguration: 204 | - ServerSideEncryptionByDefault: 205 | SSEAlgorithm: AES256 206 | VersioningConfiguration: 207 | Status: Enabled 208 | DeletionPolicy: Retain 209 | 210 | CaChainS3BucketPolicy: 211 | Type: AWS::S3::BucketPolicy 212 | Properties: 213 | Bucket: !Ref CaChainS3Bucket 214 | PolicyDocument: 215 | Statement: 216 | - Effect: Allow 217 | Principal: 218 | AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" 219 | Action: s3:* 220 | Resource: 221 | - !Sub "arn:aws:s3:::${CaChainS3Bucket}/*" 222 | - !Sub "arn:aws:s3:::${CaChainS3Bucket}" 223 | Condition: 224 | StringEquals: 225 | "AWS:SourceAccount": !Ref "AWS::AccountId" 226 | 227 | CaChainLambda: 228 | Type: AWS::Lambda::Function 229 | Properties: 230 | Description: Lambda function to return the CA Chain 231 | Code: 232 | ZipFile: !Sub | 233 | import boto3 234 | import sys 235 | import os 236 | import re 237 | import json 238 | import cfnresponse 239 | 240 | def handler(event, context): 241 | print(json.dumps(event)) 242 | if 'RequestType' in event and event['RequestType'] == 'Delete': 243 | cfnresponse.send(event, context, cfnresponse.SUCCESS, {}) 244 | 245 | try: 246 | caArn = event['ResourceProperties']['CaArn'] 247 | caId = re.sub(r"^.*/", "", caArn) 248 | 249 | client = boto3.client('acm-pca') 250 | caCertJson = client.get_certificate_authority_certificate( 251 | CertificateAuthorityArn=caArn 252 | ) 253 | print(json.dumps(caCertJson)) 254 | caCert = '' 255 | caChain = '' 256 | if 'Certificate' in caCertJson: 257 | caCert = caCertJson['Certificate'] + '\n' 258 | if 'CertificateChain' in caCertJson: 259 | caChain = caCertJson['CertificateChain'] + '\n' 260 | caCertChain = caCert + caChain 261 | objPrefix = 'pca/' + caId 262 | 263 | s3 = boto3.client('s3') 264 | s3.put_object( 265 | Bucket=os.environ['CaChainS3Bucket'], 266 | Body=caCertChain, 267 | Key=objPrefix + '-chain.pem', 268 | ) 269 | s3.put_object( 270 | Bucket=os.environ['CaChainS3Bucket'], 271 | Body='CertificateChain: |\n ' + caCertChain.strip().replace('\n', '\n ') + '\n', 272 | Key=objPrefix + '-cfn.yaml', 273 | ) 274 | 275 | # 4k limit in response 276 | responseData = { 277 | 'ObjectPrefix': objPrefix 278 | } 279 | print(json.dumps(responseData)) 280 | cfnresponse.send(event, context, cfnresponse.SUCCESS, responseData) 281 | 282 | except: 283 | print(f"Unexpected error: {sys.exc_info()}") 284 | cfnresponse.send(event, context, cfnresponse.SUCCESS, {}) 285 | 286 | return None 287 | Handler: index.handler 288 | Environment: 289 | Variables: 290 | CaChainS3Bucket: !Ref CaChainS3Bucket 291 | Runtime: python3.8 292 | Timeout: 30 293 | Role: !GetAtt CaChainLambdaExecutionRole.Arn 294 | 295 | CaChainLambdaExecutionRole: 296 | Type: AWS::IAM::Role 297 | Properties: 298 | AssumeRolePolicyDocument: 299 | Version: "2012-10-17" 300 | Statement: 301 | - Effect: Allow 302 | Principal: 303 | Service: 304 | - lambda.amazonaws.com 305 | Action: 306 | - sts:AssumeRole 307 | Path: "/" 308 | Policies: 309 | - PolicyName: lambda-logging 310 | PolicyDocument: 311 | Version: "2012-10-17" 312 | Statement: 313 | - Effect: Allow 314 | Action: 315 | - logs:CreateLogGroup 316 | - logs:CreateLogStream 317 | - logs:PutLogEvents 318 | Resource: arn:aws:logs:*:*:* 319 | - PolicyName: acm-pca 320 | PolicyDocument: 321 | Version: "2012-10-17" 322 | Statement: 323 | - Effect: Allow 324 | Action: 325 | - acm-pca:GetCertificateAuthorityCertificate 326 | Resource: !Sub "arn:aws:acm-pca:*:${AWS::AccountId}:certificate-authority/*" 327 | - PolicyName: s3-putobj 328 | PolicyDocument: 329 | Version: "2012-10-17" 330 | Statement: 331 | - Effect: Allow 332 | Action: s3:PutObject 333 | Resource: 334 | - !Sub "arn:aws:s3:::${CaChainS3Bucket}/pca/*" 335 | 336 | CaChainLambdaInvoke: 337 | Type: AWS::CloudFormation::CustomResource 338 | Version: "1.0" 339 | DependsOn: RootCaCertActivation 340 | Properties: 341 | ServiceToken: !GetAtt CaChainLambda.Arn 342 | FunctionName: index.handler 343 | CaArn: !GetAtt RootCa.Arn 344 | 345 | Outputs: 346 | RootCaArn: 347 | Value: !GetAtt RootCa.Arn 348 | 349 | RootCaCertCert: 350 | Value: !GetAtt RootCaCert.Certificate 351 | 352 | CrlS3BucketRef: 353 | Value: !Ref CrlS3Bucket 354 | 355 | CaCrlCnameRef: 356 | Value: !Ref CaCrlCname 357 | 358 | CaChainS3BucketRef: 359 | Value: !Ref CaChainS3Bucket 360 | Export: 361 | Name: "CaChainS3Bucket" 362 | 363 | CaChainLambdaArn: 364 | Value: !GetAtt CaChainLambda.Arn 365 | Export: 366 | Name: "CaChainLambdaArn" 367 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # AWS Certificate Manager (ACM) Private Certificate Authority (PCA) Hierarchy Deployment 2 | 3 | This is a step-by-step guide to deploy an AWS Certificate Manager (ACM) Private Certificate Authority (PCA) hierarchy, which is a pre-requisite for you to automate the issuing and renewing of private certificates for [AWS services integrated with ACM](https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html): 4 | 5 | - Elastic Load Balancing 6 | - Amazon CloudFront 7 | - AWS Elastic Beanstalk 8 | - Amazon API Gateway 9 | - AWS Nitro Enclaves (for EC2 instances connected to a Nitro Enclave) 10 | 11 | You can use AWS CloudFormation to handle ACM Private Certificate provisioning (not part of this repository). 12 | 13 | At the top of the CA (Certificate Authority) hierarchy is the Root CA, which is used to certify first-level Subordinate CAs. To create a Root CA, please use the CloudFormation template `acm-pca-root-ca.yaml`. 14 | 15 | A Subordinate CA is certified by a parent CA, which is either the Root CA or another Subordinate CA. To create a Subordinate CA, please use the CloudFormation template `acm-pca-sub-ca.yaml`. 16 | 17 | ## Prerequisites 18 | 19 | - Private Hosted Zone for the Certificate Revocation List (CRL) Cname 20 | - Each ACM PCA stores its CRL in an S3 bucket under object prefix `crl/.crl`. It is a best practice to use a Canonical Name (Cname) instead of exposing the S3 bucket, e.g., `http:///crl/.crl`. The CRL Cname record is to be created in the CRL Private Hosted Zone, e.g., `crl.example.int` created in private hosted zone `example.int`. 21 | - Note: The CRL private hosted zone does not need to be related to the domain names the private certificates are issued in. e.g., A certificate of Common Name (CN) `myapp.example.int` may have a CRL Cname being `crl.pca.corporate.com`. i.e., You may share CRL Cname across CAs. 22 | - You may use CloudFormation template `private-hosted-zone.yaml` to create a private hosted zone if you do not already have one. 23 | - Execution role (Optional) 24 | - You may use CloudFormation template `execution-role.yaml` to create the execution role with permissions required to create the ACM PCA stack. 25 | 26 | ## Step-by-step guide 27 | 28 | All CloudFormation templates are under `cfn-templates/`. 29 | 30 | ### Root CA 31 | 32 | 1. Create the Root CA stack 33 | - Open the CloudFormation console 34 | - Click "Create stack" and select "With new resources (standard)" 35 | - Select "Upload a template file" 36 | - Click "Choose file" 37 | - Upload CloudFormation template: `acm-pca-root-ca.yaml` 38 | - Click "Next" 39 | - Enter the stack details and note the following: 40 | - CaChainS3BucketName: S3 Bucket to be created for CloudFormation to hold the CA Chain and Template snippet 41 | - CaValidityValue and CaValidityType: How long the CA is valid for; Recommend to use a long period for the Root CA; default is 10 YEARS 42 | - CrlCname: CRL Canonical Name (Cname) to the CRL hosting S3 bucket (a globally unique name), e.g., crl.pca.example.int 43 | - CrlPrivateZoneId: Zone ID of the Private Hosted Zone where CrlCname is hosted 44 | - Click "Next" 45 | - Select and IAM role if required 46 | - Click "Next" 47 | - Confirm 48 | - "I acknowledge that AWS CloudFormation might create IAM resources." 49 | - Click "Create stack" 50 | 2. Wait until the stack creation is complete 51 | 3. From the Resources tab, note down `` from the "Physical ID" column of the "RootCa" row, and use it to certify first level Subordinate CAs 52 | 4. Verify the Root CA: `bin/acm-pca-listPcas Type Status CertificateAuthorityConfiguration.Subject.CommonName` 53 | 54 | ### Subordinate CA 55 | 56 | 1. Create the Subordinate CA stack 57 | - Open the CloudFormation console 58 | - Click "Create stack" and select "With new resources (standard)" 59 | - Select "Upload a template file" 60 | - Click "Choose file" 61 | - Upload CloudFormation template: `acm-pca-sub-ca.yaml` 62 | - Click "Next" 63 | - Enter the stack details and note the following: 64 | - CaChainS3BucketName: Existing S3 Bucket for CloudFormation to hold the CA Chain and Template snippet 65 | - CaValidityValue and CaValidityType: How long the CA is valid for; A subordinate CA must not outlive its parent CA; i.e., must expire before its parent CA does 66 | - CertifyingCaArn: `` 67 | - CrlCname: CRL Canonical Name (Cname) to the CRL hosting S3 bucket (a globally unique name), e.g., crl.pca.example.int 68 | - CrlCnameIsNew: Select YES if you want to create a new CRL Cname, or NO if the specified CRL Cname already exists (e.g., a shared CrlCname) 69 | - CrlPrivateZoneId: Zone ID of the Private Zone where CrlCname is hosted 70 | - SubCaPathLen: How many levels of Subordinate CAs can be certified under this new Subordinate CA; default is 0 (no Subordinate CAs under this) 71 | - Click "Next" 72 | - Select and IAM role if required 73 | - Click "Next" 74 | - Confirm 75 | - "I acknowledge that AWS CloudFormation might create IAM resources." 76 | - "I acknowledge that AWS CloudFormation might create IAM resources with custom names." 77 | - "I acknowledge that AWS CloudFormation might require the following capability: CAPABILITY_AUTO_EXPAND" 78 | - Click "Create stack" 79 | 2. Wait until the stack creation is complete 80 | 3. From the Resources tab, note down `` from the "Physical ID" column of the "SubCa" row, and use it to certify next level of Subordinate CAs if required 81 | 4. Verify the Subordinate CA: `bin/acm-pca-listPcas Type Status CertificateAuthorityConfiguration.Subject.CommonName` 82 | 5. Repeat the above to create more subordinate CAs if required 83 | 84 | ## Useful Tips and Tools 85 | 86 | Under the `bin/` directory, there are some useful Shell scripts as a simplified alternative to using AWS CLI. They can also serve as a guide to learn ACM related AWS CLI and OpenSSL commands. 87 | 88 | Generally, entering the command without parameters will show the help text. For commands that allow no parameters, option `-?` will show the help text (e.g., `bin/acm-pca-listPcas -?`). 89 | 90 | ### List all private CAs 91 | 92 | `bin/acm-pca-listPcas Type Status CertificateAuthorityConfiguration.Subject.CommonName` 93 | 94 | Use option `-j` to show all details in JSON, and `-a` to include deleted CAs as well. 95 | 96 | ### Verify the private CAs from the AWS Console 97 | 1. Open the Certificate Manager console 98 | 2. Click the "Private CAs" menu 99 | 3. Find the "Active" Private CAs 100 | 4. Check if the PCA ARN matches the Resources created in the CloudFormation stack 101 | 102 | ### Verify the CA Certificate 103 | 104 | Here `` is an arbitrary name that you want to use to name the output file. 105 | 106 | ``` 107 | bin/acm-pca-getCaCertificate > -ca.cert 108 | ``` 109 | 110 | Use `bin/certText -ca.cert | less` to show the certificate details. 111 | 112 | ### Verify the CA Chain 113 | 114 | Here `` is an arbitrary name you want to use for the CA file path. 115 | 116 | ``` 117 | bin/acm-pca-getCaCertificate -c > -chain.cert 118 | ``` 119 | 120 | You may also download the CA Certificate and Chain in one file from the S3 bucket. 121 | 122 | ``` 123 | aws s3 cp s3:///pca/-chain.pem -chain.cert 124 | ``` 125 | 126 | Use `bin/chainText -chain.cert | less` to show the chain. Use option `-a` to show details of each certificate in the CA chain. 127 | 128 | Note: The CA Chain of the first-level subordinate CAs is the same as the Root CA Certificate. e.g., `root-ca.cert` is the same as `sub-level-1-chain.cert`. 129 | 130 | ### Verify issuing capability 131 | 132 | #### Request a certificate (with default settings) 133 | 134 | Request a certificate using the default settings: a 13-month validity and a simple Subject `CN = `. 135 | 136 | ``` 137 | bin/acm-requestCertificate 138 | ``` 139 | Output 140 | ``` 141 | { 142 | "CertificateArn": "" 143 | } 144 | ``` 145 | 146 | Get the certificate 147 | 148 | ``` 149 | bin/acm-getCertificate > .cert 150 | bin/certText .cert | less 151 | ``` 152 | Note down the serial number, e.g., ff:d8:fc:70:5e:2f:3e:1c:fc:58:4e:fa:73:32:c6:a7 153 | 154 | Find the certificate on the Certificate manager console and verify the ARN and serial number. 155 | 156 | #### Issue a certificate 157 | 158 | Issue a certificate by generating the private key and certificate signing request (CSR) locally. 159 | 160 | ``` 161 | bin/acm-pca-issueCertificate -s -v 162 | ``` 163 | 164 | Output 165 | 166 | ``` 167 | { 168 | "CertificateArn": "" 169 | } 170 | ``` 171 | 172 | Get the certificate 173 | 174 | ``` 175 | bin/acm-pca-getCertificate > .cert 176 | bin/certText .cert | less 177 | ``` 178 | 179 | Note down the serial number, e.g., 79:57:43:a0:4a:9a:2c:33:b4:8f:96:8f:bb:00:f9:93 180 | 181 | Certificates issued using `bin/acm-pca-issueCertificate` are *not* managed by ACM, which means such certificates 182 | 183 | - are not renewable by ACM (and does not appear on the ACM console) 184 | - with no private key kept in ACM (If you tried to export the certificate, it will show an error that the certificate ARN is not valid.) 185 | - with a certificate ARN in the format of `/certificate/` (prefixed by Prinvate CA ARN) 186 | - can be retrieved using `bin/acm-pca-getCertificate` (instead of `bin/acm-getCertificate` because the Certificate ARN does not exist in ACM) 187 | 188 | Here is the full help text of `acm-pca-issueCertificate`: 189 | 190 | ``` 191 | Usage: acm-pca-issueCertificate [-s subject] [-v validity] [-a signAlgo] [-k keyLen] [-m messageDigest] pca_arn domain 192 | Issue a certificate signed by a Private CA, i.e., Certificate ARN starting with arn:aws:acm-pca: 193 | Note 1: Certificates issued by a Private CA are not listed on ACM Console. 194 | Note 2: Two files will be generated: .key and .csr 195 | -? Show this help text 196 | pca_arn ARN of Private CA used to issue the certificate 197 | domain Common Name (CN) in the certificate Subject 198 | -v validity Validity of the certificate; e.g., 13m (default), 10y, 365d etc 199 | -s subject Full Subject of the certificate; default /C=AU/ST=NSW/L=Sydney/O=My Organisation/OU=My Organisational Unit/CN= 200 | -a signAlgo Signing algorithm; default SHA512WITHRSA 201 | Settings for openssl 202 | -k keyLen Key Length; default 4096 203 | -m md Message digest to sign the request with: md1, sha1, sha256; default sha256 204 | ``` 205 | 206 | #### Verify CRL 207 | 208 | ``` 209 | curl http:///crl/.crl --output .crl 210 | ``` 211 | 212 | If you cannot resolve ``, you may check the Cname record value on Route53 and substitute `` with the Cname value in your curl command. 213 | 214 | You may also download the CRL from the S3 bucket. 215 | 216 | ``` 217 | aws s3 cp s3:///crl/.crl .crl 218 | ``` 219 | 220 | View the CRL file 221 | ``` 222 | bin/crlText .crl | less 223 | ``` 224 | The following line indicates that there are no certificates being revoked. 225 | ``` 226 | No Revoked Certificates. 227 | ``` 228 | 229 | ### Revoke a certificate 230 | ``` 231 | bin/acm-pca-revokeCertificate 232 | ``` 233 | Reason code is one of the following: 234 | - AFFILIATION_CHANGED 235 | - CESSATION_OF_OPERATION 236 | - A_A_COMPROMISE 237 | - PRIVILEGE_WITHDRAWN 238 | - SUPERSEDED 239 | - UNSPECIFIED 240 | - KEY_COMPROMISE 241 | - CERTIFICATE_AUTHORITY_COMPROMISE 242 | 243 | Please allow up to 30 minutes for the CA to update the CRL. After the CRL is updated, you may download the CRL file to verify. 244 | 245 | ``` 246 | aws s3 cp s3:///crl/.crl .crl 247 | ``` 248 | 249 | View the CRL file. 250 | ``` 251 | bin/crlText .crl | less 252 | ``` 253 | Under "Revoked Certificates" the revoked certificate will be shown. For example, 254 | ``` 255 | Revoked Certificates: 256 | Serial Number: 795743A04A9A2C33B48F968FBB00F993 257 | Revocation Date: Mar 3 01:43:35 2021 GMT 258 | CRL entry extensions: 259 | X509v3 CRL Reason Code: 260 | Superseded 261 | ``` 262 | 263 | Note: Revocations will not be shown on the ACM console. You can download and verify the CRL using the above tools. 264 | 265 | ### Delete a CA 266 | 267 | *Warning*: ACM Private CA costs US$400/month pro-rated. It is recommended to delete test Private CAs when it is no longer needed. 268 | 269 | - Delete the private CA stack first 270 | - The Private CA will be in the DISABLED state. 271 | - Delete the private CA using `bin/acm-pca-deletePca ` 272 | ```bash 273 | Private CA: ... 274 | Old Status: ACTIVE 275 | Action: Disable now 276 | New Status: DELETED 277 | Action: To be deleted in 7 days 278 | ``` 279 | 280 | Please note that deleting a private CA does not invalidate the certificates the private CA has already signed before the deletion. 281 | If you want to revoke some certificates signed by the deleted CA, you need to do so before you delete the private CA, and keep the CRL S3 Bucket website hosting intact, so that the CRL URL remains accessible for revocation verification. 282 | 283 | A quick way to revoke all certificates signed by any private CAs in the hierarchy is to have the root CA revoke the second-level private CAs and keep the root CA CRL S3 Bucket intact. After that, you may remove all private CAs in the hierarcy. 284 | 285 | For the above reason, in the CloudFormation templates, the deletion policy of the CRL Cname and S3 Bucket is set to `Retain`, so that private CA stack deletion will not affect the CRL. If you no longer need the CRL of a deleted private CA (e.g., after all certificates the deleted private CA revoked have expired), you may delete the CRL Cname and S3 Bucket manually. 286 | --------------------------------------------------------------------------------