thien k phan

Secure internal services with SSL using AWS private hosted zone with private certificate

Step 1:
Generate your Private CA on AWS Certificate Manager
Step 2:
Generates a CSR and a private key for a certificate by using OpenSSL:
The directory now includes:
  • private-key.pem
  • csr.pem
Keep these 2 files, we will use it later.
Step 3:
Inspect the csr.pem:
Step 4:
Issue the certificate using issue-certificate command:
The issues certificate will not live in AWS Certificate Manager immediately, after the creation it will just hanging around the VPC until you actually import it manually into the AWS Certificate
The following output will show:
AWS Private CA immediately returns an ARN with a serial number when it receives the issue-certificate command. However, certificate processing happens asynchronously and can still fail. If this happens, a get-certificate command using the new ARN will also fail.
Step 5:
Save the certificate body and certificate chain as .pem files using the following commands (use the certificate arn above)
  • Certificate chain:
  • Certificate body:
Step 6: The actual import of certificate:
Two ways:
Step 7:
Finally attach the created private certificate to any AWS Integrated Services, in this case I will attach it with a target listener on port 443. Route53 domain A record needs to be configured as well.
notion image