thien k phan

Secure internal services with SSL using AWS private hosted zone with private certificate

Step 1:
Generate your Private CA on AWS Certificate Manager
Step 2:
Generate a CSR and a private key for the certificate using OpenSSL:
openssl req -out csr.pem -new -newkey rsa:2048 -nodes -keyout private-key.pem
The directory now includes:
  • private-key.pem
  • csr.pem
Keep these two files; we will use them later.
Step 3:
Inspect the csr.pem:
openssl req -in csr.pem -text -noout
 
Step 4:
Issue the certificate using the issue-certificate command:
aws acm-pca issue-certificate --certificate-authority-arn arn:aws:acm-pca:us-west-2:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012 --csr file://csr.pem --signing-algorithm "SHA256WITHRSA" --validity Value=300,Type="DAYS" --idempotency-token 1234
💡
The issued certificate will not appear in AWS Certificate Manager immediately; after creation it just hangs around in the VPC until you actually import it manually into AWS Certificate Manager.
The command returns the new certificate's ARN:
{ "CertificateArn":"arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/certificate_ID" }
💡
AWS Private CA immediately returns an ARN with a serial number when it receives the issue-certificate command. However, certificate processing happens asynchronously and can still fail. If this happens, a get-certificate command using the new ARN will also fail.
 
Step 5:
Save the certificate body and the certificate chain as .pem files using the following commands (use the certificate ARN returned above):
  • Certificate chain:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query CertificateChain > certchain.pem
  • Certificate body:
aws acm-pca get-certificate --certificate-authority-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012 --certificate-arn arn:aws:acm-pca:Region:Account:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/66506378eb4e296c59b41bbb7b8dd068 --output text --query Certificate > certfile.pem
 
Step 6: The actual import of the certificate into ACM:
Two ways:
aws acm import-certificate --certificate fileb://certfile.pem --private-key file://private-key.pem --certificate-chain file://certchain.pem
 
Step 7:
Finally, attach the created private certificate to any ACM-integrated AWS service; in this case I attach it to a target listener on port 443. The Route 53 A record for the domain in the private hosted zone needs to be configured as well.
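Because issuance in Step 4 is asynchronous, and because an import in Step 6 only works when key, certificate and chain belong together, it is worth waiting for the certificate and checking the files offline before importing. The following is an added example, not part of the original page: it assumes openssl and the AWS CLI are on PATH, that the ARNs are the ones returned by Step 4, and that the host name is the one the Route 53 record in Step 7 will point at (the function names wait_and_fetch and check_cert_material are my own).

```shell
#!/bin/sh
# Added example: wait for the asynchronous issuance from Step 4, then verify
# the material from Steps 2-5 before importing it in Step 6.

# Block on the AWS CLI's built-in waiter instead of retrying get-certificate
# by hand, then save body and chain exactly as Step 5 does.
wait_and_fetch() {
  ca_arn=$1; cert_arn=$2
  aws acm-pca wait certificate-issued \
      --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate --certificate-authority-arn "$ca_arn" \
      --certificate-arn "$cert_arn" --output text --query Certificate > certfile.pem
  aws acm-pca get-certificate --certificate-authority-arn "$ca_arn" \
      --certificate-arn "$cert_arn" --output text --query CertificateChain > certchain.pem
}

# Offline checks on the three files, in the order the import and the
# listener will rely on them:
#   1. private-key.pem holds the key for the public key in certfile.pem,
#   2. certfile.pem chains to the private CA contained in certchain.pem,
#   3. certfile.pem covers the host name the Route 53 A record will use.
# Returns 0 when every check passes, 1/2/3 for the first failing check.
check_cert_material() {
  cert=$1; key=$2; chain=$3; host=$4
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
      || { echo "private key does not match certificate" >&2; return 1; }
  openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
      || { echo "certificate does not chain to the CA in $chain" >&2; return 2; }
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
      || { echo "certificate does not cover $host" >&2; return 3; }
  echo "ok: $cert matches $key, chains to $chain and covers $host"
}
```

Run check_cert_material certfile.pem private-key.pem certchain.pem your.host.name after wait_and_fetch; a non-zero exit tells you which of the three checks failed before anything reaches ACM.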