AWS Certificate Management and Private Certificate Authority Deep Dive


SEC413-R

AWS Certificate Management and Private Certificate Authority Deep Dive
Todd Cignetti, Principal Product Manager, AWS Cryptography
Ram Ramani, Security Solutions Architect, AWS

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• AWS Certificate Manager

• Private CA and new features

• Build and configure a Private CA

• Use cases and examples

• Chalk talk and Q&A

AWS Certificate Manager (ACM)

ACM makes it easy to provision, manage, deploy, and renew TLS/SSL certificates on the AWS cloud.
Example: ACM with Elastic Load Balancing
• Public certificates requested with ACM
• Deployed on ELB
• ACM manages renewal and deployment

[Diagram: inside the AWS Cloud, AWS Certificate Manager obtains a public TLS server certificate from the Amazon public CA and deploys it to the load balancer in front of the instances; users and devices open a secure TLS/SSL connection to it.]
What’s new
• DNS Validation (Nov 2017) – Validate your domain by writing a DNS CNAME record to your DNS configuration
• ACM Private Certificate Authority (Apr 2018)
• CA Restore (Jun 2018) – Delete a CA and restore it within a limited time
• London Region (Jul 2018)
ACM compliance for data privacy and protection
• HIPAA Eligible – The standard for sensitive patient data protection
• AICPA SOC 1, 2, and 3 – Provides deep insight into ACM’s security processes and controls
• PCI DSS – The technical and operational requirements for protection of cardholder data
• ISO 9001, 27001, 27017, and 27018 – Among the most recognized global security standards
ACM Private CA
• ACM Private CA is a fully managed private CA
• Avoids the complexity of managing a CA yourself
• Operates as a standalone CA or together with ACM for certificate mgmt
• Certificates are trusted within your organization

[Diagram: ACM Private CA in the AWS Cloud issuing certificates to AWS resources and Amazon EC2 instances, and to devices and servers in on-premises infrastructure.]
ACM Private CA setup and hierarchy
• Create a Private CA
• Establish chain of trust to existing root CA
• Export CSR and sign with a parent CA
• Import signed CA certificate
• Issue device/resource/server certificates

[Diagram: existing CA infrastructure consisting of a root CA (root CA certificate) and an intermediate CA (intermediate CA certificate); the ACM Private CA sends a certificate signing request up to the intermediate CA, receives back the signed CA certificate, and from then on issues device/resource certificates.]
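The export, sign and import steps above, as an added example that is not code from the deck. The signing is done on the parent CA side with OpenSSL, the way an enterprise PKI team would sign the CSR that ACM Private CA exports; the enterprise root is generated locally here as a stand-in for the one you already run, and all names, lifetimes and the CA ARN are assumed placeholders. The two checks at the end show what the chain of trust buys you: the subordinate validates against the root, and because it was signed with pathlen:0, nothing minted below it as a further CA can produce certificates that validate.

```shell
#!/usr/bin/env bash
# Added example, not from the deck: "Export CSR and sign with a parent CA", then
# "Import signed CA certificate". Root/subordinate names, lifetimes and CA_ARN are
# placeholders; the enterprise root is a locally generated stand-in.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_ARN="${CA_ARN:-arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE}"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Stand-in for the enterprise root CA that already exists in your environment.
make_root_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_root -newkey rsa:2048 -nodes \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 3650 -sha256 \
    -subj "/O=Example Corp/CN=Example Enterprise Root CA" >/dev/null 2>&1
}

# "Export CSR": the real call is
#   aws acm-pca get-certificate-authority-csr --certificate-authority-arn "$CA_ARN" --output text > pca.csr
# Offline stand-in: a locally generated CSR (in ACM Private CA the CA key never leaves the service).
make_subordinate_csr() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/pca.key" -out "$WORK/pca.csr" \
    -subj "/O=Example Corp/CN=Example ACM Private CA" >/dev/null 2>&1
}

# "Sign with a parent CA": CA:TRUE with pathlen:0 so the subordinate can issue
# end-entity certificates only, and key usage limited to signing certs and CRLs.
sign_subordinate() {
  openssl x509 -req -in "$WORK/pca.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_sub \
    -out "$WORK/pca.crt" >/dev/null 2>&1
}
# "Import signed CA certificate": the real call needs the cert and the chain up to the root:
#   aws acm-pca import-certificate-authority-certificate --certificate-authority-arn "$CA_ARN" \
#     --certificate fileb://pca.crt --certificate-chain fileb://root.crt

# Check 1: the subordinate chains to the root.
subordinate_verifies() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/pca.crt" >/dev/null 2>&1
}

# Check 2: pathlen:0 holds. A "rogue" CA minted under the subordinate cannot produce
# a leaf that validates, which bounds the damage if the subordinate's issuing rights are misused.
pathlen_is_enforced() {
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/rogue.key" \
    -out "$WORK/rogue.csr" -subj "/CN=Rogue Sub CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/rogue.csr" -CA "$WORK/pca.crt" -CAkey "$WORK/pca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions v3_sub \
    -out "$WORK/rogue.crt" >/dev/null 2>&1
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=leaf.internal.example.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/rogue.crt" -CAkey "$WORK/rogue.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.crt" >/dev/null 2>&1
  cat "$WORK/pca.crt" "$WORK/rogue.crt" > "$WORK/untrusted.pem"
  # Must FAIL: root -> pca (pathlen:0) -> rogue -> leaf exceeds the path length.
  ! openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" "$WORK/leaf.crt" >/dev/null 2>&1
}

run_demo() {
  make_root_ca
  make_subordinate_csr
  sign_subordinate
  subordinate_verifies && echo "subordinate chains to root: OK"
  pathlen_is_enforced && echo "pathlen:0 enforced: OK"
}
run_demo
```

When you do this for real, the CSR comes from get-certificate-authority-csr rather than a local key, and the chain you pass to import-certificate-authority-certificate must contain every certificate between the subordinate and the root, in order, or the import is rejected.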
Elastic Load Balancing with private TLS server certificates
Private or public certificates managed with ACM
ACM manages renewal and deployment

[Diagram: ACM Private CA in the AWS Cloud, chained to the enterprise root CA and publishing its CRL to an Amazon S3 CRL bucket, issues a private TLS server certificate; the Amazon public CA issues a public TLS server certificate; AWS Certificate Manager deploys either kind to the load balancer in front of the instances.]

The same diagram, built up step by step over the following slides:
1. Request certificate – ACM requests a certificate from ACM Private CA
2. Issue certificate – the Private CA issues the TLS server certificate to ACM
3. Deploy certificate – ACM deploys the certificate to the load balancer
4. Secure TLS/SSL connection – users and devices connect to the instances over TLS/SSL
TLS to your container
1. Generate keys
2. Generate CSR
3. Call pca::IssueCertificate API
4. Call pca::GetCertificate API
5. Key and certificate in place

[Diagram: the container performs steps 1 to 5 against ACM Private CA, which is chained to the enterprise root CA.]

IAM policy to allow container access to PCA:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate"
      ],
      "Resource": "*"
    }
  ]
}

Note: with "Resource": "*" the container's role can request certificates from every Private CA in the account. Both actions accept a certificate-authority ARN as the resource, so in production scope "Resource" to the ARN of the one CA this container is meant to use.
Certificate-based device authentication
Alexa For Business enables organizations and employees to use Alexa at enterprise scale
Goal: connect Echo devices to an existing enterprise WPA2 wireless network

[Diagram: the Alexa For Business Device Setup Tool installs a device certificate on the Echo; the Echo presents it to the enterprise WPA2 Wi-Fi, which authenticates it against the RADIUS auth server.]
Certificate-based device authentication
Standalone Private CA issuing unmanaged certificates
ACM does not manage renewals and deployment

[Diagram: ACM Private CA chained to the enterprise root CA, publishing its CRL to an Amazon S3 CRL bucket.]
Certificate-based device authentication
Device Setup Tool provisions device certificates using ACM Private CA
Administrator must grant permission to use the Private CA with an AWS Identity and Access Management (IAM) policy

IAM policy to allow DST access to PCA:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acm-pca:ListCertificateAuthorities",
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate"
      ],
      "Resource": "*"
    }
  ]
}

Note: acm-pca:ListCertificateAuthorities is a list operation that does not take a resource, so it genuinely needs "Resource": "*"; IssueCertificate and GetCertificate do take the CA ARN, so put them in a second statement scoped to the CA the Device Setup Tool should issue from.

[Diagram: the Alexa For Business Device Setup Tool calling ACM Private CA, which is chained to the enterprise root CA and publishes its CRL to an Amazon S3 CRL bucket.]
Certificate-based device authentication
Device Setup Tool issues and deploys certificates to Echo devices

[Diagram: 1 the Device Setup Tool calls IssueCertificate on ACM Private CA (chained to the enterprise root CA, CRL in an Amazon S3 CRL bucket); 2 it retrieves the certificate with GetCertificate and installs the device certificate on the Echo; the Echo then authenticates to the enterprise WPA2 Wi-Fi through the RADIUS auth server.]
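The issue-and-retrieve sequence that both the container slide (generate keys, generate CSR, IssueCertificate, GetCertificate, key and certificate in place) and the Device Setup Tool slide above describe, as an added example that is neither the deck's code nor the Alexa For Business tool's. The private key is generated where it will be used and never leaves; only the CSR goes to ACM Private CA. The offline part (key, CSR with a subjectAltName, sanity checks) runs as-is; the AWS CLI part needs credentials and a real CA. CA_ARN, the DNS name, the output directory, the 90-day validity and the ROOT_CERT path are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the deck: end-entity issuance from ACM Private CA.
# CA_ARN, SERVICE_DNS, OUT and ROOT_CERT are placeholders, not values from the deck.
set -eu

OUT="${OUT:-$(mktemp -d)}"
CA_ARN="${CA_ARN:-arn:aws:acm-pca:us-east-1:111122223333:certificate-authority/EXAMPLE}"
SERVICE_DNS="${SERVICE_DNS:-api.internal.example.com}"

# Steps 1 and 2: key pair plus a CSR that carries the service name as a SAN
# and asks for server-auth key usage. Runs offline.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OUT/service.key" 2>/dev/null
  chmod 600 "$OUT/service.key"
  cat > "$OUT/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = $SERVICE_DNS
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVICE_DNS
EOF
  openssl req -new -key "$OUT/service.key" -config "$OUT/csr.cnf" -out "$OUT/service.csr" 2>/dev/null
}

# Checks before anything is sent: the CSR's public key is the one that belongs to
# our private key, and it names the host that clients will verify against.
csr_matches_key() {
  [ "$(openssl req -in "$OUT/service.csr" -pubkey -noout 2>/dev/null)" = \
    "$(openssl pkey -in "$OUT/service.key" -pubout 2>/dev/null)" ]
}
csr_has_san() {
  openssl req -in "$OUT/service.csr" -text -noout 2>/dev/null | grep -q "DNS:$SERVICE_DNS"
}

# Steps 3 and 4: have the Private CA sign the CSR, wait until it is issued, then fetch
# the certificate and its chain. The caller needs acm-pca:IssueCertificate and
# acm-pca:GetCertificate on CA_ARN (see the IAM policy on the slide). Not run offline.
request_from_pca() {
  CERT_ARN=$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$CA_ARN" \
    --csr fileb://"$OUT/service.csr" \
    --signing-algorithm SHA256WITHRSA \
    --validity Value=90,Type=DAYS \
    --query CertificateArn --output text)
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$CA_ARN" --certificate-arn "$CERT_ARN"
  aws acm-pca get-certificate \
    --certificate-authority-arn "$CA_ARN" --certificate-arn "$CERT_ARN" \
    --query Certificate --output text > "$OUT/service.crt"
  aws acm-pca get-certificate \
    --certificate-authority-arn "$CA_ARN" --certificate-arn "$CERT_ARN" \
    --query CertificateChain --output text > "$OUT/chain.pem"
}

# Step 5: key and certificate in place. Validate against the enterprise root you
# actually trust (ROOT_CERT, assumed path), treating the returned chain as untrusted
# intermediates rather than as a trust anchor, before the server loads the files.
verify_issued() {
  openssl verify -CAfile "${ROOT_CERT:-$OUT/root.crt}" -untrusted "$OUT/chain.pem" "$OUT/service.crt"
}

run_demo() {
  make_key_and_csr
  csr_matches_key && echo "CSR public key matches private key: OK"
  csr_has_san && echo "CSR carries SAN DNS:$SERVICE_DNS: OK"
  echo "next: request_from_pca (needs AWS credentials), then verify_issued"
}
run_demo
```

Because these are unmanaged certificates (the Private CA is used standalone), nothing here renews or redeploys them: the 90-day validity means this script, or something like it, has to run again before expiry, which is the trade-off the managed-versus-unmanaged table at the end of the deck spells out.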
Remote devices using encrypted IPSec VPNs

[Diagram: ACM Private CA in the AWS Cloud, chained to the enterprise root CA and publishing its CRL to an Amazon S3 CRL bucket, issues IPSec VPN certificates to the IPSec client on the enterprise customer network and to the instance running the IPSec server in AWS; client and server authenticate each other with those certificates and establish an IPSec tunnel over the Internet.]
“We use ACM Private Certificate Authority (CA) to issue certificates to ensure secure connections from our sensors to our purpose-built Security Operations Center platform that runs in AWS.”
Michael Hart, Director Infrastructure Engineering, Arctic Wolf Networks
Learn more
ACM Documentation
https://amzn.to/AWSCertificateManagerDocs

Alexa For Business Blog Post
https://aws.amazon.com/blogs/business-productivity/setup-shared-devices-managed-by-alexa-for-business-on-wpa2-enterprise-wi-fi/

ECS Containers
https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-part-2-using-aws-certificate-manager-private-certificate-authority/

Compliance
https://aws.amazon.com/compliance/
https://aws.amazon.com/compliance/services-in-scope/
Thank you!
Todd Cignetti and Ram Ramani
[email protected]

Q&A
Private CA FAQs
• Standalone versus managed certificates
• How can I chain a Private CA up to my enterprise root CA?
• Revocation
• Auditing
• Logging
• TLS/SSL for back-end connections from ELB to instance or container

ACM public certificate FAQs
• Email versus DNS validation
Customization for Standalone Certificates

Key algorithms:      RSA 2048, RSA 4096, ECDSA P256, ECDSA P384
Signing algorithms:  SHA256 with RSA, SHA384 with RSA, SHA512 with RSA,
                     SHA256 with ECDSA, SHA384 with ECDSA, SHA512 with ECDSA
Custom lifetimes
Custom resource names
ACM Managed versus Unmanaged Certificates

                          ACM-Managed Certificates                           Unmanaged Certificates
Certificate private keys  ACM generates and manages the private key          Customer generates and manages the private key
Certificate subject/SANs  Valid DNS names only                               Any valid X.509 subject/SANs
Validity period           13 months                                          Any validity period
Key and signature         RSA 2048 with SHA-256 hashing                      ECDSA or RSA keys;
algorithm                                                                    SHA-256, SHA-384, SHA-512 hashing
Export                    Available for private certificates                 n/a – customer manages the private keys and certs
Renewals                  ACM-managed                                        Customer-managed
Deployment                ACM-managed for ACM-integrated services;           Customer-managed
                          customer-managed for on-premises, EC2, IoT
Benefits                  Central management                                 Flexibility
ACM Private CA
• Secure and managed Private Certificate Authority
• Manage certificates centrally
• Enable developer agility
• Flexibility to customize private certificates
• Pay-as-you-go pricing