Skip to content

Instantly share code, notes, and snippets.

@danquack
Last active Sep 27, 2021
Embed
What would you like to do?
Securing traffic with ACM Private Certificate Authority
# Create x509 cert if not building for cloud (common in local builds)
if [[ -z "${ROOTCA}" ]]; then flags="-x509 -days 365"; fi
mkdir -p /etc/ssl/{certs,private}
openssl req $flags -nodes -new -newkey rsa:4096 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/CN=${HOSTNAME}"
# Download root CA into CA Directory
aws acm-pca get-certificate-authority-certificate --certificate-authority-arn $ROOTCA --output text > /usr/local/share/ca-certificates/root.crt
# Ensure permissions and update the trust store
chmod 644 /usr/local/share/ca-certificates/root.crt
update-ca-certificates
server {
listen 443 ssl;
ssl_certificate /etc/ssl/certs/server.crt;
ssl_certificate_key /etc/ssl/private/server.key;
...
RootInternalCA:
Type: AWS::ACMPCA::CertificateAuthority
Properties:
KeyAlgorithm: RSA_4096
SigningAlgorithm: SHA512WITHRSA
Subject:
CommonName: ec2.internal
Type: ROOT
RootInternalCert:
Type: AWS::ACMPCA::Certificate
Properties:
CertificateAuthorityArn: !Ref RootInternalCA
CertificateSigningRequest: !GetAtt RootInternalCA.CertificateSigningRequest
SigningAlgorithm: SHA512WITHRSA
TemplateArn: 'arn:aws:acm-pca:::template/RootCACertificate/V1'
Validity:
Type: YEARS
Value: 10
RootCAActivation:
Type: 'AWS::ACMPCA::CertificateAuthorityActivation'
Properties:
CertificateAuthorityArn: !Ref RootInternalCA
Certificate: !GetAtt RootInternalCert.Certificate
Status: ACTIVE
HostSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
SecurityGroupIngress:
# This may vary on what you need ingress
- SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
FromPort: 443
ToPort: 443
IpProtocol: tcp
aws acm-pca issue-certificate --certificate-authority-arn $ROOTCA --csr file:///etc/ssl/certs/server.crt --signing-algorithm "SHA512WITHRSA" --validity Type=DAYS,Value=365 --output text > /tmp/cert.arn
aws acm-pca get-certificate --certificate-authority-arn $ROOTCA --certificate-arn $(cat /tmp/cert.arn) --output json | jq -r '.Certificate' > /etc/ssl/certs/server.crt
aws acm-pca get-certificate --certificate-authority-arn $ROOTCA --certificate-arn $(cat /tmp/cert.arn) --output json | jq -r '.CertificateChain' >> /etc/ssl/certs/server.crt
TargetGroup:
Type: AWS::ElasticLoadBalancingV2::TargetGroup
Properties:
...
Port: 443
Protocol: HTTPS
...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment