@danquack
Last active September 27, 2021 03:30
Securing traffic with ACM Private Certificate Authority
# Create x509 cert if not building for cloud (common in local builds)
flags=""
if [[ -z "${ROOTCA:-}" ]]; then flags="-x509 -days 365"; fi
mkdir -p /etc/ssl/{certs,private}
# Without -x509 this writes a CSR to the server.crt path; the certificate signed by
# ACM PCA replaces it later. Modern clients require a SAN (-addext needs OpenSSL 1.1.1+).
openssl req $flags -nodes -new -newkey rsa:4096 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/CN=${HOSTNAME}" -addext "subjectAltName=DNS:${HOSTNAME}"
if [[ -n "${ROOTCA:-}" ]]; then
    # Download root CA into CA Directory (--query keeps only the PEM body)
    aws acm-pca get-certificate-authority-certificate --certificate-authority-arn "$ROOTCA" --query Certificate --output text > /usr/local/share/ca-certificates/root.crt
    # Ensure permissions and update the trust store
    chmod 644 /usr/local/share/ca-certificates/root.crt
    update-ca-certificates
fi
server {
    listen 443 ssl;
    # Leaf certificate followed by the ACM PCA chain, as assembled below
    ssl_certificate     /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ...
}
RootInternalCA:
  Type: AWS::ACMPCA::CertificateAuthority
  Properties:
    KeyAlgorithm: RSA_4096
    SigningAlgorithm: SHA512WITHRSA
    Subject:
      CommonName: ec2.internal
    Type: ROOT
# A root CA signs its own certificate from the CSR the CA resource exposes
RootInternalCert:
  Type: AWS::ACMPCA::Certificate
  Properties:
    CertificateAuthorityArn: !Ref RootInternalCA
    CertificateSigningRequest: !GetAtt RootInternalCA.CertificateSigningRequest
    SigningAlgorithm: SHA512WITHRSA
    TemplateArn: 'arn:aws:acm-pca:::template/RootCACertificate/V1'
    Validity:
      Type: YEARS
      Value: 10
# The CA cannot issue certificates until it is activated with its own certificate
RootCAActivation:
  Type: 'AWS::ACMPCA::CertificateAuthorityActivation'
  Properties:
    CertificateAuthorityArn: !Ref RootInternalCA
    Certificate: !GetAtt RootInternalCert.Certificate
    Status: ACTIVE
HostSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    SecurityGroupIngress:
      # Adjust to the ingress you need; here only the load balancer may reach 443
      - SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
        FromPort: 443
        ToPort: 443
        IpProtocol: tcp
aws acm-pca issue-certificate --certificate-authority-arn "$ROOTCA" --csr file:///etc/ssl/certs/server.crt --signing-algorithm "SHA512WITHRSA" --validity Type=DAYS,Value=365 --output text > /tmp/cert.arn
# Issuance is asynchronous: wait until the certificate exists before fetching it
aws acm-pca wait certificate-issued --certificate-authority-arn "$ROOTCA" --certificate-arn "$(cat /tmp/cert.arn)"
# Fetch once; overwrite the CSR with the leaf certificate, then append its chain
aws acm-pca get-certificate --certificate-authority-arn "$ROOTCA" --certificate-arn "$(cat /tmp/cert.arn)" --output json > /tmp/cert.json
jq -r '.Certificate, .CertificateChain' /tmp/cert.json > /etc/ssl/certs/server.crt
TargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    ...
    # The load balancer re-encrypts to the host over HTTPS on 443, so traffic
    # stays encrypted end to end
    Port: 443
    Protocol: HTTPS
    ...