Last active: September 27, 2021 03:30
Gist: danquack/6c3dcfedc72604a27ec64240ac634363
Securing traffic with ACM Private Certificate Authority
```bash
# Create a self-signed x509 cert if not building for cloud (common in local builds).
# When ROOTCA is set, flags stays empty and the same command emits a CSR instead,
# which the ACM PCA issue-certificate step reads from /etc/ssl/certs/server.crt.
flags=""
if [[ -z "${ROOTCA:-}" ]]; then flags="-x509 -days 365"; fi
mkdir -p /etc/ssl/{certs,private}
# $flags is intentionally unquoted so that "-x509 -days 365" splits into separate arguments
openssl req $flags -nodes -new -newkey rsa:4096 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/CN=${HOSTNAME}"
```
```bash
# Download root CA into the CA directory
aws acm-pca get-certificate-authority-certificate --certificate-authority-arn "$ROOTCA" --output text > /usr/local/share/ca-certificates/root.crt
# Ensure permissions and update the trust store
chmod 644 /usr/local/share/ca-certificates/root.crt
update-ca-certificates
```
```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    ...
```
```yaml
RootInternalCA:
  Type: AWS::ACMPCA::CertificateAuthority
  Properties:
    KeyAlgorithm: RSA_4096
    SigningAlgorithm: SHA512WITHRSA
    Subject:
      CommonName: ec2.internal
    Type: ROOT
```
```yaml
RootInternalCert:
  Type: AWS::ACMPCA::Certificate
  Properties:
    CertificateAuthorityArn: !Ref RootInternalCA
    CertificateSigningRequest: !GetAtt RootInternalCA.CertificateSigningRequest
    SigningAlgorithm: SHA512WITHRSA
    TemplateArn: 'arn:aws:acm-pca:::template/RootCACertificate/V1'
    Validity:
      Type: YEARS
      Value: 10
RootCAActivation:
  Type: 'AWS::ACMPCA::CertificateAuthorityActivation'
  Properties:
    CertificateAuthorityArn: !Ref RootInternalCA
    Certificate: !GetAtt RootInternalCert.Certificate
    Status: ACTIVE
```
```yaml
HostSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Ingress for hosts serving TLS behind the load balancer  # required by CloudFormation
    SecurityGroupIngress:
      # This may vary on what you need ingress for
      - SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
        FromPort: 443
        ToPort: 443
        IpProtocol: tcp
```
```bash
# Issue a cert from the CSR, wait for issuance to complete (it is asynchronous), then
# write the leaf followed by the chain to server.crt, overwriting the CSR stored there
CERT_ARN=$(aws acm-pca issue-certificate --certificate-authority-arn "$ROOTCA" --csr file:///etc/ssl/certs/server.crt --signing-algorithm "SHA512WITHRSA" --validity Type=DAYS,Value=365 --output text)
aws acm-pca wait certificate-issued --certificate-authority-arn "$ROOTCA" --certificate-arn "$CERT_ARN"
aws acm-pca get-certificate --certificate-authority-arn "$ROOTCA" --certificate-arn "$CERT_ARN" --output json > /tmp/cert.json
jq -r '.Certificate' /tmp/cert.json > /etc/ssl/certs/server.crt
jq -r '.CertificateChain' /tmp/cert.json >> /etc/ssl/certs/server.crt
```
```yaml
TargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    ...
    Port: 443
    Protocol: HTTPS
    ...
```
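As an added example (not code from the gist), a shell check to run after the issue-certificate step: it confirms that the bundle written to server.crt has the leaf certificate first and that the leaf validates against the root installed into the trust store. Because ACM PCA cannot be called offline, a throwaway OpenSSL root CA built in a temp directory stands in for it; the hostname, paths and key sizes used in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: check the bundle that the
# issue-certificate step writes to server.crt. The leaf must come first and must
# validate against the root that update-ca-certificates installed. A throwaway
# OpenSSL root CA built here stands in for ACM PCA so this runs offline;
# hostname and paths are constructed, and 2048-bit keys keep key generation fast.
set -eu

# verify_bundle BUNDLE ROOT EXPECTED_CN: succeeds only if nginx could serve BUNDLE
verify_bundle() {
  bundle="$1"; root="$2"; expected_cn="$3"
  # nginx presents the first PEM block as the server cert, so it must be the leaf
  leaf_cn=$(openssl x509 -in "$bundle" -noout -subject -nameopt RFC2253 \
            | sed -n 's/^subject= *CN=//p')
  if [ "$leaf_cn" != "$expected_cn" ]; then
    echo "first cert is '$leaf_cn', expected leaf '$expected_cn'" >&2; return 1
  fi
  # The leaf must chain to the trusted root; intermediates, if any, come from BUNDLE
  if ! openssl verify -CAfile "$root" -untrusted "$bundle" "$bundle" >/dev/null 2>&1; then
    echo "leaf does not validate against $root" >&2; return 1
  fi
}

# Constructed scenario: a root like RootInternalCA (CN ec2.internal, SHA-512 signatures)
demo() {
  d=$(mktemp -d); host="ip-10-0-0-5.ec2.internal"
  openssl req -x509 -nodes -newkey rsa:2048 -sha512 -days 3650 -subj "/CN=ec2.internal" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Host key and CSR, as the gist's openssl req produces when ROOTCA is set
  openssl req -nodes -new -newkey rsa:2048 -keyout "$d/server.key" -out "$d/server.csr" \
    -subj "/CN=$host" 2>/dev/null
  # The signing that ACM PCA performs for issue-certificate (365-day validity)
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -sha512 -days 365 -out "$d/leaf.crt" 2>/dev/null
  cat "$d/leaf.crt" "$d/root.crt" > "$d/server.crt"   # gist order: leaf, then chain
  cat "$d/root.crt" "$d/leaf.crt" > "$d/wrong.crt"    # reversed order must be rejected
  ok=1; bad=1
  verify_bundle "$d/server.crt" "$d/root.crt" "$host" && ok=0
  verify_bundle "$d/wrong.crt" "$d/root.crt" "$host" 2>/dev/null || bad=0
  rm -rf "$d"
  [ "$ok" -eq 0 ] && [ "$bad" -eq 0 ]
}

demo && echo "server.crt bundle verified: leaf first, chains to root"
```

Against a real host, call verify_bundle with /etc/ssl/certs/server.crt, /usr/local/share/ca-certificates/root.crt and the hostname used in the CSR subject.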