Create Certificate Authority with AWS Private CA SDK

Benjamin Ajewole - Apr 23 - Dev Community

In cybersecurity, the importance of secure communication cannot be overstated. Certificates are the bedrock for establishing encrypted and authenticated connections over networks, safeguarding data integrity, confidentiality, and authenticity. When managing certificates at scale within cloud environments like Amazon Web Services (AWS), leveraging tools like AWS Private Certificate Authority (acm-pca) SDK becomes indispensable. In this article, we'll explore the fundamentals of certificates, the significance of certificate authorities, and the practical steps involved in setting up a secure infrastructure.

What are Certificates?

Certificates are digital documents used to establish trust between parties in a communication exchange. These certificates contain vital information like the identity of the certificate holder, public keys, and cryptographic signatures.

What is the usefulness of certificates?

Certificates serve various purposes in ensuring the security of online transactions and communications, including:

  • Authentication: Certificates verify the identity of parties involved in a transaction.
  • Encryption: Certificates carry the public key used to set up an encrypted channel, so data in transit is protected.
  • Integrity: Certificates ensure the integrity of transmitted data, preventing tampering or unauthorized modifications.
  • Trust: Certificates establish trust between communicating parties, ensuring that sensitive information is shared only with trusted entities.

Components of a Certificate

A typical certificate comprises several components, including:

  • Subject: The entity to which the certificate is issued.
  • Issuer: The entity that issues the certificate.
  • Public Key: The cryptographic key used for encryption and verification.
  • Signature: A digital signature created by the issuer to validate the certificate's authenticity.
  • Validity Period: The duration for which the certificate remains valid.
  • Extensions: Additional information such as key usage, subject alternative names, etc.

Types of Certificates

There are various types of certificates tailored to specific use cases, including:

  • SSL/TLS Certificates: Used to secure websites and establish encrypted connections.
  • Code Signing Certificates: Ensure the authenticity and integrity of software.
  • Email Certificates: Secure email communications by encrypting and digitally signing messages.
  • Certificate Authority (CA) certificates: The certificate of a trusted Certificate Authority itself; the certificates that CA issues are validated against it.

What is a certificate authority?

A Certificate Authority (CA) is a trusted entity responsible for issuing and managing digital certificates. It verifies the identity of entities requesting certificates and signs them to establish their authenticity.

What is a root certificate?

A Root Certificate is a self-signed certificate at the top of the certificate hierarchy. It represents the highest level of trust in a certificate chain and is used to sign other certificates, including intermediate certificates.

What is an intermediate certificate?

An Intermediate Certificate is a subordinate CA certificate signed by the root CA. It sits between the root certificate and end-entity certificates. Intermediate certificates enhance security by separating day-to-day certificate issuance and revocation from the root, which can then stay offline.

Why do I need to create an intermediate certificate?

Creating an intermediate certificate offers several advantages:

  • Enhanced Security: Intermediate certificates provide an additional layer of security, reducing the risk associated with compromising a root certificate.
  • Scalability: Intermediate certificates allow for better management and delegation of certificate issuance responsibilities, particularly in large-scale environments.
  • Granular Control: By utilizing intermediate certificates, administrators can implement fine-grained access control and policy enforcement.

Create a root and intermediate certificate with OpenSSL

Using OpenSSL, a widely used open-source toolkit, one can generate root and intermediate certificates. Below are the OpenSSL commands to accomplish this:

# Extensions that mark a certificate as a CA; "openssl x509 -req" copies none from the CSR, so they are supplied via -extfile
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > intermediate.ext

# Generate a root private key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key

# Generate a root certificate signing request
openssl req -new -key root.key -subj "/CN=Root CA" -out root.csr

# Self-sign the root certificate (-days is needed: the default validity is only 30 days)
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext -out root.crt

# Generate an intermediate private key
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out intermediate.key

# Generate an intermediate certificate signing request
openssl req -new -key intermediate.key -subj "/CN=Intermediate CA" -out intermediate.csr

# Sign the intermediate certificate using the root certificate (the option is -set_serial; pathlen:0 forbids further sub-CAs)
openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -set_serial 01 -days 1825 -extfile intermediate.ext -out intermediate.crt
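The following script is an added example, not part of the original article. It goes one step further than the commands above: it builds a root, an intermediate carrying pathlen:0 (the same constraint the SubordinateCACertificate_PathLen0 template applies in AWS Private CA) and a server certificate, prints the components of each certificate (subject, issuer, validity period, CA flag), verifies the chain, and then shows what the path-length constraint actually blocks: a certificate issued by a further CA nested under the pathlen:0 intermediate no longer validates. All names (Root CA, Intermediate CA, www.example.test, deep.example.test) are constructed for the demo, and everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example: root -> intermediate (pathlen:0) -> server chain built with OpenSSL,
# plus a demonstration of the path-length constraint. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Key pair plus CSR for one name: $1 = file prefix, $2 = CommonName (constructed demo names)
mkcsr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -key "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# Sign $1's CSR with issuer $2; $3 = basicConstraints value, $4 = keyUsage value.
# "x509 -req" copies no extensions from the CSR, so the issuer decides them via -extfile.
sign() {
  printf 'basicConstraints=critical,%s\nkeyUsage=critical,%s\n' "$3" "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -set_serial "0x$(openssl rand -hex 8)" \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

build_chain() {
  # Self-signed root, marked as a CA; -days matters because the default validity is 30 days
  mkcsr root "Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile root.ext -out root.crt 2>/dev/null
  # Intermediate with pathlen:0: it may issue end-entity certificates but no further CAs
  mkcsr intermediate "Intermediate CA"
  sign intermediate root "CA:TRUE,pathlen:0" "keyCertSign,cRLSign"
  # End-entity server certificate issued by the intermediate
  mkcsr server "www.example.test"
  sign server intermediate "CA:FALSE" "digitalSignature,keyEncipherment"
  # A CA nested below the pathlen:0 intermediate, and a server certificate issued by it
  mkcsr nested "Nested CA"
  sign nested intermediate "CA:TRUE" "keyCertSign,cRLSign"
  mkcsr deep "deep.example.test"
  sign deep nested "CA:FALSE" "digitalSignature,keyEncipherment"
}

# Verify $1 against root.crt, using the remaining prefixes as untrusted intermediates; prints ok or fail
verify_chain() {
  leaf="$1"; shift
  : > untrusted.pem
  for i in "$@"; do cat "$i.crt" >> untrusted.pem; done
  if openssl verify -CAfile root.crt -untrusted untrusted.pem "$leaf.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Component inspection: prints yes if basicConstraints asserts CA:TRUE, otherwise no
is_ca() {
  if openssl x509 -in "$1.crt" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

build_chain
for c in root intermediate server; do
  echo "== $c (CA: $(is_ca "$c"))"
  openssl x509 -in "$c.crt" -noout -subject -issuer -dates
done
echo "server via intermediate: $(verify_chain server intermediate)"            # ok
echo "deep via intermediate+nested: $(verify_chain deep intermediate nested)"  # fail: path length exceeded
```

The second verification fails with OpenSSL's path-length-exceeded error, not because any signature is wrong: every certificate in that chain is validly signed, but the intermediate's pathlen:0 forbids a CA beneath it. This is the property the PathLen0 subordinate template gives you in AWS Private CA, and it is worth checking with exactly this kind of negative test after building a hierarchy.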

Create a root and intermediate certificate with acm-pca

AWS Private CA enables the creation of private certificate authority (CA) hierarchies, including root and intermediate/subordinate CAs. 
Using the AWS Certificate Manager Private Certificate Authority (acm-pca) SDK, you can automate the process of creating root and intermediate certificates. Here's how to achieve it using TypeScript:

import {
  ACMPCAClient,
  CreateCertificateAuthorityCommand,
  GetCertificateAuthorityCsrCommand,
  GetCertificateCommand,
  ImportCertificateAuthorityCertificateCommand,
  IssueCertificateCommand,
  waitUntilCertificateAuthorityCSRCreated,
  waitUntilCertificateIssued,
} from "@aws-sdk/client-acm-pca";

const client = new ACMPCAClient({ region: "us-east-1" });

// Subject shared by both CAs; only the CommonName differs
const subject = (commonName: string) => ({
  Country: "US",
  Organization: "Example Corp",
  OrganizationalUnit: "IT",
  State: "California",
  Locality: "San Francisco",
  CommonName: commonName,
  SerialNumber: "202401",
});

// Create a CA of the given type. Private CA keeps the private key, so the CSR is fetched from the service.
async function createCa(type: "ROOT" | "SUBORDINATE", commonName: string) {
  const { CertificateAuthorityArn } = await client.send(new CreateCertificateAuthorityCommand({
    CertificateAuthorityType: type,
    CertificateAuthorityConfiguration: {
      Subject: subject(commonName),
      SigningAlgorithm: "SHA256WITHRSA",
      KeyAlgorithm: "RSA_2048",
    },
  }));
  const arn = CertificateAuthorityArn!;
  await waitUntilCertificateAuthorityCSRCreated({ client, maxWaitTime: 120 }, { CertificateAuthorityArn: arn });
  const { Csr } = await client.send(new GetCertificateAuthorityCsrCommand({ CertificateAuthorityArn: arn }));
  return { arn, csrPem: Csr! };
}

// Have caArn sign csrPem with the given template; IssueCertificate is asynchronous, so wait before fetching.
async function issueCertificate(caArn: string, csrPem: string, templateArn: string, days: number) {
  const { CertificateArn } = await client.send(new IssueCertificateCommand({
    CertificateAuthorityArn: caArn,
    Csr: new Uint8Array(Buffer.from(csrPem)),
    SigningAlgorithm: "SHA256WITHRSA",
    TemplateArn: templateArn,
    Validity: { Value: days, Type: "DAYS" },
  }));
  await waitUntilCertificateIssued({ client, maxWaitTime: 120 }, { CertificateAuthorityArn: caArn, CertificateArn });
  const { Certificate } = await client.send(new GetCertificateCommand({ CertificateAuthorityArn: caArn, CertificateArn }));
  return Certificate!;
}

async function main() {
  // Create Root CA: a new CA stays PENDING_CERTIFICATE until its own certificate is imported
  const root = await createCa("ROOT", "Root CA");
  const rootCert = await issueCertificate(root.arn, root.csrPem, "arn:aws:acm-pca:::template/RootCACertificate/V1", 3650);
  await client.send(new ImportCertificateAuthorityCertificateCommand({
    CertificateAuthorityArn: root.arn,
    Certificate: Buffer.from(rootCert),
  }));
  // Create Intermediate CA: the root signs its CSR with the PathLen0 subordinate template
  const intermediate = await createCa("SUBORDINATE", "Intermediate CA");
  const intermediateCert = await issueCertificate(root.arn, intermediate.csrPem,
    "arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1", 365);
  await client.send(new ImportCertificateAuthorityCertificateCommand({
    CertificateAuthorityArn: intermediate.arn,
    Certificate: Buffer.from(intermediateCert),
    CertificateChain: Buffer.from(rootCert), // the CAs above the subordinate, here only the root
  }));
  console.log({ rootArn: root.arn, intermediateArn: intermediate.arn });
}

main().catch((err) => { console.error(err); process.exit(1); });

AWS Private CA Templates

AWS Private CA offers predefined templates to streamline certificate issuance for various use cases. These templates encapsulate best practices and simplify the process of generating certificates for specific scenarios.

  • End Entity Certificate Template: For issuing certificates directly to end entities such as servers, clients, or IoT devices.
  • Subordinate CA Certificate Template: Simplifies the creation of intermediate CAs for delegating certificate issuance authority.
  • Root CA Certificate Template: Facilitates the creation of self-signed root certificates for establishing trust within the PKI.

Read more on AWS Templates

In conclusion, the AWS Private CA SDK provides a powerful toolkit for managing digital certificates, allowing organizations to establish robust security postures and ensure the integrity and confidentiality of their data. By leveraging AWS Private CA, developers can automate certificate management processes and focus on building secure and scalable applications.
