ACM / Private CA notes

ACM gives out nice, free certs to ELBs and so forth. For other things, you need a "private CA". We have one of those, set up in legacy prod (477548533976). It's called "MDR Intermediate CA G2".

The root CA for that is currently in a small VM on Duane's laptop. The whole VM is backed up to Duane's OneDrive. This small CA (running on OpenSSL alone) is offline for both security (offline roots are best, "they" say) and cost purposes (AWS charges $400 / month per PCA, and having one PCA for the root and another for the intermediate seemed extravagant given the root is never used).
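What the offline root actually does for a living is sign the intermediate's CSR, and with an OpenSSL-only root that is a handful of commands. The script below is an added example, not the team's own scripts: the root and the "intermediate" CSR are constructed fixtures standing in for the real offline root and for the CSR ACM PCA hands you when you create a subordinate CA, and the subject names, lifetimes and file names are all assumed. Nothing in it touches AWS.

```shell
#!/bin/sh
# Added example (not the team's own scripts): the offline-root step the notes
# describe, using only the openssl CLI. The root CA and the "intermediate" CSR
# are constructed fixtures; the real subordinate CA key never leaves ACM PCA.
set -eu

# Minimal req config so the commands do not depend on the system openssl.cnf.
# (Constructed; -subj supplies the subject, so the empty [dn] section is fine.)
req_config() {   # $1 = path to write
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\n' > "$1"
}

# Constructed root: self-signed, CA:TRUE, key usable only for signing CA certs
# and CRLs. A production root would use a larger RSA key or an EC key and stay
# on the offline machine; 2048 bits keeps this example fast.
make_constructed_root() {   # $1 = workdir
  req_config "$1/req.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/root.key" 2>/dev/null
  openssl req -new -config "$1/req.cnf" -key "$1/root.key" \
      -subj "/CN=Example Offline Root CA" -out "$1/root.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' > "$1/root.ext"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -sha256 -days 3650 \
      -extfile "$1/root.ext" -out "$1/root.crt" 2>/dev/null
}

# Constructed stand-in for the subordinate CA CSR that PCA would give you.
make_constructed_intermediate_csr() {   # $1 = workdir (after make_constructed_root)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/inter.key" 2>/dev/null
  openssl req -new -config "$1/req.cnf" -key "$1/inter.key" \
      -subj "/CN=Example Intermediate CA" -out "$1/inter.csr"
}

# The one operation the offline root exists for: sign a subordinate CA's CSR.
# pathlen:0 lets the intermediate issue end-entity certs but no further CAs,
# so whoever controls the PCA still cannot mint new intermediates under the root.
sign_intermediate_csr() {   # $1 root.crt  $2 root.key  $3 csr  $4 output cert
  ext=$(mktemp)
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' \
                'subjectKeyIdentifier=hash' \
                'authorityKeyIdentifier=keyid:always' > "$ext"
  openssl x509 -req -in "$3" -CA "$1" -CAkey "$2" -CAcreateserial \
      -sha256 -days 1825 -extfile "$ext" -out "$4" 2>/dev/null
  rm -f "$ext"
}

# Checks to run before importing the signed cert into PCA.
verify_chain() {   # $1 root.crt  $2 cert  -> prints "<cert>: OK" on success
  openssl verify -CAfile "$1" "$2"
}
basic_constraints() {   # $1 cert -> e.g. "CA:TRUE,pathlen:0"
  openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Basic Constraints/{n;p;}' | tr -d ' '
}

main() {
  work=$(mktemp -d)
  make_constructed_root "$work"
  make_constructed_intermediate_csr "$work"
  sign_intermediate_csr "$work/root.crt" "$work/root.key" "$work/inter.csr" "$work/inter.crt"
  verify_chain "$work/root.crt" "$work/inter.crt"
  basic_constraints "$work/inter.crt"
  # Real flow: import inter.crt, with root.crt as the chain, into the PCA via
  # the console or `aws acm-pca import-certificate-authority-certificate`.
  echo "artifacts in $work"
}
main
```

The part that matters for the laptop-VM setup is `sign_intermediate_csr`: the root key only ever sees a CSR and an extension file, and `pathlen:0` caps what the resulting intermediate can do. Run `verify_chain` and `basic_constraints` on the signed cert before uploading it, since PCA will happily import a CA cert with the wrong constraints.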

If you need a cert, you can just issue one via this PCA. For most things I just use the GUI, but it should be accessible via the API if need be.

Each issued cert is cheap - like $2. So go crazy.

Requesting a cert using the GUI

  • Log into console, switch to legacy mdr prod
  • Go to ACM ( https://console.aws.amazon.com/acm/home?region=us-east-1#/ )
  • Clicky 'Request a certificate'
  • Clicky 'Request a private certificate'
  • Pick 'MDR Intermediate CA G2' CA
  • Put in your domain names whee
  • Clicky 'Review and Request'
  • Clicky 'Confirm and Request'
  • Pick the cert in the main "Certificates" view and "Export"
  • Put in a passphrase
  • You'll get the cert, chain, and PK
  • If you need the PK unencrypted, use `openssl rsa -in <exported-key.pem> -out <plain-key.pem>` (it prompts for the passphrase you set above)
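For the "accessible via API" route, and for checking what came out of the Export step, here is the same flow with the AWS CLI plus the local openssl checks. This is an added example, not the team's tooling: the CA ARN, domain names and file paths are placeholders, and the functions that call `aws` are only for the real flow. The constructed fixture at the bottom (a self-signed cert with its key encrypted the way ACM exports it) exercises only the openssl side, so the script runs without AWS access.

```shell
#!/bin/sh
# Added example (not the team's own tooling): request/export via the AWS CLI and
# sanity-check the result locally. ARNs, names and paths are placeholders.
set -eu

# Request a cert from the private CA and block until it is issued; prints the ARN.
request_private_cert() {   # $1 = CA ARN  $2 = primary domain  [$3...] = extra SANs
  ca_arn=$1; domain=$2; shift 2
  sans=""
  [ $# -gt 0 ] && sans="--subject-alternative-names $*"
  # shellcheck disable=SC2086  (sans is meant to word-split into CLI arguments)
  arn=$(aws acm request-certificate --certificate-authority-arn "$ca_arn" \
          --domain-name "$domain" $sans --query CertificateArn --output text)
  aws acm wait certificate-issued --certificate-arn "$arn"
  printf '%s\n' "$arn"
}

# Export cert, chain and (encrypted PKCS#8) private key as separate PEM files.
# The passphrase file is read raw, so keep it to one line with no newline.
export_private_cert() {   # $1 = cert ARN  $2 = passphrase file  $3 = output dir
  for field in Certificate CertificateChain PrivateKey; do
    aws acm export-certificate --certificate-arn "$1" --passphrase "fileb://$2" \
        --query "$field" --output text > "$3/$field.pem"
  done
}

# The 'openssl rsa -in' step from the notes: strip the passphrase from the key.
# The output is a bare private key, so it is written mode 0600 (swap in
# 'openssl pkey' if the PCA issued an EC key).
decrypt_private_key() {   # $1 = encrypted key  $2 = passphrase file  $3 = output
  (umask 077; openssl rsa -in "$1" -passin "file:$2" -out "$3" 2>/dev/null)
}

# Make sure the key really belongs to the cert by comparing public-key digests.
key_matches_cert() {   # $1 = cert  $2 = plaintext key  -> "match" or "MISMATCH"
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ] && echo match || echo MISMATCH
}

# Chain the leaf to its trust anchor and fail if it expires within $3 seconds.
# $1 must contain the root: the exported CertificateChain.pem works when it
# includes the root; otherwise point this at the root cert itself.
verify_leaf() {   # $1 = CA file  $2 = leaf cert  $3 = min seconds of validity left
  openssl verify -CAfile "$1" "$2" >/dev/null && \
    openssl x509 -in "$2" -noout -checkend "$3" >/dev/null
}

# Constructed fixture shaped like an ACM export: a self-signed RSA cert plus its
# key encrypted as PKCS#8 under the passphrase in pass.txt. Not real MDR material.
make_constructed_fixture() {   # $1 = workdir
  printf '%s' 'constructed-passphrase' > "$1/pass.txt"
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\n' > "$1/req.cnf"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/plain.key" 2>/dev/null
  openssl pkcs8 -topk8 -in "$1/plain.key" -passout "file:$1/pass.txt" -out "$1/PrivateKey.pem"
  openssl req -new -x509 -config "$1/req.cnf" -key "$1/plain.key" -sha256 -days 30 \
      -subj "/CN=constructed.example.internal" -out "$1/Certificate.pem"
  cp "$1/Certificate.pem" "$1/CertificateChain.pem"   # self-signed: it is its own root
}

main() {
  work=$(mktemp -d)
  make_constructed_fixture "$work"
  decrypt_private_key "$work/PrivateKey.pem" "$work/pass.txt" "$work/plain-out.key"
  key_matches_cert "$work/Certificate.pem" "$work/plain-out.key"
  verify_leaf "$work/CertificateChain.pem" "$work/Certificate.pem" 86400 && echo "chain OK, >1 day left"
  # Real flow (needs credentials in legacy prod; ACCOUNT and CA-ID are placeholders):
  #   arn=$(request_private_cert arn:aws:acm-pca:us-east-1:ACCOUNT:certificate-authority/CA-ID svc.example.internal)
  #   export_private_cert "$arn" "$work/pass.txt" "$work"
  echo "artifacts in $work"
}
main
```

`key_matches_cert` is the check people skip: after a few exports into the same directory it is easy to pair a cert with the wrong key, and the service will fail its TLS handshake rather than tell you why. The `-checkend` in `verify_leaf` is there because nothing renews these certs for you once they are exported off ACM.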

Future plans

This needs to be one of the things we move to GovCloud, I suppose. Alternately, there are rumors that CMPS is building an enterprise PKI of some sort for "Managed Services", and this may be a good chance to see if that is good and/or bad.