Skip to content
/ aws-pca-ca-gen Public
forked from theogravity/aws-pca-ca-gen

Generate a root CA and create a signed subordinate CA from the generated AWS PCA (Private Certificate Authority) CSR

License

MIT license
0 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

teknofile/aws-pca-ca-gen

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
create-ca.sh
create-ca.sh
 
 
openssl.cnf
openssl.cnf
 
 
sign-ca.sh
sign-ca.sh
 
 

Repository files navigation

aws-pca-ca-gen

Generate a root CA and create a signed subordinate CA from the generated AWS PCA (Private Certificate Authority) CSR.

Introduction

In order to create an AWS PCA, the CA that AWS generates from your parameters must be signed by a root CA. If you do not have a root CA, you must create one, and creating one is not very straightforward. I used two guides to create a set of scripts to generate a correct root CA and sign the CSR with the right parameters.

If you do not know anything about Private Key Infrastructure (PKI) or how certificates work, please read:

https://smallstep.com/blog/everything-pki.html

It will be one of the most valuable reads of your engineering career as you will encounter working with certificates frequently.

Notice

The configuration used to generate the key and certificates may not necessarily represent secure or best practices. Please consult or work with a security expert to determine the right Private Key Infrastructure for your organization. The provided scripts are for educational purposes only. See LICENSE for more info.

Depending on your perspective, AWS PCA can be expensive. As of current writing, maintaining a PCA CA runs at $400.00 USD / mo, while each created certificate is $0.75 USD. I am not responsible for any charges incurred. You are responsible for understanding the costs of running the PCA.

Steps

Generate the root CA

  • Place the Certificate Signing Request (CSR) file that is generated from AWS PCA (if you use the UI to download the CSR, it will be called CSR.pem) in this project's directory.
  • Run create-ca.sh to create the root CA. Fill in the details as prompted. Password is optional, if you use a password, use the same one when prompted.

Generate the signed PCA CA certificate

  • Run sign-ca.sh <CSR file> to sign the CSR (eg, ./sign-ca.sh CSR.pem)
  • Confirm signing the certificate (y)
  • Commit (y)

Generated Files:

These are the only files you should care about.

  • pca/certs/ca.cert.pem: Root CA certificate
  • pca/certs/pca.cert.pem: Subordinate CA certificate used for AWS PCA
  • pca/private/ca.key.pem: Root CA certificate key

PCA CA Import

  • Use pca/certs/pca.cert.pem for the Certificate Body
  • Use pca/certs/ca.cert.pem for the Certificate Chain

Your PCA CA should be ready to go at this point!

See Also

  • aws-pca - node.js library to generate and fetch certificates using PCA

About

Generate a root CA and create a signed subordinate CA from the generated AWS PCA (Private Certificate Authority) CSR

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Languages

  • Shell 100.0%