More Related Content Similar to SID305 AWS Certificate Manager Private CA (20) More from Amazon Web Services (20) SID305 AWS Certificate Manager Private CA1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Todd Cignetti
Sr. Product Manager, AWS Cryptography
AWS Certificate Manager
Private Certificate Authority
2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Motivation
• Introduction to ACM and ACM Private CA
• Benefits
• Features
• Demo
• APIs and SDK
• Use cases
• Wrap up
3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Motivation
4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
• Identify a website or application on the internet
• Secure network communications
• Browser users see a lock icon
• Improve search rankings with HTTPS
Why Use SSL/TLS Certificate?
5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Public vs. Private Certificate Authority
server.crt
Client Web server
Public CA
Verify server
certificate
Internal servers
server.crtclient.crt
Private CA
Applications, servers,
services, and devices in an
organization
Verify client
certificate
Verify server
certificate
6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Public Certificates and CAs
Public certificates are issued by public CAs to identify resources on the internet
Public certificates are trusted by default
• Public CA root certificates are installed in browser and OS trust stores by default
Public CAs must be operated according to strict rules (CA/browser forum)
• Identify resources with a public name (usually DNS name)
• Publish all issued certificates to public log (Certificate Transparency) (April 2018)
• Strict rules for validating identity, e.g., email validation or DNS validation
7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Private Certificates and CAs
Private certificates are similar to public certificates, but issued by private CAs and identify
resources in an organization
• Servers, websites, clients, devices, VPN users, and more
• Resources on private networks
Not trusted by default
• Administrator must install private CA certificates in client trust stores
Benefits
• Identify anything you want
• Define your own rules for issuance, validation, and naming
• Avoid constraints imposed on public certificates/CAs
8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenges of Operating Private CAs
• Maintaining private CAs is complex and expensive
• The security, accountability, and availability of a private CA is the organization’s
responsibility
• Resources need to be allocated for security and certificate maintenance
• Private CAs require infrastructure and security expertise
• Operating multiple CAs further increases complexity
9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenges of Managing Certificates
• Managing the certificate lifecycle
• Visibility
• Renewals
• Revocations
• Excel is the #1 used solution today
10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Challenges of Certificates for Dynamic
Resources
• Problem: How to identify dynamic cloud resources with certificates
• Enterprise private CAs
• Slow, inflexible, manual processes hamper agility
• Hard to manage, time-consuming, and painful
• Solution
• Secure API-driven private CA service for issuing certificates and vending
revocation info
11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Certificate Manager Private CA
(ACM Private CA)
12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing ACM Private Certificate Authority
(CA)
Organization
Resources
On-Premises Servers
AWS Resources
Devices
Amazon EC2
13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Getting Started with ACM Private CA
On-premises
CA Administrator
AWS
Subordinate
Private CA
Root/
Intermediate
CA
AWS Resources, Devices, Servers
14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Benefits
Secure and Managed Private
Certificate Authority
Manage Certificates Centrally Enable Developer Agility
Flexibility to Customize
Private Certificates Pay as You Go Pricing
16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secure Managed Private CA
Generated Audit
Reports
IAM Policies for
Access Control
Certificate
Revocation List
Hardware
Security Modules
17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Certificate Manager (ACM)
ACM makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the
AWS platform
18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ACM
• Enter a domain name, and seven clicks later a public SSL/TLS certificate is
issued for your domain
• Select the certificate from a drop-down list to deploy it
19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ACM Certificate Lifecycle Management
• Provides a single interface to manage both public and private
certificates
• ACM-managed certificates renew and deploy automatically
with ACM-integrated services
• Protects and stores private keys used with certificates via best
practices
• API hooks to let you export and deploy private certificates
from your code
20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customized Certificates
Private
Certificate
Custom
Lifetimes
Custom
Resource Names
Key Algorithms Signing Algorithms
RSA_2048 SHA256WITHECDSA
RSA_4096 SHA384WITHECDSA
EC_prime256v1 SHA512WITHECDSA
EC_secp384r1 SHA256WITHRSA
SHA384WITHRSA
SHA512WITHRSA
21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logging with AWS CloudTrail
• Record API calls that are made to and from ACM Private CA
• Must have permissions to write to an Amazon S3 bucket
• API calls from the ACM Private CA console, AWS CLI, or from
AWS SDKs are collected
AWS CloudTrail
22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Getting Started with ACM Private CA
On-premises
CA Administrator
AWS
Subordinate
Private CA
Root/
Intermediate
CA
AWS Resources, Devices, Servers
24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo – Create CA
25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Demo
26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ACM Certificate Management vs. Customer-Managed
ACM Certificate Management Standalone Private CA
Private keys ACM generates and manages Customer generates and manages
Certificate subject Valid DNS names only Any valid X.509 subject
Validity period 13 months Any validity period
Key and signature
algorithm
RSA 2048 with SHA-256 hashing
ECDSA or RSA keys
SHA-256, SHA-384, SHA-512 hashing
Export Available for private certificates N/A
Renewals Automatic after association or export Customer-managed
Deployment
ACM-managed for ACM-integrated services
Customer-managed for on-premises, EC2, IoT
Customer-managed
Benefits Central management Flexibility
27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
APIs and SDKs
28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API Service Driven for Automation
Ruby
iOS
Python (boto)
Android
Node.js
.NET
PHP
JavaScriptJava
Xamarin
AWS
SDKs
29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ACM Private CA APIs
CreateCertificateAuthority
IssueCertificate
GetCertificate
RevokeCertificate
UpdateCertificateAuthority
DeleteCertificateAuthority
ListCertificateAuthorities
DescribeCertificateAuthority
GetCertificateAuthorityCsr
CreateCertificateAuthorityAuditReport
DescribeCertificateAuthorityAuditReport
ImportCertificateAuthorityCertificate
GetCertificateAuthorityCertificate
TagCertificateAuthority
UntagCertificateAuthority
ListTags
30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ACM Private CA APIs
issue-certificate --certificate-authority-arn <value>
--csr <value>
--signing-algorithm <value>
OUTPUT: CertificateArn -> (string)
get-certificate --certificate-authority-arn <value>
--certificate-arn <value>
OUTPUT: Certificate -> (string)
CertificateChain -> (string)
31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
New ACM APIs for Private Certificates
request-certificate --domain-name <value>
[--subject-alternative-names <value>]
[--certificate-authority-arn <value>]
OUTPUT: CertificateArn -> (string)
export-certificate --certificate-arn <value
--passphrase <value>
OUTPUT: Certificate -> (string)
CertificateChain -> (string)
PrivateKey -> (string)
32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Certificate Example
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
55:55:a1:f4:24:46:0f:d1:fa:a3:9e:c0:86:03:7a:1f
Signature Algorithm: sha512WithRSAEncryption
Issuer: O=test-eu-west-1, CN=test-eu-west-1
Validity
Not Before: Mar 26 00:50:39 2018 GMT
Not After: Mar 27 01:50:39 2018 GMT
Subject: C=US, ST=VA, L=Herndon, O=Amazon, OU=AWS, CN=test.test.test.test
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Certificate Example
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Authority Key Identifier:
keyid:DC:86:2D:54:D1:8B:35:55:99:D3:7F:6A:B7:F6:23:8C:1A:2E:E8:7B
X509v3 Subject Key Identifier:
22:18:30:70:6F:D2:FC:7D:CB:64:16:B9:10:38:29:4E:1B:D2:54:33
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://3151-6072-4404-crl-bucket-111.s3.amazonaws.com/crl/d3d96506-9030-4f07-a2a5-0fd78d535dfd.crl
34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Cases
35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Use Cases
When should you consider using ACM Private Certificate Authority?
Securing internal services
Managed certificate renewals and binding
Issuing private certificates for internal resources
Replacement for self-signed certificates
36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Single Region Elastic Load Balancing
Architecture
InstancesElastic Load
Balancing
app1.internal
Region 1
37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deploy
Select or create a load balancer
38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deploy
Select an HTTPS listener, and choose a certificate from the drop-down list.
39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Wrap Up
40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
ACM Private CA Pricing
CA Operation
• $400 per month, per CA
• Monthly fee for the operation of
each ACM Private CA until you
delete it
• Free trial – First 30 days of CA operation are free for new accounts. You pay for certificates issued during
the trial.
Certificates issued
(per month, per region)
Price per
certificate
0–1,000 $0.75
1,000–10,000 $0.35
10,000+ $0.001
Certificates issued
• Public and private certificates for use with ACM-
integrated services are free
• You pay for certificates for which you have access to
the private key
41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Regions
• Northern Virginia
• Ohio
• Oregon
• Montreal
• Ireland
• Frankfurt
• London (coming soon)
• Tokyo
• Sydney
• Singapore
42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key Takeaways
ACM Private CA is a fully managed private CA without the complexity and high overhead
of managing one.
ACM can now manage the lifecycle of public and private certificates.
ACM Private CA provides agility and customization.
ACM Private CA integrates with other key AWS services such as, IAM, AWS CloudTrail
and tagging, providing more functionality and value.
43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Please complete the session survey in
the summit mobile app.
44. Submit Session Feedback
1. Tap the Schedule icon. 2. Select the session you
attended.
3. Tap Session Evaluation to
submit your feedback.
45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!