Skip to main content

Certificate Management

ACM Certificates

Warning

There is a limitation to using the ACM to provide individual certs for each enclave as either they are shared certs or it is one cert per enclave. However, these work well if the enclave replica count is set to 1.

Instead of enclave generating a child certificate from the CA certificate provided by the user, we can provide a child certificate directly.

The child certificate can be obtained from ACM. This could be a private key generated from AWS Private Certificate Authority.

1
Create an AWS private CA of type root. We can set the subject accordingly
cat /path/to/ca_config.json
{
  "KeyAlgorithm": "RSA_2048",
  "SigningAlgorithm": "SHA256WITHRSA",
  "Subject": {
    "Country": "IE",
    "State": "Dublin",
    "Locality": "Dublin",
    "Organization": "Oblivious",
    "OrganizationalUnit": "Oblivious",
    "CommonName": "MyPrivateCA"
  }
}

aws acm-pca create-certificate-authority \
	--certificate-authority-configuration file://path/to/ca_config.txt \
	--certificate-authority-type "ROOT" \
	--idempotency-token 98256344

arn:aws:acm-pca:<REGION>:<ACCOUNT_ID>:certificate-authority/xxxxxx-xxxx-xxxx-xxxx-xxxxx
2
After we get the ARN of private CA (certificate authority), we can create CSR (Certificate Signing Request) for the child certificate
openssl  req  -new  \
	-newkey  rsa:2048  \
	-nodes  \
	-keyout  /path/to/cert_priv_key.pem \
	-subj "/C=IE/ST=Dublin/L=Dublin/O=Oblivious/OU=Oblivious/CN=enclavecert" \
	-out /path/to/cert.csr
3
We can then issue a certificate from this CSR. Make sure the validity of this certificate is less than that of a private CA. This returns the arn of the certificate
aws acm-pca issue-certificate \
	--certificate-authority-arn $ca_arn \
	--signing-algorithm SHA256WITHRSA \
	--validity Value=60,Type=DAYS \
	--csr fileb://path/to/cert.csr

arn:aws:acm-pca:<REGION>:<ACCOUNT_ID>:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245
4
We can then get the certificate using this arn
aws acm-pca get-certificate \
	--certificate-arn $cert_arn \
	--certificate-authority-arn $ca_arn
5
Next, we can encrypt the private key of the child certificate and upload both the encrypted and public key to s3. More on this here.
6
We can pass the s3 location with kms key id to the user manifest and deploy the enclave.