Skip to main content

Certificate Management

Leveraging ACM Certificates

warning

There is a limitation to using the ACM to provide individual certs for each enclave as either they are shared certs or it is one cert per enclave. However, these work well if the enclave replica count is set to 1.

Instead of enclave generating a child certificate from the CA certificate provided by the user, we can provide a child certificate directly.

The child certificate can be obtained from ACM. This could be a private key generated from AWS Private Certificate Authority.

  1. Create an AWS private CA of type root. We can set the subject accordingly:

    cat /path/to/ca_config.json
    {
      "KeyAlgorithm": "RSA_2048",
      "SigningAlgorithm": "SHA256WITHRSA",
      "Subject": {
        "Country": "IE",
        "State": "Dublin",
        "Locality": "Dublin",
        "Organization": "Oblivious",
        "OrganizationalUnit": "Oblivious",
        "CommonName": "MyPrivateCA"
      }
    }

    aws acm-pca create-certificate-authority \
    	--certificate-authority-configuration file://path/to/ca_config.txt \
    	--certificate-authority-type "ROOT" \
    	--idempotency-token 98256344
    	
    arn:aws:acm-pca:<REGION>:<ACCOUNT_ID>:certificate-authority/xxxxxx-xxxx-xxxx-xxxx-xxxxx

  2. After we get the ARN of private CA (certificate authority), we can create CSR (Certificate Signing Request) for the child certificate:

    openssl  req  -new  \
    	-newkey  rsa:2048  \
    	-nodes  \
    	-keyout  /path/to/cert_priv_key.pem \
    	-subj "/C=IE/ST=Dublin/L=Dublin/O=Oblivious/OU=Oblivious/CN=enclavecert" \
    	-out /path/to/cert.csr

  3. We can then issue a certificate from this CSR. Make sure the validity of this certificate is less than that of a private CA. This returns the arn of the certificate:

    aws acm-pca issue-certificate \
    	--certificate-authority-arn $ca_arn \
    	--signing-algorithm SHA256WITHRSA \
    	--validity Value=60,Type=DAYS \
    	--csr fileb://path/to/cert.csr
    	
    arn:aws:acm-pca:<REGION>:<ACCOUNT_ID>:certificate-authority/12345678-1234-1234-1234-123456789012/certificate/286535153982981100925020015808220737245

  4. We can then get the certificate using this arn:

    aws acm-pca get-certificate \
    	--certificate-arn $cert_arn \
    	--certificate-authority-arn $ca_arn

  5. Next, we can encrypt the private key of the child certificate and upload both the encrypted and public key to s3. More on this here.

  6. We can pass the s3 location with kms key id to the user manifest and deploy the enclave.