E-commerce businesses are becoming ever more dependent on the digital economy and on electronic information, which in turn demands exacting data-privacy compliance and a rigorous data-security framework.
Public Key Infrastructure (PKI) has become essential for binding users, devices, services and organizations to their digital identities, in the form of certificates and the digital signatures made with the corresponding keys.
To all the crypto engineers out there: have you ever thought about a PKI implementation with minimal configuration and a fully scalable feature set, with all the benefits a cloud implementation has to offer?
Welcome to AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM PCA offers most of the features provided by on-prem PKI products.
Let’s understand the PKI offerings from AWS
ACM PCA supports two deployment models for a private PKI:
- Private Cloud: both the root CA and the subordinate CA exist in the AWS Cloud.
- Hybrid Cloud: the root CA exists in an on-prem data center, while the subordinate CA is in the AWS Cloud. The subordinate CA generates a certificate signing request (CSR) in AWS, the on-prem root CA signs it, and the resulting certificate (together with the root certificate as the chain) is imported back into the subordinate CA.
Let’s deep dive more on the ACM PCA Service:
With ACM Private CA, you can create a hierarchy of certificate authorities with up to five levels, i.e. the root CA at the top of the tree can have as many as four levels of subordinate CAs beneath it. You may also create multiple hierarchies, each with its own root.
ACM PCA issues X.509 end-entity certificates for TLS (encrypted channels), for authenticating users, computers, API endpoints and IoT devices, and for code signing, and it can publish certificate revocation status through the Online Certificate Status Protocol (OCSP) as well as certificate revocation lists (CRLs).
Those end-entity certificates can be consumed in two ways. If AWS Certificate Manager (ACM) requests a private certificate from your ACM PCA CA, the certificate can be associated with any service integrated with ACM (e.g. Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway). This works in both deployment models: the root CA may or may not live in AWS, but the CA that issues the certificate must be an ACM PCA subordinate CA in the AWS Cloud. Alternatively, if you issue a certificate directly through the ACM PCA API or the AWS CLI, or export a private certificate from ACM, you can install it anywhere your use case requires.
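The hybrid flow above (root on-prem, subordinate in AWS) is easiest to understand by rehearsing it offline. The script below is an added example, not code from the original article or from AWS: it uses openssl to play the on-prem root, signs the subordinate CA's CSR with a path-length constraint, issues an end-entity certificate from the subordinate, and then shows what that constraint buys you when someone tries to hang a further CA under the issuing CA. The aws CLI commands that would replace the subordinate's local key material with ACM PCA appear as comments at the step they correspond to. Subject names, file names, validity periods and the CA ARN placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): rehearse the hybrid ACM PCA hierarchy
# with openssl. Root (pathlen:1) -> issuing CA (pathlen:0) -> end-entity cert.
# Requires openssl 1.1.1 or later. Subject names, paths and CA_ARN are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_ARN="${CA_ARN:-arn:aws:acm-pca:REGION:ACCOUNT:certificate-authority/ID}"  # placeholder only

# Minimal req config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# new_key_and_csr NAME SUBJECT: P-256 key and CSR (ACM PCA calls this EC_prime256v1).
new_key_and_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes -sha256 \
    -config "$WORK/req.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign_csr NAME ISSUER DAYS: sign $WORK/NAME.csr with ISSUER's key; extensions come from stdin.
sign_csr() {
  cat > "$WORK/$1.ext"
  openssl x509 -req -sha256 -days "$3" -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# verify_chain LEAF UNTRUSTED_PEM: exit 0 iff LEAF chains to the root via the untrusted certs.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$2" "$1" >/dev/null 2>&1
}

build_hierarchy() {
  # 1. On-prem root CA (kept offline; in production the key lives in an HSM).
  #    pathlen:1 permits exactly one tier of subordinate CAs beneath it.
  new_key_and_csr root "/O=Example Corp/CN=Example Corp Root CA"
  cat > "$WORK/root.ext" <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

  # 2. Subordinate CA CSR. In the hybrid model ACM PCA holds the key and produces the CSR:
  #      aws acm-pca create-certificate-authority --certificate-authority-type SUBORDINATE \
  #          --certificate-authority-configuration file://sub-ca-config.json
  #      aws acm-pca get-certificate-authority-csr --certificate-authority-arn "$CA_ARN" --output text > sub.csr
  new_key_and_csr sub "/O=Example Corp/CN=Example Corp Issuing CA"

  # 3. Root signs the subordinate with pathlen:0: it may issue end-entity certificates only.
  #    Then hand the result back to ACM PCA:
  #      aws acm-pca import-certificate-authority-certificate --certificate-authority-arn "$CA_ARN" \
  #          --certificate fileb://sub.crt --certificate-chain fileb://root.crt
  sign_csr sub root 1825 <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # 4. End-entity certificate from the subordinate. ACM PCA equivalent:
  #      aws acm-pca issue-certificate --certificate-authority-arn "$CA_ARN" --csr fileb://leaf.csr \
  #          --signing-algorithm SHA256WITHECDSA --validity Value=365,Type=DAYS \
  #          --template-arn arn:aws:acm-pca:::template/EndEntityCertificate/V1
  new_key_and_csr leaf "/O=Example Corp/CN=api.internal.example.com"
  sign_csr leaf sub 365 <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:api.internal.example.com
EOF

  # 5. Failure mode: a CA certificate minted by the issuing CA (misconfiguration or
  #    compromise). Signing succeeds, but relying parties reject anything it issues.
  new_key_and_csr rogue "/O=Example Corp/CN=Unsanctioned Sub-Sub CA"
  sign_csr rogue sub 365 <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign
EOF
  new_key_and_csr leaf2 "/O=Example Corp/CN=evil.internal.example.com"
  sign_csr leaf2 rogue 365 <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  cat "$WORK/sub.crt" "$WORK/rogue.crt" > "$WORK/rogue_chain.pem"
}

build_hierarchy
if verify_chain "$WORK/leaf.crt" "$WORK/sub.crt"; then echo "leaf.crt:  accepted (root -> issuing CA -> leaf)"; fi
if ! verify_chain "$WORK/leaf2.crt" "$WORK/rogue_chain.pem"; then echo "leaf2.crt: rejected (path length exceeded at issuing CA)"; fi
```

The path-length constraint is the piece worth copying into your ACM PCA configuration: a subordinate that will only ever issue end-entity certificates should be constrained to pathlen:0 (the `SubordinateCACertificate_PathLen0/V1` template does this) so that a leaked issuing-CA key cannot be used to spin up a further tier of CAs that your clients would trust.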
After provisioning the ACM private CA, you can issue certificates directly, without the domain or organization validation a third-party public CA would require, and customized to your enterprise's internal needs. A few of the standard use cases are:
- Provision certificates with any subject name and any expiration (within the issuing CA's own validity period).
- Improve uptime through automated workflows for certificate issuance and renewal.
- Constrain certificate issuance using templates, so that a given CA can only produce certificates with the intended extensions and key usages.
As a final note, I would like to draw your attention to some of the best practices to effectively use ACM PCA:
- Design the CA hierarchy deliberately and document the reasoning (where the root and each subordinate CA are placed, and what each one is allowed to issue).
- Document policies for validity periods and path-length constraints at every level.
- Keep CA private keys secure; a compromised root or subordinate key invalidates every certificate beneath it.
- Keep certificate management current: revoke certificates when necessary, clear out old or unused certificates, and formulate a documented procedure for renewals and expirations.