Integrating Amazon Certificate Manager with Venafi

Use Venafi's AWS Certificate Manager (ACM) driver to integrate with the Amazon Web Services (AWS) ecosystem to better secure your machine identities.

ACM is designed to simplify certificate acquisition and administrative processes by generating and storing keys, CSRs and certificates internally.

You can use the Venafi ACM driver to manage both public and private (external and internal) certificates across multiple regions.

Before you start

Before you can issue private certificates, you need to create a private CA within each region where you want to issue and revoke private digital certificates.

When you request a public ACM certificate, you only need to specify valid names: a Common Name, and any number of DNS Subject Alternative Names. Other settings that are generally relevant to key and CSR generation are not applicable when using ACM. To learn more about ACM, see https://aws.amazon.com/certificate-manager/.

DID YOU KNOW?  Venafi Trust Protection Platform™ can request and retrieve certificates from ACM, and also from Amazon Private CAs. This enables your organization to support those certificates using essentially the same processes you have used for other certificate authorities.

DID YOU KNOW?   Certificates issued by the Amazon CA are also renewed by the Amazon CA automatically if they are in use by an AWS application. Therefore, it isn't necessary for Trust Protection Platform to do any further lifecycle management for those certificates (SSL/TLS Validation should be used to ensure that Amazon renewed the certificate automatically, as expected).

However, if the Amazon CA renews the certificate automatically, the renewed certificate will then have to be imported into Trust Protection Platform. Amazon starts the renewal process 60 days before the certificate expires; then, in some cases, domain control validation (DCV) processes can delay its completion by a few days. When Trust Protection Platform attempts to renew the certificate, Amazon returns the current version of the certificate—the one with exactly the same CN and DNS SANs—if it exists.

If this chain of events occurs before 60 days from expiration, there will be no change in the certificate despite having completed the enrollment lifecycle; but if it happens after Amazon has completed the renewal of the certificate, then Trust Protection Platform retrieves the new certificate.

To avoid this issue, you should adjust your ACM-issued certificate settings this way:

  • Set the Disable Automatic Renewal setting to No (disabled).
  • Add an additional week to the Renewal Window (about 7 days, or approximately 53 days total) to give the DCV process time to complete before the renewal process starts.

For more information, refer the following Amazon FAQ:

https://aws.amazon.com/certificate-manager/faqs

Ready to go?

From a high level, here are the key steps we'll take to integrate AWS with Venafi Trust Protection Platform:

Step 1: Verify that your Amazon account is ready to go

First things first

Make sure that you have the correct permissions specified in your AWS policy and the AWS role that you'll use with Venafi Trust Protection Platform.

{

 

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [

"acm:RequestCertificate",

"acm:GetCertificate",

"acm:DeleteCertificate",

"acm:ImportCertificate",

"acm:ListCertificates",

"ec2:DescribeInstances"

"acm-pca:ListCertificateAuthorities",

"acm-pca:GetCertificateAuthorityCertificate",

"acm-pca:GetCertificate",

"acm-pca:IssueCertificate",

"acm-pca:RevokeCertificate",

],

 

"Resource": "*"

}

]

}

You can remove specific features that you don't plan to use by simply omitting lines from the policy. For example, if you know that you will not be using ACM, delete any actions that start with "acm:".

 

Step 2: Set up an Amazon Private CA (Optional)

If you're going to use an Amazon Private CA to generate private digital certificates, then you'll need to complete the following tasks in Amazon Certificate Manager. (ACM).

  1. Create and configure an Amazon Private CA within a specific region, if you've not already done so.

    Be sure to note the region because you'll need that information when configuring Venafi's Amazon AWS driver.

  2. Update the AWS policy to give permissions to the Private CA (see Integrating Amazon Certificate Manager with Venafi in the section above).

  3. Give the AWS role you'll use with Venafi's Amazon Credential(a step you'll complete later) permission to the Private CA.

 

Step 3: Create an Amazon Credential

In Trust Protection Platform, create an Amazon credential and specify the AWS role that has permissions to the private CA in ACM. The AWS role used by the Amazon credential in Trust Protection Platform must have access to the Private CA.

To create an Amazon Credential

  1. From the TLS Protect menu bar, click Inventory > Credentials, and then click Create a New Credential.

  2. Click the Credential Type list and select Amazon.

  3. Click Folder and select the policy folder in which to create your new credential.

  4. In Credential Name, type a unique name for the new credential object, and then click Create and Configure.

  1. Click the Source list and select Local, EC2 Assigned Role, or ADFS, depending on which authentication method you need.

  2. (Conditional) If you selected Local from the Source list, then do the following:

    1. Type a password in the Access Key and Secret Key fields, respectively.

      You'll be required to retype them in each of the confirmation fields.

    2. (Optional) If you plan to use this new Amazon Credential to access multiple AWS accounts (using cross-accounts), then in Role Name or Role to Assume, type just the AWS role name you've set up in AWS (no need to enter the entire ARN).

      If you are using cross-accounts, see Authenticating to multiple AWS accounts using a single Amazon Credential.

    3. In cases where you need an External ID, you can type it here in the External ID field.

      The primary function of External ID is to address and prevent the "confused deputy" issue. The External ID makes it less likely that a non-Trust Protection Platform user can access the other AWS account. Without the External ID protection, any IAM user within the AWS account where the Trust Protection Platform user resides, would be able to access the other AWS accounts simply by knowing the name of the role in the other account. 

      When applying account credentials to provision a certificate, Amazon requires an External ID. The value must have a minimum of 2 characters and a maximum of 1,224 characters. The value must be alphanumeric without white spaces. It can also include the following symbols: plus (+), equal (=), comma (,), period (.), at (@), colon (:), forward slash (/), and hyphen (-).

      For more information, visit Amazon's article, How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.

    4. When you're finished, click Save.

  3. (Conditional) If you selected ADFS from the Source drop-down list, then do the following:

    1. In the ADFS Username Credential field, select an Amazon credential.

      If you haven't yet created a user name credential for use with Amazon, click Create New Credential to define a new one, and then continue.

    2. In the Web Service URL field, type the full URL of your ADFS server.

    3. From the Role list, select the account that has the required permissions.

      DID YOU KNOW?  Each of the roles that appear in the Role list uses the following format:

      arn:aws:iam::AWSAccountNumber:role/RoleMappedToADgroupByADFS

      So, for example:

      arn:aws:iam::123423455678:role/MYCO-VenafiTPP

      For more information about setting up your federated sign-in through Active Directory (AD) and ADFS, visit https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/.

    4. When you're finished, click Save.

  4. (Conditional) If you selected EC2 Assigned Role from the Source drop-down list, just click Save to finish.

    When you select this option, Trust Protection Platform authenticates with permissions that are assigned to the EC2 server on which it is running.

    IMPORTANT  If you don't see this mode in the Source list, you don't have the proper permissions to use it. You must be either a master administrator, or you must request that you be added to the authorized identities list for using the AWS EC2 Assigned Role. To continue, contact a master administrator. See Authorizing the use of EC2 Assigned Role for Amazon credentials.

For additional information, see Creating Amazon credentials.

Step 4: Create and configure an AWS Certificate Manager CA template

To enable Trust Protection Platform to manage certificates issued by Amazon for use by AWS applications, you must create an AWS Certificate Manager CA template object.

What's a CA template object? ClosedClick Me:ClosedCA templates provide Trust Protection Platform with the information it needs to request, retrieve and retire certificates issued by the Amazon CA.

To create and configure an Amazon Certificate Manager CA template

  1. From the TLS Protect menu bar, click Policy Tree.
  2. From the Tree drop-down menu, click Policy.
  3. In the Policy tree, select the folder where you want to create the CA Template object, and then click Add.
  4. Click CA Template, then select AWS Certificate Manager to create it.
  5. In the CA Name box, type a name for the new AWS Certificate Manager object.

  1. Under Configuration, select the AWS credential you created above (see Step 3: Create an Amazon Credential).

  2. From the Region list, select the region where your AWS application resides.

    For more information about AWS regions, visit http://docs.aws.amazon.com/general/latest/gr/rande.html.

  3. Specify a Certificate trust type by selecting either Public or Private certificate, depending on the type of certificates you want created.

  4. (Conditional) If you selected Public certificate as your certificate trust type, then do the following:

    1. Click Validate.

    2. Under Options, select a Domain Validation Recipient.

      ACM applies standard email-based domain validation requirements before issuing a certificate. Domain validation involves sending an email to a predefined set of administrative recipients (admin, administrator, hostmaster, postmaster, and webmaster) for approval of each of the names in the requested certificate. The email contains a hyperlink that takes the recipient to an approval web page where they click a button to indicate their approval.

      ACM allows the certificate requester to choose any sub-domain within the hierarchy of the requested name for the approver. Trust Protection Platform supports the following recipients. The following examples are applicable for "self.parent.example.com" as the requested name:

      • Second-Level Domain (@example.com)

      • Parent Domain (@parent.example.com)

      • Self Domain (@self.parent.example.com)

      If there are multiple names in a certificate request and some of the names are sub-domains of another, approving the highest level domain serves as approval for all of the sub-domains.

  5. (Conditional) If you selected Private certificate as your certificate trust type, then do the following:

    1. Click Validate.

    2. Under Options, select which private CA to use.

    3. Select Private key and CSR are generated by CA if you want ACM to generate them.

      Clear this box if you want Trust Protection Platform to generate the private key and CSR.

      IMPORTANT  Be sure to verify with Amazon or Venafi regarding any associated costs for generating private keys and CSRs. Pricing models change periodically and you should be aware of the costs before selecting either option.

    4. (Conditional) If you cleared the Private key and CSR are generated by CA checkbox, then you've opted to have Venafi generate them. In this case, do the following:
      1. Select a Template for created the private certificate.
      2. Select the Signature Algorithm to be used when generating the certificate.
      3. Enter a Validity Period (in days).
  6. Click Save.

To see additional attributes, review the settings on the Support tab.