AWS Private CA

Link DigiCert® Trust Lifecycle Manager to your AWS account to import, enroll, and manage certificates from AWS Private CA certificate authorities.

Before you begin

You need an active DigiCert sensor to establish and manage the connection to your Amazon AWS account. To learn more, see Deploy and manage sensors.

Add AWS Private CA connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the tile for AWS Private CA.

    Complete the resulting form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Configure the AWS access details in the Link account section:

    • Account ID: Enter your AWS account ID number.

    • AWS region: Enter the AWS region for your AWS Private CA deployment.

    • Authentication method: Select one of three possible methods for authenticating to AWS.

      • Self authentication: Use your Access key ID and Secret access key.

      • Default AWS credential provider chain: Use a temporary credential provider chain. See Credentials chain.

      • AWS profile name: Use the Profile name for AWS.

  6. Fill out the Import attributes section if you want to import existing certificates from AWS Private CA:

    • Import certificates from this connector: Select whether to import certificates or not. If importing, select options for which certificates to import.

    • Amazon S3 bucket name: Enter the name of an existing S3 bucket or enter a new bucket name and select the option to create it. The S3 bucket is used as interim storage before importing certificates into Trust Lifecycle Manager.

      Note

      The S3 bucket must be in the same AWS region as your linked AWS Private CA deployment. S3 bucket names must be globally unique. If creating the S3 bucket, choose a name that is not likely to exist in a different account.

    • Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.

    • Tags: Optionally assign tags to imported certificates to help categorize and manage them.

    • Schedule import frequency: Select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to import certificates from AWS.

      Note

      The minimum allowed import frequency for an AWS Private CA connector is every 30 minutes.

  7. Select Add to create the AWS Private CA connector with the configured settings.
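The following is an added example, not DigiCert's or AWS's code, that performs offline pre-flight checks on the values entered in the form above before the connector is created. It models the form as a plain dict (field names such as auth_method, bucket_region and import_every are assumptions for this example, not the product's own labels) and checks the constraints the page states: a 12-digit account ID, a region code, the fields each authentication method requires, an S3 bucket in the same region as the Private CA, and an import frequency of at least 30 minutes after converting the chosen unit. It goes a step beyond the page by also applying the general-purpose S3 bucket naming rules, so an unusable bucket name is caught before the connector tries to create it.

```python
"""Offline pre-flight checks for an AWS Private CA connector configuration.

Added example; not DigiCert or AWS code. Field names are assumptions made
for this example and do not correspond to labels in the product UI.
"""
import ipaddress
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# AWS region codes look like us-east-1, eu-central-2, us-gov-west-1 ...
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")
# General-purpose S3 bucket names: 3-63 chars, lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

MIN_IMPORT_MINUTES = 30  # minimum import frequency stated for this connector
UNIT_TO_MINUTES = {"minutes": 1, "hours": 60, "weeks": 7 * 24 * 60}


def frequency_in_minutes(value: int, unit: str) -> int:
    """Convert a 'value + unit' import schedule to whole minutes."""
    if unit not in UNIT_TO_MINUTES:
        raise ValueError(f"unknown unit: {unit}")
    if value <= 0:
        raise ValueError("frequency must be positive")
    return value * UNIT_TO_MINUTES[unit]


def is_valid_bucket_name(name: str) -> bool:
    """Apply the S3 naming rules; also rejects '..' and IP-address-shaped names."""
    if not BUCKET_RE.fullmatch(name) or ".." in name:
        return False
    try:
        ipaddress.IPv4Address(name)
        return False  # S3 rejects names such as 192.168.5.4
    except ValueError:
        return True


def validate_connector(cfg: dict) -> list[str]:
    """Return the list of problems found; an empty list means the form is consistent."""
    problems = []
    if not ACCOUNT_ID_RE.fullmatch(str(cfg.get("account_id", ""))):
        problems.append("account_id must be the 12-digit AWS account number")
    region = cfg.get("region", "")
    if not REGION_RE.fullmatch(region):
        problems.append(f"region '{region}' is not a recognised AWS region code")

    method = cfg.get("auth_method")
    if method == "self":
        # Long-lived access keys: both halves are required.
        if not (cfg.get("access_key_id") and cfg.get("secret_access_key")):
            problems.append("self authentication needs an access key ID and a secret access key")
    elif method == "profile":
        if not cfg.get("profile_name"):
            problems.append("AWS profile authentication needs a profile name")
    elif method != "chain":  # 'chain' = default AWS credential provider chain
        problems.append("auth_method must be one of: self, chain, profile")

    if cfg.get("import_certificates"):
        bucket = cfg.get("bucket_name", "")
        if not is_valid_bucket_name(bucket):
            problems.append(f"S3 bucket name '{bucket}' violates S3 naming rules")
        if cfg.get("bucket_region") != region:
            problems.append("S3 bucket must be in the same region as the AWS Private CA deployment")
        try:
            minutes = frequency_in_minutes(cfg.get("import_every", 0), cfg.get("import_unit", ""))
            if minutes < MIN_IMPORT_MINUTES:
                problems.append(f"import frequency of {minutes} min is below the {MIN_IMPORT_MINUTES}-minute minimum")
        except ValueError as exc:
            problems.append(f"import schedule: {exc}")
    return problems


# Constructed sample configuration containing three deliberate mistakes.
SAMPLE = {
    "account_id": "123456789012",   # constructed placeholder account number
    "region": "us-east-1",
    "auth_method": "chain",
    "import_certificates": True,
    "bucket_name": "My_Bucket",      # uppercase and underscore are not allowed
    "bucket_region": "us-west-2",    # different region from the CA
    "import_every": 15,
    "import_unit": "minutes",        # below the 30-minute minimum
}

if __name__ == "__main__":
    for problem in validate_connector(SAMPLE):
        print("-", problem)
```

Run as a script it lists the three problems in SAMPLE. Using the default credential provider chain or a named profile keeps long-lived access keys out of the form entirely, which is why the check for self authentication only insists on both key halves being present rather than treating that method as preferred.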

Issue certificates

Use the following base template to create certificate profiles in Trust Lifecycle Manager for enrolling private certificates from the CAs in a connected AWS account.

Template name: AWS Private CA Server Certificate

Seat type: Certificate management

Enrollment methods:

  • Admin web request

  • DigiCert agent

  • DigiCert sensor

  • 3rd-party ACME client

In the certificate profile, select an enrollment method based on how you want to deploy the AWS-issued certificates:

What's next

  • Monitor and manage AWS Private CA certificates from your Inventory page.

  • Go to the Integrations > Connectors page in Trust Lifecycle Manager to view, check status, or manage a connector.

  • Select one of the View actions for a connector to load a pre-filtered inventory list of digital trust assets associated with it.