AWS Private CA
Link DigiCert® Trust Lifecycle Manager to your AWS account to import, enroll, and manage certificates from certificate authorities in AWS Private CA.
Before you begin
You need an active DigiCert sensor to establish and manage the connection to your Amazon AWS account. To learn more, see Deploy and manage sensors.
Make sure the sensor system is configured with your AWS credentials, or that you have the AWS access key and secret key on hand to configure the connector with, as described in the Available AWS authentication methods section.
Make sure the AWS credentials you use to connect are for an AWS account that includes the permissions listed in the Minimum required AWS permissions section.
Available AWS authentication methods
When configuring an AWS Private CA connector in Trust Lifecycle Manager, you can use one of the following authentication methods to provide your AWS account credentials.
Minimum required AWS permissions
Your AWS account needs these permissions to enable the integration with Trust Lifecycle Manager.
| Permission | Purpose |
|---|---|
| AWS Private CA | |
| | Fetch available certificate authorities (CAs) from AWS Private CA. |
| | Issue certificates via CAs in AWS Private CA. |
| | Get certificate data from AWS Private CA. |
| | Revoke AWS Private CA certificates. |
| | Generate AWS Private CA audit reports to use for discovery. |
| AWS S3 | |
| | Create an S3 bucket if needed to store CA audit reports during discovery. |
| | Download CA audit reports to use for discovery. |
| | Remove CA audit reports from the S3 bucket when no longer needed for discovery. |
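The following is an added example, not code from DigiCert or AWS, of how a least-privilege IAM policy for the connector's credentials can be built and reviewed. The mapping from the purposes in the table to specific IAM action names, and the decision to scope every statement except the CA listing call to one CA ARN and one bucket, are this example's assumptions; the account ID, region, CA ID and bucket name are placeholders rather than values from this page. The `overbroad_statements` check flags any Allow statement that grants `Resource: "*"` for an action that could have been scoped, which is the review a practitioner should run before attaching the policy to the connector's user or role.

```python
"""Build a least-privilege IAM policy for a Trust Lifecycle Manager
AWS Private CA connector and flag over-broad statements.

Added example, not DigiCert's or AWS's code. The mapping from the
purposes in the permissions table to IAM action names, and the
resource scoping, are this example's assumptions; the account ID,
region, CA ID and bucket name used below are placeholders.
"""
import json

# Actions that have no resource-level permissions in IAM and therefore
# legitimately need Resource "*" (assumption based on the IAM action
# reference for AWS Private CA).
LIST_ONLY_ACTIONS = {"acm-pca:ListCertificateAuthorities"}


def build_policy(account_id: str, region: str, ca_id: str, bucket: str) -> dict:
    """Return an IAM policy document scoped to one CA and one S3 bucket."""
    ca_arn = f"arn:aws:acm-pca:{region}:{account_id}:certificate-authority/{ca_id}"
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Fetch available CAs: the list call cannot be scoped to a CA.
                "Sid": "FetchAvailableCAs",
                "Effect": "Allow",
                "Action": sorted(LIST_ONLY_ACTIONS),
                "Resource": "*",
            },
            {   # Issue, get, revoke and audit: scoped to the one CA the connector uses.
                "Sid": "IssueGetRevokeAudit",
                "Effect": "Allow",
                "Action": [
                    "acm-pca:IssueCertificate",
                    "acm-pca:GetCertificate",
                    "acm-pca:RevokeCertificate",
                    "acm-pca:CreateCertificateAuthorityAuditReport",
                    "acm-pca:DescribeCertificateAuthorityAuditReport",
                ],
                "Resource": ca_arn,
            },
            {   # Create the interim bucket (only needed if TLM creates it) and list it.
                "Sid": "AuditReportBucket",
                "Effect": "Allow",
                "Action": ["s3:CreateBucket", "s3:ListBucket"],
                "Resource": bucket_arn,
            },
            {   # Download and then remove audit reports: objects only, not the bucket.
                "Sid": "AuditReportObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:DeleteObject"],
                "Resource": f"{bucket_arn}/*",
            },
        ],
    }


def overbroad_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant Resource "*" for any
    action that could have been scoped to a specific resource."""
    flagged = []
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow" and "*" in resources:
            if not set(actions) <= LIST_ONLY_ACTIONS:
                flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # Placeholders (not values from the page): AWS's documentation example
    # account ID, a sample region, a made-up CA ID and a made-up bucket name.
    doc = build_policy("123456789012", "us-east-1", "PLACEHOLDER-CA-ID",
                       "example-tlm-audit-reports-123456789012")
    print(json.dumps(doc, indent=2))
    print("over-broad statements:", overbroad_statements(doc))
```

The identity policy above covers what the connector's credentials call. Because the audit report itself is written into the bucket by the AWS Private CA service, the bucket additionally needs a bucket policy that lets the `acm-pca.amazonaws.com` service principal write to it; that is an AWS requirement documented for audit reports, separate from the permissions in the table.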
Add AWS Private CA connector
From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
In the Certificate authorities section, select the tile for AWS Private CA.
Complete the form as described in the following steps.
Configure the general connector properties in the top section of the form:
Name: Assign a friendly name to this connector.
Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.
Managing sensor: Select an active DigiCert sensor to manage the integration.
Configure the AWS access details in the Link account section:
Account ID: Enter your AWS account ID number.
AWS region: Enter the AWS region for your AWS Private CA deployment.
Authentication method: Select one of three possible methods for authenticating your AWS account, as described in the Available AWS authentication methods section.
Fill out the Import attributes section if you want to import existing certificates from AWS Private CA:
Import certificates from this connector: Select whether to import certificates or not. If importing, select options for which certificates to import.
Amazon S3 bucket name: Enter the name of an existing S3 bucket or enter a new bucket name and select the option to create it. The S3 bucket is used as interim storage before importing certificates into Trust Lifecycle Manager.
Note
The S3 bucket must be in the same AWS region as your linked AWS Private CA deployment. S3 bucket names must be globally unique. If creating the S3 bucket, choose a name that is not likely to already exist in a different account.
Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.
Tags: Optionally assign tags to imported certificates to help categorize and manage them.
Schedule import frequency: Select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to import certificates from AWS.
Note
The minimum allowed import frequency for an AWS Private CA connector is every 30 minutes.
Select Add to create the AWS Private CA connector with the configured settings.
Issue certificates
Use the following base template to create certificate profiles in Trust Lifecycle Manager for enrolling private certificates from the CAs in a connected AWS account.
| Template name | Seat type | Enrollment methods |
|---|---|---|
| | | |
| | | |
In the certificate profile, select an enrollment method based on how you want to deploy the AWS-issued certificates:
Admin web request: To request certificates with automated delivery to web servers, Azure key vaults, or AWS Certificate Manager.
DigiCert agent: To install certificates on a web server using a DigiCert agent.
DigiCert sensor: To install certificates on a network appliance or cloud service using a DigiCert sensor.
3rd-party ACME client: To install certificates on a web server using a third-party ACME client like Certbot.