Skip to main content

AWS Private CA

Link DigiCert​​®​​ Trust Lifecycle Manager to your AWS account to import, enroll, and manage certificates from certificate authorities in AWS Private CA.

Before you begin

  • You need an active DigiCert sensor to establish and manage the connection to your Amazon AWS account. To learn more, see Deploy and manage sensors.

  • Make sure the sensor system is configured with your AWS credentials or that you have the AWS access key and secret key on hand to use to configure the connector, as described in the Available AWS authentication methods section.

  • Make sure the AWS credentials you use to connect are for an AWS account that includes the permissions listed in the Minimum required AWS permissions section.

Available AWS authentication methods

When configuring an AWS Private CA connector in Trust Lifecycle Manager, you can use one of the below authentication methods to provide your AWS account credentials.

Minimum required AWS permissions

Your AWS account needs these permissions to enable the integration with Trust Lifecycle Manager.

Permission

Purpose

AWS Private CA

acm-pca:ListCertificateAuthorities

Fetch available certificate authorities (CAs) from AWS Private CA.

acm-pca:IssueCertificate

Issue certificates via CAs in AWS Private CA.

acm-pca:GetCertificate

Get certificate data from AWS Private CA.

acm-pca:RevokeCertificate

Revoke AWS Private CA certificates.

acm-pca:CreateCertificateAuthorityAuditReport

Generate AWS Private CA audit reports to use for discovery.

AWS S3

s3:CreateBucket

Create an S3 bucket if needed to store CA audit reports during discovery.

s3:GetObject

Download CA audit reports to use for discovery.

s3:DeleteObject

Remove CA audit reports from the S3 bucket when no longer needed for discovery.

Add AWS Private CA connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the tile for AWS Private CA.

    Complete the form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Configure the AWS access details in the Link account section:

    • Account ID: Enter your AWS account ID number.

    • AWS region: Enter the AWS region for your AWS Private CA deployment.

    • Authentication method: Select one of three possible methods for authenticating your AWS account, as described in the Available AWS authentication methods section.

  6. Fill out the Import attributes section if you want to import existing certificates from AWS Private CA:

    • Import certificates from this connector: Select whether to import certificates or not. If importing, select options for which certificates to import.

    • Amazon S3 bucket name: Enter the name of an existing S3 bucket or enter a new bucket name and select the option to create it. The S3 bucket is used as interim storage before importing certificates into Trust Lifecycle Manager.

      Nota

      The S3 bucket must be in the same AWS region as your linked AWS Private CA deployment. S3 bucket names must be globally unique. If creating the S3 bucket, choose a name that is not likely to be exist in a different account.

    • Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.

    • Tags: Optionally assign tags to imported certificates to help categorize and manage them.

    • Schedule import frequency: Select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to import certificates from AWS.

      Nota

      The minimum allowed import frequency for an AWS Private CA connector is every 30 minutes.

  7. Select Add to create the AWS Private CA connector with the configured settings.

Issue certificates

Use the following base template to create certificate profiles in Trust Lifecycle Manager for enrolling private certificates from the CAs in a connected AWS account.

Template name

Seat type

Enrollment methods

AWS Private CA Server Certificate

Certificate management

  • Admin web request

  • DigiCert agent

  • DigiCert sensor

  • 3rd-party ACME client

In the certificate profile, select an enrollment method based on how you want to deploy the AWS-issued certificates:

What's next

  • Monitor and manage certificates from your Inventory page in Trust Lifecycle Manager.

  • Go to the Integrations > Connectors page to view, check status, or manage a connector.

  • Select one of the View actions for a connector to load a pre-filtered inventory list of digital trust assets associated with it.