AWS Private CA

Link DigiCert® Trust Lifecycle Manager to your AWS account to import, enroll, and manage certificates from certificate authorities in AWS Private CA.

Before you begin

  • You need an active DigiCert sensor to establish and manage the connection to your Amazon AWS account. To learn more, see Deploy and manage sensors.

  • Make sure the sensor system is configured with your AWS credentials or that you have the AWS access key and secret key on hand to use to configure the connector, as described in the Available AWS authentication methods section.

  • Make sure the AWS credentials you use to connect are for an AWS account that includes the permissions listed in the Minimum required AWS permissions section.

Available AWS authentication methods

When configuring an AWS Private CA connector in Trust Lifecycle Manager, you can use one of the following authentication methods to supply your AWS account credentials.

Minimum required AWS permissions

Your AWS account needs these permissions to enable the integration with Trust Lifecycle Manager.

| Permission | Purpose |
|---|---|
| AWS Private CA | |
| acm-pca:ListCertificateAuthorities | Fetch available certificate authorities (CAs) from AWS Private CA. |
| acm-pca:IssueCertificate | Issue certificates via CAs in AWS Private CA. |
| acm-pca:GetCertificate | Get certificate data from AWS Private CA. |
| acm-pca:RevokeCertificate | Revoke AWS Private CA certificates. |
| acm-pca:CreateCertificateAuthorityAuditReport | Generate AWS Private CA audit reports to use for discovery. |
| AWS S3 | |
| s3:CreateBucket | Create an S3 bucket if needed to store CA audit reports during discovery. |
| s3:GetObject | Download CA audit reports to use for discovery. |
| s3:DeleteObject | Remove CA audit reports from the S3 bucket when no longer needed for discovery. |
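The table lists actions only; when you turn it into an IAM policy for the connector's credentials, scope every resource-level action to the CAs and bucket the connector actually uses. The following is an added example (not DigiCert's or AWS's code) that builds such a least-privilege policy document and lints it for actions widened to `Resource "*"`; the region, account ID, CA IDs and bucket name are caller-supplied placeholders.

```python
import json

# Actions from the "Minimum required AWS permissions" table above.
# ListCertificateAuthorities is account-wide and only accepts Resource "*";
# the other acm-pca actions are resource-level and can be pinned to CA ARNs.
LIST_ACTION = "acm-pca:ListCertificateAuthorities"
CA_ACTIONS = ["acm-pca:IssueCertificate", "acm-pca:GetCertificate",
              "acm-pca:RevokeCertificate", "acm-pca:CreateCertificateAuthorityAuditReport"]


def connector_policy(region, account_id, ca_ids, bucket):
    """Build an IAM policy document granting only the connector's actions,
    scoped to the given CAs and audit-report bucket. All arguments are
    caller-supplied assumptions, not values from the page."""
    ca_arns = [f"arn:aws:acm-pca:{region}:{account_id}:certificate-authority/{c}"
               for c in ca_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListCAs", "Effect": "Allow",
             "Action": LIST_ACTION, "Resource": "*"},
            {"Sid": "UseSelectedCAs", "Effect": "Allow",
             "Action": CA_ACTIONS, "Resource": ca_arns},
            # CreateBucket targets the bucket ARN; object actions target bucket/*.
            {"Sid": "AuditReportBucket", "Effect": "Allow",
             "Action": "s3:CreateBucket", "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "AuditReportObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def wildcard_grants(policy):
    """Lint: return actions granted on Resource "*" other than the one that
    needs it, catching policies widened to "*" for convenience."""
    found = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" in resources:
            found.extend(a for a in actions if a != LIST_ACTION)
    return found


if __name__ == "__main__":
    # Constructed sample values: documentation-style account ID, CA ID and bucket name.
    policy = connector_policy("us-east-1", "111122223333",
                              ["11111111-2222-3333-4444-555555555555"], "tlm-pca-audit-example")
    print(json.dumps(policy, indent=2))
```

The audit report is written into the bucket by AWS Private CA itself, so the bucket additionally needs a bucket policy that lets the acm-pca.amazonaws.com service principal put objects; that is separate from the IAM permissions granted to the connector's credentials.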

Add AWS Private CA connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the tile for AWS Private CA.

    Complete the form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Configure the AWS access details in the Link account section:

    • Account ID: Enter your AWS account ID number.

    • AWS region: Enter the AWS region for your AWS Private CA deployment.

    • Authentication method: Select one of three possible methods for authenticating your AWS account, as described in the Available AWS authentication methods section.

  6. Fill out the Import attributes section if you want to import existing certificates from AWS Private CA:

    • Import certificates from this connector: Select whether to import certificates or not. If importing, select options for which certificates to import.

    • Amazon S3 bucket name: Enter the name of an existing S3 bucket or enter a new bucket name and select the option to create it. The S3 bucket is used as interim storage before importing certificates into Trust Lifecycle Manager.

      Note

      The S3 bucket must be in the same AWS region as your linked AWS Private CA deployment. S3 bucket names must be globally unique. If creating the S3 bucket, choose a name that is not likely to exist in a different account.

    • Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.

    • Tags: Optionally assign tags to imported certificates to help categorize and manage them.

    • Schedule import frequency: Select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to import certificates from AWS.

      Note

      The minimum allowed import frequency for an AWS Private CA connector is every 30 minutes.

  7. Select Add to create the AWS Private CA connector with the configured settings.

Issue certificates

Use the following base template to create certificate profiles in Trust Lifecycle Manager for enrolling private certificates from the CAs in a connected AWS account.

| Template name | Seat type | Enrollment methods |
|---|---|---|
| AWS Private CA Server Certificate | Certificate management | Admin web request; DigiCert agent; DigiCert sensor; 3rd-party ACME client |

In the certificate profile, select an enrollment method based on how you want to deploy the AWS-issued certificates.

What's next

  • Monitor and manage certificates from your Inventory page in Trust Lifecycle Manager.

  • Go to the Integrations > Connectors page to view, check status, or manage a connector.

  • Select one of the View actions for a connector to load a pre-filtered inventory list of digital trust assets associated with it.