AWS Private CA
Link DigiCert® Trust Lifecycle Manager to your AWS account to import, enroll, and manage certificates from AWS Private CA certificate authorities.
Before you begin
You need an active DigiCert sensor to establish and manage the connection to your Amazon AWS account. To learn more, see Deploy and manage sensors.
Link to your AWS account
From the Trust Lifecycle Manager main menu, select Integrations > Connectors.
Select the Add connector button.
In the Certificate authorities section, select the tile for AWS Private CA.
Fill in the basic properties for the new connector:
Name: Assign a friendly name to this connector.
Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.
Managing sensor: Select the sensor that will manage this connector.
Link account: Enter your AWS access credentials to link to your DigiCert® Trust Lifecycle Manager account:
Account ID: Enter your AWS account ID number.
AWS region: Enter the AWS region for your AWS Private CA deployment.
Authentication method: Select one of three possible methods for authenticating to AWS:
Self authentication: Use your Access key ID and Secret access key.
Default AWS credential provider chain: Use a temporary credential provider chain. See Credentials chain.
AWS profile name: Use the Profile name for AWS.
Import attributes: Select options for importing certificates from your Amazon AWS account into DigiCert® Trust Lifecycle Manager to be monitored and managed there:
Import certificates from this connector: Select whether to import certificates or not. If importing, select options for which certificates to import.
Amazon S3 bucket name: Enter the name of an existing S3 bucket or enter a new bucket name and select the option to create it. The S3 bucket is used as interim storage before importing certificates into Trust Lifecycle Manager.
Note
The S3 bucket must be in the same AWS region as your linked AWS Private CA deployment. S3 bucket names must be globally unique. If creating the S3 bucket, choose a name that is not likely to be in use in a different account.
Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.
Tags: Optionally assign tags to imported certificates to help categorize and manage them.
Schedule import frequency: Select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to import certificates from AWS.
Note
The minimum allowed import frequency for an AWS Private CA connector is every 30 minutes.
Select Add to complete the link to the AWS account.
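A pre-check for the account ID, region and S3 bucket values entered in the steps above, added here as an example and not DigiCert's or AWS's own code: it parses the Private CA ARN, compares it with the connector's account ID and region, validates the bucket name against S3 naming rules, and maps the LocationConstraint value that S3's GetBucketLocation returns (None for us-east-1, the legacy "EU" for eu-west-1) to a region so the same-region rule can be checked. The account ID, ARN and bucket name are constructed sample values.

```python
import re

# Constructed sample values (hypothetical account, region, CA ARN).
SAMPLE_ACCOUNT_ID = "123456789012"
SAMPLE_REGION = "eu-west-1"
SAMPLE_PCA_ARN = ("arn:aws:acm-pca:eu-west-1:123456789012:"
                  "certificate-authority/11111111-2222-3333-4444-555555555555")

_PCA_ARN = re.compile(
    r"^arn:aws:acm-pca:([a-z0-9-]+):(\d{12}):certificate-authority/[0-9a-f-]+$")
# S3 rules: 3-63 chars, lowercase letters/digits/dots/hyphens, starts and
# ends with a letter or digit, no adjacent dots, not formatted like an IP.
_BUCKET = re.compile(
    r"^(?!\d+\.\d+\.\d+\.\d+$)(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def parse_pca_arn(arn):
    """Return (region, account_id) taken from an AWS Private CA ARN."""
    m = _PCA_ARN.match(arn)
    if not m:
        raise ValueError("not an AWS Private CA ARN: %s" % arn)
    return m.group(1), m.group(2)


def bucket_region(location_constraint):
    """Map GetBucketLocation's LocationConstraint to a region name.

    S3 returns None (or "") for us-east-1 and the legacy value "EU"
    for eu-west-1; every other value is already a region name.
    """
    if location_constraint in (None, ""):
        return "us-east-1"
    if location_constraint == "EU":
        return "eu-west-1"
    return location_constraint


def check_connector_inputs(account_id, region, pca_arn, bucket_name,
                           location_constraint):
    """Return a list of problems; an empty list means the inputs agree."""
    problems = []
    arn_region, arn_account = parse_pca_arn(pca_arn)
    if arn_account != account_id:
        problems.append("CA belongs to account %s, connector uses %s"
                        % (arn_account, account_id))
    if arn_region != region:
        problems.append("CA is in %s, connector region is %s"
                        % (arn_region, region))
    if not _BUCKET.match(bucket_name):
        problems.append("bucket name %r violates S3 naming rules" % bucket_name)
    b_region = bucket_region(location_constraint)
    if b_region != arn_region:
        problems.append("bucket is in %s, CA is in %s" % (b_region, arn_region))
    return problems
```

Obtain the LocationConstraint for a real bucket with `aws s3api get-bucket-location --bucket NAME` before running the check.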
Check status of AWS link
View current connectors to check the status of a linked AWS account:
From the main menu, select Integrations > Connectors.
Check the Status column. If this column does not appear, select table settings at the right side of the table header to add it.
The status should show Active for a linked and active AWS Private CA connector.
Manage AWS connector
To manage an AWS connector in your account:
From the main menu, select Integrations > Connectors.
Hover the connector name and open the actions menu on the right.
Alternatively, select the connector by name to view the details and manage it from there.
Available management functions for the connector include:
Run now: Run the connector service, for example to import certificates from the linked account.
Test connection: Test connectivity to the linked account.
Delete: Unlink from the external account and delete the connector for it.
Issue certificates from AWS Private CAs
To start getting certificates from the private CAs in your AWS account, create a certificate profile based on the AWS Private CA server certificate template in DigiCert® Trust Lifecycle Manager.
In the certificate profile, select from the following enrollment options based on how and where you want to install the AWS-issued certificates:
DigiCert agent: To install certificates on a web server using a DigiCert automation agent.
DigiCert sensor: To install certificates on a network appliance or cloud service using a DigiCert sensor.
3rd-party ACME client: To install certificates on a web server using a third-party ACME client like Certbot.
Revoke AWS-issued certificates
To revoke certificates from AWS Private CAs, go to the Inventory page in DigiCert® Trust Lifecycle Manager. See Manage inventory.
Unlink from AWS accounts
To unlink from a linked AWS account, use the connector management functions to Unlink account or Delete the connector for it.