AWS Private CA

Link DigiCert® Trust Lifecycle Manager to your AWS account to import, enroll, and manage certificates from certificate authorities in AWS Private CA.

Before you begin

  • You need an active DigiCert sensor to establish and manage the connection to your Amazon AWS account. To learn more, see Deploy and manage sensors.

  • Gather the access credentials for your AWS account where AWS Private CA is set up and make sure it's configured with the minimum required AWS permissions. See step 5 below for available authentication methods you can use to connect to AWS.

Minimum required AWS permissions

Your AWS account needs these permissions to enable the integration with Trust Lifecycle Manager.

Permission                                       Purpose

AWS Private CA

acm-pca:ListCertificateAuthorities               Fetch available certificate authorities (CAs) from AWS Private CA.

acm-pca:IssueCertificate                         Issue certificates via CAs in AWS Private CA.

acm-pca:GetCertificate                           Get certificate data from AWS Private CA.

acm-pca:RevokeCertificate                        Revoke AWS Private CA certificates.

acm-pca:CreateCertificateAuthorityAuditReport    Generate AWS Private CA audit reports to use for discovery.

AWS S3

s3:CreateBucket                                  Create an S3 bucket if needed to store CA audit reports during discovery.

s3:GetObject                                     Download CA audit reports to use for discovery.

s3:DeleteObject                                  Remove CA audit reports from the S3 bucket when no longer needed for discovery.
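As an added example (not from this DigiCert page), an IAM policy that grants exactly the permissions listed above and nothing more, scoped to a single CA and a single S3 bucket. The account ID, region, CA ID, and bucket name are placeholders to replace with your own values; ListCertificateAuthorities does not support resource-level scoping, so it alone uses "*".

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListCAsNoResourceScopeAvailable",
      "Effect": "Allow",
      "Action": "acm-pca:ListCertificateAuthorities",
      "Resource": "*"
    },
    {
      "Sid": "CertificateOperationsOnOneCA",
      "Effect": "Allow",
      "Action": [
        "acm-pca:IssueCertificate",
        "acm-pca:GetCertificate",
        "acm-pca:RevokeCertificate",
        "acm-pca:CreateCertificateAuthorityAuditReport"
      ],
      "Resource": "arn:aws:acm-pca:REGION-PLACEHOLDER:111122223333:certificate-authority/CA-ID-PLACEHOLDER"
    },
    {
      "Sid": "CreateAuditReportBucket",
      "Effect": "Allow",
      "Action": "s3:CreateBucket",
      "Resource": "arn:aws:s3:::tlm-audit-reports-placeholder"
    },
    {
      "Sid": "ReadAndCleanUpAuditReports",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::tlm-audit-reports-placeholder/*"
    }
  ]
}
```

The audit report itself is written into the bucket by the AWS Private CA service rather than by this principal, so the bucket additionally needs a bucket policy that lets the acm-pca.amazonaws.com service principal write objects to it.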

Add AWS Private CA connector

  1. From the Trust Lifecycle Manager main menu, select Integrations > Connectors.

  2. Select the Add connector button.

  3. In the Certificate authorities section, select the tile for AWS Private CA.

    Complete the resulting form as described in the following steps.

  4. Configure the general connector properties in the top section of the form:

    • Name: Assign a friendly name to this connector.

    • Business unit: Select a business unit for this connector. Only users assigned to this business unit can manage the connector.

    • Managing sensor: Select an active DigiCert sensor to manage the integration.

  5. Configure the AWS access details in the Link account section:

    • Account ID: Enter your AWS account ID number.

    • AWS region: Enter the AWS region for your AWS Private CA deployment.

    • Authentication method: Select one of three possible methods for authenticating to AWS.

      • Self authentication: Use your Access key ID and Secret access key.

      • Default AWS credential provider chain: Use a temporary credential provider chain. See Credentials chain.

      • AWS profile name: Use the Profile name for AWS.

  6. Fill out the Import attributes section if you want to import existing certificates from AWS Private CA:

    • Import certificates from this connector: Select whether to import certificates or not. If importing, select options for which certificates to import.

    • Amazon S3 bucket name: Enter the name of an existing S3 bucket or enter a new bucket name and select the option to create it. The S3 bucket is used as interim storage before importing certificates into Trust Lifecycle Manager.

      Note

      The S3 bucket must be in the same AWS region as your linked AWS Private CA deployment. S3 bucket names must be globally unique. If creating the S3 bucket, choose a name that is unlikely to already exist in a different account.

    • Business unit: Optionally assign a business unit to imported certificates. Only users assigned to this business unit can manage the imported certificates.

    • Tags: Optionally assign tags to imported certificates to help categorize and manage them.

    • Schedule import frequency: Select scheduling options for ongoing import operations. Enter a value and select units (minutes, hours, or weeks) for how often to import certificates from AWS.

      Note

      The minimum allowed import frequency for an AWS Private CA connector is every 30 minutes.

  7. Select Add to create the AWS Private CA connector with the configured settings.

Issue certificates

Use the following base template to create certificate profiles in Trust Lifecycle Manager for enrolling private certificates from the CAs in a connected AWS account.

Template name                        Seat type                 Enrollment methods

AWS Private CA Server Certificate    Certificate management    Admin web request, DigiCert agent, DigiCert sensor, 3rd-party ACME client

In the certificate profile, select an enrollment method based on how you want to deploy the AWS-issued certificates:

What's next

  • Monitor and manage certificates from your Inventory page in Trust Lifecycle Manager.

  • Go to the Integrations > Connectors page to view, check status, or manage a connector.

  • Select one of the View actions for a connector to load a pre-filtered inventory list of digital trust assets associated with it.