This Gist is based on the Self Signed Certificate with Custom Root CA gist.
It adds AWS KMS to generate and decrypt the Root CA private key, so that this key never has to be stored in plaintext. Instead, the key is stored encrypted and is decrypted via AWS KMS only at the moment it is needed, on the way into openssl.
Create a symmetric CMK (customer managed key) and give it the alias alias/root-ca-encrypting-key, which will be used later to reference it:
aws kms create-key --description "Root CA encrypting key"
aws kms create-alias \
--alias-name "alias/root-ca-encrypting-key" \
--target-key-id "<key ID from create-key above>"
Source: create-key, create-alias
Create the key pair that our custom Root CA will use to sign certificates (the CMK referenced here must be a symmetric encryption key; this operation does not accept an asymmetric CMK):
aws kms generate-data-key-pair-without-plaintext \
--key-id "alias/root-ca-encrypting-key" \
--key-pair-spec RSA_4096
The value of PrivateKeyCiphertextBlob in the output JSON is the Base64-encoded, CMK-encrypted private key of our custom Root CA; the response also carries the matching PublicKey. Base64-decode the blob before writing it to a file, because the fileb:// argument used below hands the file to KMS as raw bytes. Let's assume it was saved to encryptedRootCA.key.
To get the plaintext value of the Root CA key, the following command is used in the sections below:
aws kms decrypt \
--ciphertext-blob fileb://encryptedRootCA.key \
--key-id "alias/root-ca-encrypting-key" \
--output text \
--query Plaintext \
| base64 --decode
The CLI returns Plaintext as Base64, so the trailing base64 --decode turns it back into the binary (PKCS#8 DER) key and prints it to standard output. openssl can then consume it by referencing the file /dev/stdin and specifying the key form as DER (-keyform der). The plaintext key only ever exists in the pipe between the two processes and is never written to disk, so the kms:Decrypt permission on the CMK is what controls who can use the Root CA key; restrict that key policy accordingly.
Source: generate-data-key-pair-without-plaintext, decrypt
Generate our custom Root CA certificate:
aws kms decrypt \
--ciphertext-blob fileb://encryptedRootCA.key \
--key-id "alias/root-ca-encrypting-key" \
--output text \
--query Plaintext \
| base64 --decode \
| openssl req -x509 -new -nodes -sha256 -days 1024 -out rootCA.crt \
-key /dev/stdin -keyform der \
-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=My Root CA"
The first two commands decrypt our custom Root CA key using KMS and pass it, via standard output, to openssl, which reads it from /dev/stdin. The final command generates the rootCA.crt file that contains our custom Root CA certificate.
Generate the server key and a CSR for mydomain.com, then have the Root CA sign the CSR:
openssl genrsa -out mydomain.com.key 2048
openssl req -new -sha256 -key mydomain.com.key -out mydomain.com.csr \
-subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com"
aws kms decrypt \
--ciphertext-blob fileb://encryptedRootCA.key \
--key-id "alias/root-ca-encrypting-key" \
--output text \
--query Plaintext \
| base64 --decode \
| openssl x509 -req -in mydomain.com.csr \
-CA rootCA.crt -CAkey /dev/stdin -CAkeyform der \
-CAcreateserial -out mydomain.com.crt -days 500 -sha256
The command generates mydomain.com.crt, a certificate issued by our custom Root CA. Before deploying it, confirm that it validates against rootCA.crt (for example with openssl verify) and check that no plaintext copy of the Root CA key was left behind in the working directory.
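The whole procedure above, as an added example that is not part of the original gist. It runs offline by replacing the two KMS calls with a local stand-in (a random wrapping key plus openssl enc, both assumptions for the demo) so that, exactly as with generate-data-key-pair-without-plaintext, the only Root CA material ever written to disk is a wrapped blob. The openssl invocations that read the DER key from /dev/stdin are the same ones the gist uses; a small req config is added so the root carries basicConstraints regardless of the host's openssl.cnf, and the script ends with the two checks a practitioner wants: the leaf chains to rootCA.crt, and nothing on disk parses as a plaintext CA key. It assumes OpenSSL 1.1.1 or later and a POSIX shell with mktemp.

```shell
#!/bin/sh
# Added example, not from the original gist. The KMS CMK and its decrypt call
# are simulated locally (wrapping.key + `openssl enc`); everything that consumes
# the CA key does so through a pipe and /dev/stdin, as in the gist.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WRAP_KEY="$WORK/wrapping.key"   # stand-in for the KMS CMK (in AWS this never leaves KMS)

# Minimal req config so the root is a real CA (basicConstraints) independent of
# the host's openssl.cnf. The subject itself comes from -subj on the command line.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
commonName = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Stand-in for generate-data-key-pair-without-plaintext: the RSA private key is
# produced as PKCS#8 DER (the encoding KMS returns) and only its wrapped form is
# persisted; the plaintext never exists as a file.
make_wrapped_ca_key() {
    openssl rand -hex 32 > "$WRAP_KEY"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -outform DER 2>/dev/null \
        | openssl enc -aes-256-cbc -pbkdf2 -pass "file:$WRAP_KEY" -out "$WORK/encryptedRootCA.key"
}

# Stand-in for `aws kms decrypt ... | base64 --decode`: DER key on stdout only.
unwrap_ca_key() {
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$WRAP_KEY" -in "$WORK/encryptedRootCA.key"
}

# Same pipeline as the gist: openssl reads the CA key from /dev/stdin as DER.
make_root_ca_cert() {
    unwrap_ca_key \
        | openssl req -x509 -new -sha256 -days 1024 -config "$WORK/ca.cnf" \
            -out "$WORK/rootCA.crt" -key /dev/stdin -keyform der \
            -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=My Root CA"
}

# Leaf key + CSR, then the CA signs it, again with the CA key arriving via the pipe.
issue_leaf_cert() {
    openssl genrsa -out "$WORK/mydomain.com.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$WORK/ca.cnf" -key "$WORK/mydomain.com.key" \
        -out "$WORK/mydomain.com.csr" -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=mydomain.com"
    unwrap_ca_key \
        | openssl x509 -req -in "$WORK/mydomain.com.csr" \
            -CA "$WORK/rootCA.crt" -CAkey /dev/stdin -CAkeyform der \
            -CAcreateserial -out "$WORK/mydomain.com.crt" -days 500 -sha256
}

# Check 1: the issued certificate must chain to rootCA.crt.
verify_chain() {
    openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/mydomain.com.crt" >/dev/null
}

leaf_issuer() {
    openssl x509 -in "$WORK/mydomain.com.crt" -noout -issuer
}

# Check 2: succeeds (exit 0) only if some file in $WORK other than the wrapped
# blob, the wrapping key and the leaf's own key parses as a private key, i.e.
# the CA key leaked to disk. Expected result: failure (exit 1).
plaintext_ca_key_on_disk() {
    for f in "$WORK"/*; do
        case "$f" in
            "$WORK/encryptedRootCA.key"|"$WORK/wrapping.key"|"$WORK/mydomain.com.key") continue ;;
        esac
        openssl pkey -in "$f" -noout 2>/dev/null && return 0
    done
    return 1
}

make_wrapped_ca_key
make_root_ca_cert
issue_leaf_cert
verify_chain
echo "chain OK, $(leaf_issuer)"
if plaintext_ca_key_on_disk; then echo "plaintext CA key found on disk" >&2; exit 1; fi
```

To move from the stand-in to real KMS, replace the body of unwrap_ca_key with the aws kms decrypt pipeline from the gist and produce encryptedRootCA.key from the Base64-decoded PrivateKeyCiphertextBlob; none of the openssl lines change.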
Hi. The steps here are for symmetric keys. Can we use asymmetric keys and create a self-signed certificate?
As per the documentation, generate-data-key-pair-without-plaintext does not work for asymmetric keys.