I can't view the shared AWS Private Certificate Authority in the AWS Private CA console. Or, when I install a subordinate certificate authority (CA), I receive the following error: "No suitable private CA could be found".
Resolution
A CA that was shared with you through AWS RAM doesn't appear as a selectable parent in the Install CA Certificate workflow, so the subordinate CA has to be set up as if its parent were an external CA. Get the certificate signing request (CSR) from your subordinate CA, sign it with the shared parent CA, and then import the signed CA certificate and its chain into the subordinate CA.
This resolution uses the following configurations:
- AWS account A owns one private CA (PCA-A).
- AWS account B owns another private CA (PCA-B).
- PCA-A is the parent CA of PCA-B.
- Account A uses AWS Resource Access Manager (AWS RAM) to share PCA-A with account B.
- Account B sets up PCA-B.
Get a CSR from AWS Private CA
To get a CSR from AWS Private CA, use the AWS Command Line Interface (AWS CLI) or the AWS Private CA console.
AWS CLI
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Run the get-certificate-authority-csr command:
$ aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn ${ARN_PCA_B} \
--output text \
--no-cli-pager
Note: Replace ${ARN_PCA_B} with the ARN of the subordinate CA (PCA-B). Save the output, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines, as a text file (csr.txt).
AWS Private CA console
Complete the following steps:
- Open the AWS Private CA console.
- Select your subordinate CA.
- Choose Actions, and then choose Install CA Certificate.
- To get the CSR, choose External private CA. The CSR is the PEM block that starts with BEGIN CERTIFICATE REQUEST and ends with END CERTIFICATE REQUEST.
- Save the CSR, including the BEGIN and END lines, as a text file (csr.txt).
Sign the CSR with the parent CA to create a CA certificate
Use the parent CA (PCA-A) to sign the subordinate CA's CSR. You must specify a CA template. If you don't specify a template, then AWS Private CA uses the default end-entity (EE) template and issues a certificate with CA:FALSE, which can't be installed on a CA. For more information, see Understanding certificate templates.
To issue a certificate with CA:TRUE, specify a subordinate CA template, and then run the following command:
$ ARN_CA_TEMPLATE=arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1
$ aws acm-pca issue-certificate \
--certificate-authority-arn ${ARN_PCA_A} \
--csr fileb://csr.txt \
--signing-algorithm "SHA256WITHRSA" \
--validity Value=1825,Type="DAYS" \
--template-arn ${ARN_CA_TEMPLATE}
In the preceding command, replace the following values with your values:
- arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 with your CA template.
- ${ARN_PCA_A} with the ARN of the parent CA.
- csr.txt with your CSR text file.
Note: If you use AWS CLI version 1.6.2 or earlier, then use the file:// prefix when you enter the input file.
- SHA256WITHRSA with your signing algorithm.
- 1825 with the number of days that you want the certificate to be valid. The subordinate CA certificate must expire before the parent CA certificate does, or the request fails.
- ${ARN_CA_TEMPLATE} with your template ARN.
Note: To sign the CSR from account B, account B needs permission to issue CA certificates from the shared PCA-A. In AWS RAM, account A must attach the managed permission AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority (or the permission that matches the template you use) to the resource share for PCA-A.
After you sign the CSR, you receive the following response:
{
"CertificateArn": "${ARN_PCA_A}/certificate/${SERIAL_of_Cert}"
}
Note the ARN for the signed CA certificate to use in the next step.
Get the CA certificate
Run the following command:
$ aws acm-pca get-certificate \
--certificate-authority-arn ${ARN_PCA_A} \
--certificate-arn ${ARN_PCA_A}/certificate/${SERIAL_of_Cert} \
--output text \
--no-cli-pager
Note: Replace ${ARN_PCA_A} with the ARN of your parent CA and ${ARN_PCA_A}/certificate/${SERIAL_of_Cert} with the ARN of the signed CA certificate from the previous step.
You receive the following certificate body and chain:
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIRAOn36lnqs4DTjbdZK3GoRLwwDQYJKoZIhvcNAQELBQAw
IDEeMBwGA1UEAwwVbXktUk9PVC1DQS0yMDI0LTA1LTExMB4XDTI0MDUxMTA1MjMz
N1oXDTI0MDUxNzA2MjMzN1owHzEdMBsGA1UEAwwUbXktU1VCLUNBLTIwMjQtMDUt
(SNIP)
q02OPtAOrFyWSdrc+5LMZaZzeo6xe0Mw2mJHU8FKl66V2CE+MBbUdwqWN1kOWdTs
U+FhS5IV4KeST0X+lfYh3SkR+0dZBU5arV13w5MATgEYc1D9GajC25MT7Zy4t/NP
zddAJA==
-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIRAMQmowipJbQz3jok7kFkPSswDQYJKoZIhvcNAQELBQAw
IDEeMBwGA1UEAwwVbXktUk9PVC1DQS0yMDI0LTA1LTExMB4XDTI0MDUxMTA1MTkx
OVoXDTI0MDUxODA2MTkxOVowIDEeMBwGA1UEAwwVbXktUk9PVC1DQS0yMDI0LTA1
(SNIP)
2wZ6JqUvN/FyWVKTfyNay/KbQkYQZrclrb7N+zmOJ4LTQnI2firIDYqcqmduYuX9
U8F3MFXrVJFECyn5t+4Qxc/BWJPVAoHnEns+jL5tOJfRKblKHs9VAe02gUcr5/p3
qSy6CwOSAA6fkmZCkVjVvYo=
-----END CERTIFICATE-----
The certificate body is between the first BEGIN CERTIFICATE and the first END CERTIFICATE. The certificate chain is everything from the second BEGIN CERTIFICATE to the last END CERTIFICATE (here a single certificate, because PCA-A is a root CA). Because --output text separates the two fields with a tab, the first END CERTIFICATE and the second BEGIN CERTIFICATE appear on one line; when you save the files, make sure that every BEGIN and END line is on its own line. Save the certificate body as a text file that's named cert.txt. Save the certificate chain as a text file that's named cert_chain.txt.
Import and install the signed CA certificate and chain into the CA
To install the signed certificate, you can use AWS CLI or the AWS Private CA console.
AWS CLI
Run the following command and attach the certificate body and certificate chain:
$ aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn ${ARN_PCA_B} \
--certificate fileb://cert.txt \
--certificate-chain fileb://cert_chain.txt
Note: Replace ${ARN_PCA_B} with the ARN of the subordinate CA (PCA-B) that generated the CSR.
AWS Private CA console
Complete the following steps:
- Open the AWS Private CA console.
- Select your subordinate CA.
- Choose Actions, and then choose Install CA Certificate.
- Choose External private CA.
- Under Import a signed certificate authority (CA), enter the certificate body and chain values.
After the import succeeds, the subordinate CA status changes to Active.
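The following script is an added example and is not part of the original article or of AWS documentation. It runs the whole procedure above end to end from account B (sign the CSR with the shared parent, fetch the result, import into the subordinate CA), but with two changes a practitioner would want: it retrieves the certificate body and chain as separate fields with --query, so the tab-joined PEM line never has to be split by hand, and it verifies the signed certificate with openssl before importing it (the certificate must carry CA:TRUE, must chain to the parent, and must match the public key in the CSR). The split_text_output function is for the case where you already captured the default text output. The function names, the cert.txt and cert_chain.txt file names, and the argument order of main are this example's own choices; the aws and openssl invocations use only documented options.

```shell
#!/bin/sh
# Added example, not from the original article. Requires the AWS CLI and openssl.
# Usage: ./sign_and_install.sh ARN_PCA_A ARN_PCA_B csr.txt
set -eu

TEMPLATE_ARN="arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"

# Sign the subordinate CA's CSR with the shared parent CA and wait until the
# certificate is issued. $1 = parent CA ARN, $2 = CSR file. Prints the cert ARN.
sign_csr() {
  cert_arn=$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$1" --csr "fileb://$2" \
    --signing-algorithm SHA256WITHRSA --validity Value=1825,Type=DAYS \
    --template-arn "$TEMPLATE_ARN" --query CertificateArn --output text)
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$1" --certificate-arn "$cert_arn"
  printf '%s\n' "$cert_arn"
}

# Fetch body and chain as two separate fields so they never get tab-joined.
# $1 = parent CA ARN, $2 = certificate ARN, $3 = body file, $4 = chain file.
fetch_cert_and_chain() {
  aws acm-pca get-certificate --certificate-authority-arn "$1" \
    --certificate-arn "$2" --query Certificate --output text > "$3"
  aws acm-pca get-certificate --certificate-authority-arn "$1" \
    --certificate-arn "$2" --query CertificateChain --output text > "$4"
}

# Alternative: split the default text output (body<TAB>chain) that the article
# shows. The first BEGIN..END block is the body; every later block is the chain.
# $1 = raw text output file, $2 = body file, $3 = chain file.
split_text_output() {
  tr '\t' '\n' < "$1" | awk -v body="$2" -v chain="$3" '
    $0 == "None" { next }                       # empty chain prints as None
    /-----BEGIN CERTIFICATE-----/ { n++ }
    NF { print > (n == 1 ? body : chain) }'
}

# Verify the signed certificate before importing it.
# $1 = body file, $2 = chain file, $3 = CSR file. Returns 0 only if all checks pass.
verify_ca_cert() {
  # 1. A missing template yields an end-entity certificate (CA:FALSE).
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || {
    echo "not a CA certificate (CA:TRUE missing); wrong template?" >&2; return 1; }
  # 2. The body must chain to the certificate(s) in the chain file.
  #    -partial_chain also accepts a chain file that holds only intermediates.
  openssl verify -partial_chain -CAfile "$2" "$1" 2>&1 | grep -q ': OK$' || {
    echo "certificate does not chain to the parent CA" >&2; return 2; }
  # 3. The certificate must be for the key the subordinate CA actually generated.
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$3" -noout -pubkey)" ] || {
    echo "public key does not match the CSR" >&2; return 3; }
}

# Install the verified certificate and chain into the subordinate CA.
# $1 = subordinate CA ARN, $2 = body file, $3 = chain file.
import_ca_cert() {
  aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn "$1" \
    --certificate "fileb://$2" --certificate-chain "fileb://$3"
}

main() {
  cert_arn=$(sign_csr "$1" "$3")
  fetch_cert_and_chain "$1" "$cert_arn" cert.txt cert_chain.txt
  verify_ca_cert cert.txt cert_chain.txt "$3"
  import_ca_cert "$2" cert.txt cert_chain.txt
  aws acm-pca describe-certificate-authority --certificate-authority-arn "$2" \
    --query CertificateAuthority.Status --output text
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

If verify_ca_cert fails with "CA:TRUE missing", the issue-certificate call ran without a CA template; if it fails with the chain error, the chain file is not the parent's certificate (or the wrong parent signed the CSR); if the public key check fails, the CSR you signed did not come from the subordinate CA you are importing into. Each of these is caught before the import rather than surfacing later as "No suitable private CA could be found" or a failed import.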