How do I create a CRL for my AWS Private CA?

10 minute read
0

I want to create a certificate revocation list (CRL) for my AWS Private Certificate Authority.

Short description

To create a CRL for your AWS Private CA, complete the following steps:

  • Create a new Amazon Simple Storage Service (Amazon S3) bucket.
  • Create an Amazon CloudFront distribution.
  • Create a certificate authority (CA).
  • Configure a CRL for your CA.
  • Test your CRL.
  • (Optional) Encrypt your CRL with AWS Key Management Service (AWS KMS).

Resolution

AWS Private CA puts the CRL into an Amazon S3 bucket that you designate. Use a permissions policy to restrict access to the S3 bucket. In the bucket policy, include the Put permission to allow AWS Private CA to put objects in the bucket. To retrieve metadata from the bucket, include the Get permission.

For more information, see Access policies for CRLs in Amazon S3.

Note: When you configure a new S3 bucket, Block Public Access (BPA) is activated by default.

Create a new Amazon S3 bucket

Complete the following steps:

  1. Open the Amazon S3 console.
  2. Choose Create bucket.
  3. For Bucket name, enter a name for your bucket.
  4. For Object Ownership, select ACLs disabled, and then choose Create bucket.
  5. For Buckets, select your bucket.
  6. Choose the Permissions tab.
  7. Under Bucket policy, choose Edit.
  8. For Policy, enter the following policy:
    {  "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PolicyForPcaCrl",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::your-crl-storage-bucket/*",
            "arn:aws:s3:::your-crl-storage-bucket"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "account"
          }
        }
      ]
    }
    Note: Replace your-crl-storage-bucket with your bucket and account with your AWS account.
  9. Choose Save changes.

For more information, see Creating a bucket.

Create a CloudFront distribution

Complete the following steps:

  1. Open the CloudFront console.
  2. Choose Create Distribution.
  3. For Origin domain, choose a domain name that includes the S3 bucket. Use the following naming convention: your-crl-storage-bucket.s3.region.amazonaws.com.
  4. For Origin access, choose Origin access control settings (recommended).
  5. For Origin access controls, choose Create new OAC, and then choose Create.
  6. For Web Application Firewall (WAF), choose Do not enable security protections. If required for your use case, then turn on the security protections.
  7. Choose Create distribution.
  8. After the "The S3 bucket policy needs to be updated" banner appears, choose Copy policy. Then, save the policy.
    Example policy:
    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-crl-storage-bucket/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::account:distribution/DISTRIBUTION_ID"
            }
          }
        }
      ]
    }

Create a CA

If you already used AWS Private CA to create a CA, then proceed to Configure a CRL for your CA.

Complete the following steps:

  1. Open the AWS Private CA console in your AWS Region.
  2. Choose Create a private CA.
  3. Configure the following CA parameters:
    Important: After you create your CA, you can't update Mode, CA type, Subject distinguished name, and Key algorithm.
    For Mode, select General-purpose.
    For CA type options, select Root.
    For Subject distinguished name options, enter a name for your CA, and then configure the other fields.
    For Key algorithm options, select RSA 2048.
    For Certificate revocation options, clear CRL and OCSP.
    For CA permissions options, select Authorize ACM access to renew certificates requested by this account.
  4. Select Pricing acknowledgement, and then choose Create CA.
  5. Verify that status of the CA is Pending certificate.
  6. Under Actions, choose Install CA certificate.
  7. Configure the Validity and Signature algorithm of the CA certificate.

Configure a CRL for you CA

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Complete the following steps:

  1. Create a CRL configuration JSON file with following content:
    {
      "CrlConfiguration": {
        "Enabled": true,
        "ExpirationInDays": 7,
        "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
        "S3BucketName": "your-crl-storage-bucket"
      }
    }
    Note: Replace your-crl-storage-bucket with your bucket name. You can also update the value for ExpirationInDays to change the validity period of the CRL.
  2. Update your bucket policy to allow AWS Private CA to publish a CRL file in your bucket:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PolicyForPcaCrl",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::your-crl-storage-bucket/*",
            "arn:aws:s3:::your-crl-storage-bucket"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "account",
              "aws:SourceArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
            }
          }
        }
      ]
    }
    Note: Replace your-crl-storage-bucket with your bucket, region with your Region, account with your account, and CA_ID with the CA ID.
  3. Update the policy that you copied when you created your CloudFront distribution to allow the CloudFront distribution to get the CRL file:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PolicyForPcaCrl",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::your-crl-storage-bucket/*",
            "arn:aws:s3:::your-crl-storage-bucket"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "account",
              "aws:SourceArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
            }
          }
        },
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-crl-storage-bucket/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::account:distribution/DISTRIBUTION_ID"
            }
          }
        }
      ]
    }
    Note: Replace your-crl-storage-bucket with your bucket, region with your Region, account with your account, CA_ID with the CA ID, and DISTRIBUTION_ID with the CloudFront distribution.
    For more information, see Access policies for CRLs in Amazon S3 and Give the origin access control permission to access the S3 bucket.
  4. To update the CA and turn on CRL, run the update-certificate-authority command:
    aws acm-pca update-certificate-authority --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID --revocation-configuration file://revoke_config.json
    Note: Replace region with your Region, account with your account, and CA_ID with your CA ID.

Test your CRL

To verify that your CRL is published and accessible, complete the following steps:

  1. Open the ACM console.
  2. Choose Request a certificate.
  3. Select Request a private certificate, and then choose Next.
  4. Under the Certificate authority, choose your CA.
  5. For Fully qualified domain name, enter your domain name.
    Note: You don't need domain validation steps for private certificates.
  6. Select I understand that ACM will not be able to renew private certificates issues from this certificate authority without necessary permissions.
  7. Choose Request.
  8. On the private certificate's Details page, confirm that Status is Issued.
  9. Note the private certificate serial number.
  10. To revoke the private certificate, run the revoke-certificate command:
    aws acm-pca revoke-certificate --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID --certificate-serial SERIAL --revocation-reason UNSPECIFIED
    Note: Replace region with your Region, account with your account, CA_ID with your CA ID, and SERIAL with the private certificate's serial number. Replace UNSPECIFIED with a specific revocation reason.
    When you run this command, AWS CloudTrail records a RevokeCertificate event.
  11. Open the Amazon CloudWatch console.
  12. Choose All metrics, and then choose ACMPrivateCA.
  13. Choose PrivateCAMetrics.
  14. Review the CRLGenerated metrics for your CA. The metrics' data point is recorded after the eventTime of the RevokeCertificate event.
    Note: CRL files update approximately 30 minutes after a revocation. For more information, see Setting up a certificate revocation method.
  15. Use the CloudFront distribution to access the CRL file.
    Example URL:
    https://example.cloudfront.net/crl/CA_ID.crl
    Note: Replace example with your CloudFront distribution domain name, and CA_ID with your certificate ID. You can find distribution's domain name in the CloudFront console.
  16. Download and review the CRL file to verify that the revoked serial number is in the command's output.

(Optional) Encrypt your CRL with AWS KMS

You can turn on server-side encryption with AWS KMS (SSE-KMS) on the bucket that contains your CRL. AWS Private CA doesn't support CRL file encryption for AWS managed keys. Instead, you must create a customer-managed KMS key. For more information about SSE-KMS in Amazon S3, see Using server-side encryption with AWS KMS keys (SSE-KMS).

Complete the following steps:

  1. Open the AWS KMS console in the same Region as your S3 bucket.
  2. Choose Customer managed key, and then choose Create key.
  3. Under Configure key, keep the default values, and then choose Next.
  4. Under Add labels, for Alias enter a key alias and for Description enter a description.
  5. For Define key administrative permissions, enter your current AWS Identity and Access Management (IAM) user or role, and then choose Next.
  6. For Define key usage permissions, choose Next.
  7. Confirm your configuration, and then choose Finish.
  8. Under Customer Managed Keys, select your AWS KMS key.
  9. Under Key policy, choose Switch to policy view.
  10. Choose Edit.
  11. Enter a new key policy for CRL encryption and distribution.
    For a key policy with the bucket key activated, enter the following policy:
    {
      "Id": "key-consolepolicy-bucket-key-enabled",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account:root"
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::account:role/your-role-name",
              "arn:aws:iam::account:user/your-user-name"
            ]
          },
          "Action": [
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:TagResource",
            "kms:UntagResource",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion",
            "kms:RotateKeyOnDemand"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow ACM-PCA use of the key",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "kms:EncryptionContext:aws:s3:arn":"arn:aws:s3:::your-crl-storage-bucket"
            }
          }
        },
        {
          "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey*"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::account:distribution/DISTRIBUTION_ID"
            }
          }
        }
      ]
    Note: Replace account with your account, your-role-name with your IAM role, your-user-name with your IAM user, your-crl-storage-bucket with your bucket, and DISTRIBUTION_ID with your CloudFront distribution.
    For a key policy without an activated bucket key, replace the values for the kms:EncryptionContext:aws:s3:arn condition key with specific object keys.
    For more information, see Encrypting Your CRLs.
  12. Choose Save changes.
  13. Open the Amazon S3 console.
  14. Select your bucket, and then choose Properties.
  15. Under Default encryption, choose Edit.
  16. Enter the following encryption parameters:
    For Encryption type, select Server-side encryption with AWS Key Management Service keys (SSE-KMS).
    For AWS KMS key, enter the Amazon Resource Name (ARN) of your AWS KMS key.
    For Bucket key, select Enable for a key policy with the bucket key activated and Disable for a key policy with an inactivated bucket key.
  17. Choose Save changes.
  18. To verify that you updated the CRL files, complete the steps in the Test your CRL section.
  19. To verify that the CRL files are correctly encrypted, run the head-object command:
    aws s3api head-object --bucket your-crl-storage-bucket --key crl/CA_ID.crl
    Note: Replace your-crl-storage-bucket with your bucket, and CA_ID with your CA ID.
  20. Review the SSEKMSKeyId and BucketKeyEnabled fields to verify your encryption settings.

Related information

Planning a certificate revocation list (CRL)

How to securely create and store your CRL for ACM Private CA

Security best practices for Amazon S3

ACM Private CA best practices

AWS OFFICIAL
AWS OFFICIALUpdated 3 months ago