
How do I create a CRL for my AWS Private CA?


I want to create a certificate revocation list (CRL) for my AWS Private Certificate Authority.

Resolution

When you turn on a CRL, AWS Private CA writes the CRL object to an Amazon Simple Storage Service (Amazon S3) bucket that you designate. Restrict access to that bucket with a bucket policy that grants the acm-pca.amazonaws.com service principal only what it needs: s3:PutObject and s3:PutObjectAcl to publish the CRL, and s3:GetBucketAcl and s3:GetBucketLocation to read bucket metadata. Scope the grant with the aws:SourceAccount and aws:SourceArn condition keys so that only your own account and your own CA can write to the bucket (this is the standard protection against the confused deputy problem for service principals).

Note: When you create a new S3 bucket, Block Public Access (BPA) is turned on by default. Leave it on. Because clients can't fetch the CRL from the bucket URL directly, this walkthrough publishes the CRL through an Amazon CloudFront distribution that reads from the private bucket with origin access control.

To create a CRL for your AWS Private CA, complete the following steps.

Create a new Amazon S3 bucket

Complete the following steps:

  1. Open the Amazon S3 console.
  2. Choose Create bucket.
  3. For Bucket name, enter a name for your bucket.
  4. For Object Ownership, select ACLs disabled, and then choose Create bucket. With ACLs disabled (bucket owner enforced), the BUCKET_OWNER_FULL_CONTROL ACL that AWS Private CA sets on the CRL object is accepted, and every other ACL is rejected, so the object can never be made public through an ACL.
  5. For Buckets, select your bucket.
  6. Choose the Permissions tab.
  7. Under Bucket policy, choose Edit.
  8. For Policy, enter the following policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PolicyForPcaCrl",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::your-crl-storage-bucket/*",
            "arn:aws:s3:::your-crl-storage-bucket"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "account"
            }
          }
        }
      ]
    }
    Note: Replace your-crl-storage-bucket with your bucket name and account with your AWS account ID. You tighten this policy further, with an aws:SourceArn condition for the CA, after you create the CA.
  9. Choose Save changes.

For more information, see Creating a bucket.

Create a CloudFront distribution

Complete the following steps:

  1. Open the Amazon CloudFront console.

  2. Choose Create Distribution.

  3. For Origin domain, choose the S3 bucket that you created. The origin domain has the format your-crl-storage-bucket.s3.region.amazonaws.com.

  4. For Origin access, choose Origin access control settings (recommended).

  5. For Origin access controls, choose Create new OAC, and then choose Create.

  6. For Web Application Firewall (WAF), choose Do not enable security protections. If required for your use case, then turn on the security protections.

  7. Choose Create distribution.

  8. After the "The S3 bucket policy needs to be updated" banner appears, choose Copy policy, and then save the policy. You merge it into the bucket policy later. Also note the distribution's domain name (for example, abcdef012345.cloudfront.net) and its distribution ID; you need both later.

    Example policy:

    {
      "Version": "2008-10-17",
      "Id": "PolicyForCloudFrontPrivateContent",
      "Statement": [
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-crl-storage-bucket/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::account:distribution/DISTRIBUTION_ID"
            }
          }
        }
      ]
    }

Create a CA

If you already used AWS Private CA to create a certificate authority (CA), then go to Configure a CRL for your CA.

To create a CA, complete the following steps:

  1. Open the AWS Private CA console in your AWS Region.
  2. Choose Create a private CA.
  3. Configure the following CA parameters:
    Important: After you create your CA, you can't update Mode, CA type, Subject distinguished name, or Key algorithm.
    For Mode, select General-purpose.
    For CA type options, select Root.
    For Subject distinguished name options, enter a name for your CA, and then configure the other fields.
    For Key algorithm options, select RSA 2048.
    For Certificate revocation options, clear CRL and OCSP. You turn on the CRL later with the AWS CLI, after the bucket and distribution are in place.
    For CA permissions options, select Authorize ACM access to renew certificates requested by this account.
  4. Select Pricing acknowledgement, and then choose Create CA.
  5. Verify that the status of the CA is Pending certificate.
  6. Under Actions, choose Install CA certificate.
  7. Configure the Validity and Signature algorithm of the CA certificate.

Configure a CRL for your CA

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

  1. Create a CRL configuration JSON file named revoke_config.json with the following information:
    {
      "CrlConfiguration": {
        "Enabled": true,
        "ExpirationInDays": 7,
        "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
        "CustomCname": "abcdef012345.cloudfront.net",
        "S3BucketName": "your-crl-storage-bucket"
      }
    }
    Note: Replace your-crl-storage-bucket with your bucket name and abcdef012345.cloudfront.net with your CloudFront distribution's domain name. Enter the CustomCname value without a protocol prefix such as http:// or https://. AWS Private CA writes this name into the CRL Distribution Points extension of every certificate that the CA issues after this change, so clients fetch the CRL from http://abcdef012345.cloudfront.net/crl/CA_ID.crl. S3ObjectAcl must be BUCKET_OWNER_FULL_CONTROL so that the CRL object stays private to the bucket owner. You can also update the value for ExpirationInDays to change the validity period of the CRL; it sets the CRL's Next Update time, after which clients treat the CRL as stale.
  2. To allow AWS Private CA to publish the CRL to your bucket, update the bucket policy that you created earlier. This version adds an aws:SourceArn condition so that only the CA that you created can write to the bucket:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PolicyForPcaCrl",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::your-crl-storage-bucket/*",
            "arn:aws:s3:::your-crl-storage-bucket"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "account",
              "aws:SourceArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
            }
          }
        }
      ]
    }
    Note: Replace your-crl-storage-bucket with your bucket name, region with your Region, account with your AWS account ID, and CA_ID with the CA ID.
  3. To also allow the CloudFront distribution to read the CRL file, add the statement that you copied when you created the distribution to the same bucket policy. The complete bucket policy is as follows:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PolicyForPcaCrl",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:GetBucketAcl",
            "s3:GetBucketLocation"
          ],
          "Resource": [
            "arn:aws:s3:::your-crl-storage-bucket/*",
            "arn:aws:s3:::your-crl-storage-bucket"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceAccount": "account",
              "aws:SourceArn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID"
            }
          }
        },
        {
          "Sid": "AllowCloudFrontServicePrincipal",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::your-crl-storage-bucket/*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::account:distribution/DISTRIBUTION_ID"
            }
          }
        }
      ]
    }
    Note: Replace your-crl-storage-bucket with your bucket name, region with your Region, account with your AWS account ID, CA_ID with the CA ID, and DISTRIBUTION_ID with the CloudFront distribution ID.
    For more information, see Access policies for CRLs in Amazon S3 and Give the origin access control permission to access the S3 bucket.
  4. To turn on the CRL for your CA, run the update-certificate-authority AWS CLI command with the configuration file that you created in step 1:
    aws acm-pca update-certificate-authority --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID --revocation-configuration file://revoke_config.json
    Note: Replace region with your Region, account with your account, and CA_ID with your CA ID.
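The four steps above as one script, added here as an example and not taken from the original article: it renders the bucket policy and the CRL configuration from a single set of variables, so the account ID, CA ARN, bucket name and distribution ID can't drift apart between the two files, applies both with the AWS CLI, and then reads the CA's revocation configuration back with describe-certificate-authority to confirm that the change took effect (a check the article does not show). The placeholder values and the `apply` argument are assumptions for this example; without the argument the script only defines the functions, so the rendered JSON can be inspected offline.

```shell
#!/usr/bin/env bash
# Added example: configure a CRL for an AWS Private CA end to end.
# The values below are placeholders assumed for this example; replace them.
set -eu

ACCOUNT="111122223333"                          # your AWS account ID
REGION="us-east-1"                              # Region of the CA
CA_ID="11111111-2222-3333-4444-555555555555"    # the CA's ID
BUCKET="your-crl-storage-bucket"
DIST_ID="EDFDVBD6EXAMPLE"                       # CloudFront distribution ID
CNAME="abcdef012345.cloudfront.net"             # distribution domain, no scheme
CA_ARN="arn:aws:acm-pca:${REGION}:${ACCOUNT}:certificate-authority/${CA_ID}"

# Bucket policy: AWS Private CA may write only when the request originates from
# this account *and* this CA (confused-deputy protection); CloudFront may read
# only on behalf of this one distribution.
bucket_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PolicyForPcaCrl",
      "Effect": "Allow",
      "Principal": { "Service": "acm-pca.amazonaws.com" },
      "Action": [ "s3:PutObject", "s3:PutObjectAcl",
                  "s3:GetBucketAcl", "s3:GetBucketLocation" ],
      "Resource": [ "arn:aws:s3:::${BUCKET}/*", "arn:aws:s3:::${BUCKET}" ],
      "Condition": { "StringEquals": {
        "aws:SourceAccount": "${ACCOUNT}",
        "aws:SourceArn": "${CA_ARN}" } }
    },
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": { "Service": "cloudfront.amazonaws.com" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${BUCKET}/*",
      "Condition": { "StringEquals": {
        "AWS:SourceArn": "arn:aws:cloudfront::${ACCOUNT}:distribution/${DIST_ID}" } }
    }
  ]
}
EOF
}

# CRL configuration: CustomCname becomes the CRL Distribution Point written into
# every certificate issued from now on, so it must be the CloudFront domain.
crl_config() {
  cat <<EOF
{
  "CrlConfiguration": {
    "Enabled": true,
    "ExpirationInDays": 7,
    "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL",
    "CustomCname": "${CNAME}",
    "S3BucketName": "${BUCKET}"
  }
}
EOF
}

apply() {
  bucket_policy > bucket_policy.json
  crl_config > revoke_config.json
  aws s3api put-bucket-policy --bucket "$BUCKET" --policy file://bucket_policy.json
  aws acm-pca update-certificate-authority \
    --certificate-authority-arn "$CA_ARN" \
    --revocation-configuration file://revoke_config.json
  # Read the configuration back: Enabled must be true and CustomCname must match.
  aws acm-pca describe-certificate-authority \
    --certificate-authority-arn "$CA_ARN" \
    --query 'CertificateAuthority.RevocationConfiguration.CrlConfiguration'
}

# `./configure_crl.sh apply` makes the changes; with no argument, only the
# functions are defined so that `bucket_policy` and `crl_config` can be reviewed.
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run `bash configure_crl.sh apply` with credentials that can call s3:PutBucketPolicy and acm-pca:UpdateCertificateAuthority; the final describe call prints the stored CrlConfiguration, which is what AWS Private CA will use the next time it regenerates the CRL.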

Test your CRL

To check that your CRL is published and accessible, complete the following steps:

  1. Open the ACM console.

  2. Choose Request a certificate.

  3. Select Request a private certificate, and then choose Next.

  4. For Certificate authority, choose your CA.

  5. For Fully qualified domain name, enter your domain name.
    Note: You don't need domain validation steps for private certificates.

  6. Select I understand that ACM will not be able to renew private certificates issued from this certificate authority without necessary permissions.

  7. Choose Request.

  8. On the private certificate's Details page, confirm that Status is Issued.

  9. Note the private certificate serial number.

  10. To revoke the private certificate, run the revoke-certificate AWS CLI command:

    aws acm-pca revoke-certificate --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID --certificate-serial SERIAL --revocation-reason UNSPECIFIED

    Note: Replace region with your Region, account with your AWS account ID, CA_ID with your CA ID, and SERIAL with the private certificate's serial number. If you know why the certificate is being revoked, replace UNSPECIFIED with a more specific reason, such as KEY_COMPROMISE or SUPERSEDED; the reason is recorded in the CRL entry.
    When you run this command, AWS CloudTrail records a RevokeCertificate event.

  11. Open the Amazon CloudWatch console.

  12. Choose All metrics, and then choose ACMPrivateCA.

  13. Choose PrivateCAMetrics.

  14. Review the CRLGenerated metric for your CA. A data point appears after the eventTime of the RevokeCertificate event, when AWS Private CA has regenerated and published the CRL.
    Note: CRL files update approximately 30 minutes after a revocation. For more information, see Plan your AWS Private CA certificate revocation method.

  15. To retrieve the CRL file, use the CloudFront distribution's domain name, not the S3 bucket URL, which Block Public Access keeps private.

    Example URL:

    https://example.cloudfront.net/crl/CA_ID.crl

    Note: Replace example with your CloudFront distribution domain name, and CA_ID with your certificate authority ID. You can find the distribution's domain name in the CloudFront console.

  16. To verify that the revoked serial number appears in the CRL, download the file and decode it. AWS Private CA publishes the CRL in DER format; decode it with a tool such as OpenSSL and confirm that the serial number is listed under the revoked certificates. Note that the ACM console displays the serial number as colon-separated hexadecimal pairs, whereas decoding tools typically print it as a single uppercase hexadecimal string, so compare the values after removing the separators.
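Steps 15 and 16 as a script, added here as an example and not taken from the original article: it fetches the CRL from the CloudFront domain over plain HTTP (the scheme AWS Private CA writes into the CRL Distribution Points extension, so this is what a relying party does), decodes the DER with openssl, and checks whether a given serial is listed, normalising the colon-separated lowercase form shown by the ACM console and the contiguous uppercase form printed by openssl so they compare equal. The argument convention, the placeholder values and the constructed openssl text dump used for offline testing are assumptions for this example; curl and openssl must be installed.

```shell
#!/usr/bin/env bash
# Added example: fetch a published CRL through CloudFront and confirm that a
# revoked serial number is on it. Usage: ./check_crl.sh check <domain> <CA_ID> <serial>
set -eu

# The ACM console shows a serial as colon-separated lowercase hex pairs
# (67:07:44:...); `openssl crl -text` prints one uppercase hex string.
# Normalise both to uppercase hex without separators or leading zeros.
normalize_serial() {
  printf '%s\n' "$1" | tr -d ': \t' | tr '[:lower:]' '[:upper:]' \
    | sed 's/^0*\([0-9A-F]\)/\1/'
}

# Read an `openssl crl -text` dump on stdin and print each revoked serial,
# normalised, one per line. openssl prints small serials as "15 (0xf)";
# take the hex form in parentheses when it is present.
revoked_serials() {
  while IFS= read -r line; do
    case "$line" in
      *"Serial Number:"*)
        v=${line#*Serial Number:}
        case "$v" in *"(0x"*) v=${v#*(0x}; v=${v%%)*} ;; esac
        normalize_serial "$v" ;;
    esac
  done
}

# is_revoked <serial> <path-to-text-dump>: succeeds if the serial is listed.
is_revoked() {
  want=$(normalize_serial "$1")
  revoked_serials < "$2" | grep -Fx -- "$want" > /dev/null
}

# fetch_and_check <cloudfront-domain> <ca-id> <serial>
# The CRL object is DER encoded; -lastupdate/-nextupdate show whether the copy
# served by CloudFront has been regenerated since the revocation.
fetch_and_check() {
  url="http://$1/crl/$2.crl"
  der=$(mktemp); txt=$(mktemp)
  curl -sSf -o "$der" "$url"
  openssl crl -inform DER -in "$der" -noout -lastupdate -nextupdate
  openssl crl -inform DER -in "$der" -noout -text > "$txt"
  if is_revoked "$3" "$txt"; then
    echo "revoked: $3 is listed in $url"
    rm -f "$der" "$txt"
  else
    echo "not listed: $3 (the CRL regenerates about 30 minutes after revocation; retry)"
    rm -f "$der" "$txt"; return 1
  fi
}

# Constructed sample of an `openssl crl -text` dump (not a real CRL), so the
# parsing above can be exercised offline. The first serial is the
# colon-separated 67:07:44:...:5c example with separators removed.
sample_crl_text() {
  cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Example Private CA
        Last Update: Jan  1 00:00:00 2024 GMT
        Next Update: Jan  8 00:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 6707447683A9B7F405D727308FB6E05C
        Revocation Date: Jan  1 00:00:00 2024 GMT
    Serial Number: 15 (0xf)
        Revocation Date: Jan  1 00:00:00 2024 GMT
EOF
}

if [ "${1:-}" = "check" ]; then fetch_and_check "$2" "$3" "$4"; fi
```

A "not listed" result right after revoking is expected until the CRLGenerated metric shows a new data point; rerun the check once it does. If Next Update is already in the past, the CA has stopped regenerating the CRL (for example because the bucket policy no longer lets acm-pca.amazonaws.com write), and clients will treat the CRL as unavailable.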

(Optional) Encrypt your CRL with AWS Key Management Service (AWS KMS)

You can turn on server-side encryption with AWS KMS (SSE-KMS) on the bucket that contains your CRL. AWS Private CA can't publish to a bucket that uses the AWS managed key (aws/s3), because that key's policy can't be edited to grant the service principal access. You must create a customer managed KMS key and grant acm-pca.amazonaws.com and cloudfront.amazonaws.com the permissions they need in its key policy. For more information about SSE-KMS in Amazon S3, see Using server-side encryption with AWS KMS keys (SSE-KMS).

Complete the following steps:

  1. Open the AWS KMS console in the same Region as your S3 bucket.

  2. Choose Customer managed key, and then choose Create key.

  3. Under Configure key, keep the default values, and then choose Next.

  4. Under Add labels, for Alias enter a key alias and for Description enter a description.

  5. For Define key administrative permissions, enter your current AWS Identity and Access Management (IAM) user or role, and then choose Next.

  6. For Define key usage permissions, choose Next.

  7. Confirm your configuration, and then choose Finish.

  8. Under Customer Managed Keys, select your AWS KMS key.

  9. Under Key policy, choose Switch to policy view.

  10. Choose Edit.

  11. Enter a new key policy for CRL encryption and distribution.

    For a key policy with the bucket key activated, enter the following policy:

    {  
    "Id": "key-consolepolicy-bucket-key-enabled",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Enable IAM User Permissions",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::account:root"
          },
          "Action": "kms:*",
          "Resource": "*"
        },
        {
          "Sid": "Allow access for Key Administrators",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::account:role/your-role-name",
              "arn:aws:iam::account:user/your-user-name"
            ]
          },
          "Action": [
            "kms:Create*",
            "kms:Describe*",
            "kms:Enable*",
            "kms:List*",
            "kms:Put*",
            "kms:Update*",
            "kms:Revoke*",
            "kms:Disable*",
            "kms:Get*",
            "kms:Delete*",
            "kms:TagResource",
            "kms:UntagResource",
            "kms:ScheduleKeyDeletion",
            "kms:CancelKeyDeletion",
            "kms:RotateKeyOnDemand"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Allow ACM-PCA use of the key",
          "Effect": "Allow",
          "Principal": {
            "Service": "acm-pca.amazonaws.com"
          },
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "*",
          "Condition": {
            "StringLike": {
              "kms:EncryptionContext:aws:s3:arn":"arn:aws:s3:::your-crl-storage-bucket"
            }
          }
        },
        {
          "Sid": "AllowCloudFrontServicePrincipalSSE-KMS",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudfront.amazonaws.com"
          },
          "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey*"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "AWS:SourceArn": "arn:aws:cloudfront::account:distribution/DISTRIBUTION_ID"
            }
          }
        }
      ]
    }

    Note: Replace account with your AWS account ID, your-role-name with your IAM role, your-user-name with your IAM user, your-crl-storage-bucket with your bucket name, and DISTRIBUTION_ID with your CloudFront distribution ID. The distribution only serves GET requests for the CRL, so kms:Decrypt alone is sufficient in the cloudfront.amazonaws.com statement; kms:Encrypt and kms:GenerateDataKey* are required only if the distribution also forwards PUT or POST requests to the origin.

    To create a key policy for a bucket without the bucket key activated, replace the value of the kms:EncryptionContext:aws:s3:arn condition key with the ARNs of the CRL objects instead of the bucket ARN, for example arn:aws:s3:::your-crl-storage-bucket/crl/*. Without an S3 Bucket Key, Amazon S3 sends the object ARN, not the bucket ARN, as the encryption context for each request.

  12. Choose Save changes.

  13. Open the Amazon S3 console.

  14. Select your bucket, and then choose Properties.

  15. Under Default encryption, choose Edit.

  16. Enter the following encryption parameters:
    For Encryption type, select Server-side encryption with AWS Key Management Service keys (SSE-KMS).
    For AWS KMS key, enter the Amazon Resource Name (ARN) of your AWS KMS key.
    For Bucket key, select Enable if your key policy uses the bucket ARN as the encryption context (the policy shown above), or Disable if it uses the object ARNs.

  17. Choose Save changes.

  18. To verify that you updated the CRL files, complete the steps in the Test your CRL section.

  19. To verify that the CRL files are correctly encrypted, run the head-object AWS CLI command:

    aws s3api head-object --bucket your-crl-storage-bucket --key crl/CA_ID.crl

    Note: Replace your-crl-storage-bucket with your bucket, and CA_ID with your CA ID.

  20. In the output, confirm that ServerSideEncryption is aws:kms, that SSEKMSKeyId is the ARN of your customer managed key, and that BucketKeyEnabled matches the Bucket key setting that you chose.

Related information

Set up a CRL for AWS Private CA

How to securely create and store your CRL for ACM Private CA

Security best practices for Amazon S3

ACM Private CA best practices