By using AWS re:Post, you agree to the AWS re:Post Terms of Use

Using ACM cross-account with ACM PrivateCA in short-lived mode

0

Hi, We have set up ACM PrivateCA in short-lived mode in one account and ACM for requesting and renewing private certs from the PrivateCA in another account. The PrivateCA is shared via RAM and ACM has cross account permissions for requesting and renewing certs. When trying to request a new private cert in ACM, we receive the error message "ACM does not support PrivateCA short-lived mode". We have not found this limitation in any documentation or blog so far. Have we overseen something? How can we use ACM with PrivateCA in short-lived mode? Thanks :)

3 Answers
1

AWS Certificate Manager (ACM) issues certificates with a validity of 13 months i.e. 395 days. This validity period can't be changed. Now, when a CA is created using the SHORT_LIVED_CERTIFICATE mode in AWS Private CA, the CA can only issue certificates with a maximum validity of 7 days. Therefore, ACM will fail to issue private certificates from a PCA created with the SHORT_LIVED_CERTIFICATE mode. This is mentioned in our AWS PCA user guide at https://docs.aws.amazon.com/privateca/latest/userguide/short-lived-certificates.html#short.

To get certificates from a PCA created with the SHORT_LIVED_CERTIFICATE mode, you must use the AWS PCA API IssueCertificate or CLI command issue-certificate where you can specify the validity of the certificate requested as 7 days or less. Please check the API at https://docs.aws.amazon.com/privateca/latest/APIReference/API_IssueCertificate.html and the CLI command at https://docs.aws.amazon.com/cli/latest/reference/acm-pca/issue-certificate.html.

This API or CLI command would need to be run by an IAM principal in the account where your shared PCA exists. Please note that this IAM principal must have the required AWS PCA permissions attached as the IAM permission policy in addition to the resource based policy provisioned by RAM.

AWS
answered 2 years ago
0

Thanks @AWS-User-4837236. This means, we cannot use an AWS native service for automated renewal with short-lived private certs but would e .g. need to write lambda function(s) doing the job via api, does it? Thanks :)

answered 2 years ago
0

Yes, that is correct. Only ACM issued private certificates are eligible for automatic renewal. Now, since ACM can not issue private certificates from a PCA with SHORT_LIVED_CERTIFICATE mode, the certificates are issued by using the AWS PCA API/CLI (IssueCertificate). And these certificates can not be renewed. You will need to request a new private certificate using the API/CLI when the previous certificate expires.

And yes, you can write lambda functions to invoke the AWS PCA APIs to issue and manage your certificates.

AWS
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions