Integrating Amazon Certificate Manager with Venafi

Use Venafi's AWS Certificate Manager (ACM) driver to integrate with the Amazon Web Services (AWS) ecosystem to better secure your machine identities.

ACM is designed to simplify certificate acquisition and administrative processes by generating and storing keys, CSRs and certificates internally.

You can use the Venafi ACM driver to manage both public and private (external and internal) certificates across multiple regions.

Before you start

Before you can issue private certificates, you need to create a private CA within each region where you want to issue and revoke private digital certificates.

When you request a public ACM certificate, you only need to specify valid names: a Common Name and any number of DNS Subject Alternative Names. Settings that normally govern key and CSR generation do not apply, because ACM generates the key pair and CSR itself. To learn more about ACM, see https://aws.amazon.com/certificate-manager/.

Ready to go?

At a high level, here are the key steps we'll take to integrate AWS with Venafi Trust Protection Platform:

Step 1: Verify that your Amazon account is ready to go

First things first

Make sure that the IAM policy attached to the AWS role you'll use with Venafi Trust Protection Platform grants the permissions the ACM driver needs: access to ACM for public certificates and, if you will issue private certificates, access to the Private CA as well (see Step 2).


Step 2: Set up an Amazon Private CA (Optional)

If you're going to use an Amazon Private CA to generate private digital certificates, then you'll need to complete the following tasks in AWS Certificate Manager (ACM).

  1. Create and configure an Amazon Private CA within a specific region, if you've not already done so.

    Be sure to note the region because you'll need that information when configuring Venafi's Amazon AWS driver.

  2. Update the AWS policy to grant permissions to the Private CA (see Step 1: Verify that your Amazon account is ready to go).

  3. Give the AWS role you'll use with Venafi's Amazon Credential (a step you'll complete later) permission to the Private CA.
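The checks in Step 1 and Step 2 can be scripted with the AWS CLI. The script below is an added example, not part of the original page and not Venafi's or AWS's own tooling: it simulates a set of ACM and ACM Private CA actions against the role and lists the ACTIVE Private CAs in each region you name, so you can record the region for the CA template. The action list, the role ARN `arn:aws:iam::123456789012:role/VenafiTPP`, the region names and the script name `check_aws_ready.sh` are assumptions; take the authoritative permission list from Venafi's driver documentation.

```shell
#!/bin/sh
# Added example, not Venafi's or AWS's own tooling: a readiness check for the
# AWS role that Trust Protection Platform will use (Step 1) and a listing of
# the Private CAs, per region, that the driver can issue from (Step 2).
# Assumptions: AWS CLI v2 is installed and the configured credentials may call
# iam:SimulatePrincipalPolicy and acm-pca:ListCertificateAuthorities. The action
# list is illustrative, not Venafi's documented minimum permission set.
set -eu

# Actions for public certificates (ACM) and for private ones (ACM Private CA).
ACM_ACTIONS="acm:RequestCertificate acm:DescribeCertificate acm:GetCertificate acm:ListCertificates acm:DeleteCertificate"
PCA_ACTIONS="acm-pca:ListCertificateAuthorities acm-pca:DescribeCertificateAuthority acm-pca:IssueCertificate acm-pca:GetCertificate acm-pca:RevokeCertificate"

# Read "action<TAB>decision" rows on stdin and print every action whose decision
# is not "allowed" (AWS reports implicitDeny or explicitDeny). Exit 1 if any
# action was denied, 0 if all were allowed.
denied_actions() {
    awk 'BEGIN { FS = "\t" }
         NF >= 2 && $2 != "allowed" { print $1; bad = 1 }
         END { exit (bad ? 1 : 0) }'
}

# Simulate the actions against the role's identity-based policies and report
# the denied ones. The simulator does not evaluate a resource policy on the CA
# itself, so a CA shared from another account still needs checking there.
# Usage: check_role_permissions arn:aws:iam::123456789012:role/VenafiTPP
check_role_permissions() {
    rows=$(aws iam simulate-principal-policy \
        --policy-source-arn "$1" \
        --action-names $ACM_ACTIONS $PCA_ACTIONS \
        --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
        --output text) || { echo "simulation failed for $1" >&2; return 2; }
    printf '%s\n' "$rows" | denied_actions
}

# Print the ARNs of the ACTIVE Private CAs in one region. The CA template in
# Step 4 is bound to a region, so run this for every region you will issue from.
# Usage: active_private_cas us-east-1
active_private_cas() {
    aws acm-pca list-certificate-authorities --region "$1" \
        --query 'CertificateAuthorities[?Status==`ACTIVE`].Arn' --output text
}

# Runs only when invoked with a role ARN and at least one region, e.g.
#   sh check_aws_ready.sh arn:aws:iam::123456789012:role/VenafiTPP us-east-1 eu-west-1
if [ "$#" -ge 2 ]; then
    role=$1; shift
    if denied=$(check_role_permissions "$role"); then
        echo "$role: every simulated ACM/ACM PCA action is allowed"
    else
        echo "$role is not ready; denied actions:" >&2
        printf '%s\n' "$denied" >&2
        exit 1
    fi
    for region in "$@"; do
        echo "ACTIVE Private CAs in $region:"
        active_private_cas "$region"
    done
fi
```

The simulator only tells you what the role's own policies allow; it does not prove that a request will reach a specific CA, so once the Amazon Credential exists, issue one test certificate from Trust Protection Platform before rolling the template out.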


Step 3: Create an Amazon Credential

In Trust Protection Platform, create an Amazon credential that specifies the AWS role with permissions to ACM and, if you issue private certificates, to the Private CA in ACM.

To create an Amazon Credential

  1. From the TLS Protect menu bar, click Inventory > Credentials, and then click Create a New Credential.
  2. Click the Credential Type list and select Amazon.

  3. Click Folder and select the policy folder in which to create your new credential.
  4. In Credential Name, type a unique name for the new credential object, and then click Create and Configure.

  1. Click the Source list and select Local, EC2 Assigned Role, or ADFS, depending on which authentication method you need.

  2. (Conditional) If you selected Local from the Source list, then do the following:

    1. Type the IAM access key ID in the Access Key field and the corresponding secret access key in the Secret Key field.

      You'll be required to retype them in each of the confirmation fields.

    2. (Optional) If you plan to use this new Amazon Credential to access multiple AWS accounts (cross-account access), then in Role Name or Role to Assume, type just the name of the AWS role you set up in the target account (not the full ARN).

      If you are using cross-accounts, see Authenticating to multiple AWS accounts using a single Amazon Credential.

    3. If the role's trust policy requires an External ID, type it in the External ID field.

    4. When you're finished, click Save.
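For the cross-account case above, the role in the target account must trust the principal whose access key you entered and require the External ID. The script below is an added example, not from the page and not Venafi's or AWS's code: it generates that trust policy, applies it with the AWS CLI, and performs the same assume-role call Trust Protection Platform makes. The account IDs 111122223333 (the account holding the access key) and 222233334444 (the target account), the IAM user name venafi-tpp, the role name VenafiTPP and the External ID are placeholders, and trusting a specific IAM user rather than the whole account is a least-privilege choice of this example.

```shell
#!/bin/sh
# Added example, not Venafi's or AWS's own code. Sets up and tests the
# cross-account role that Trust Protection Platform assumes from a Local
# Amazon Credential: the role's trust policy names the IAM principal whose
# access key is stored in the credential and requires the External ID.
# Assumptions: AWS CLI v2; the account IDs, user and role names and External ID
# in the usage lines are placeholders.
set -eu

# Trust policy: only the named principal may assume the role, and only when it
# passes the matching External ID. Requiring the External ID stops a third
# party who merely knows the role ARN from getting your Venafi credential to
# assume the role on their behalf (the confused-deputy problem).
# Usage: trust_policy_json <principal arn> <external id>
trust_policy_json() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "$1" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "$2" } }
    }
  ]
}
EOF
}

# Build the ARN that a bare role name (what the credential form takes) resolves to.
# Usage: role_arn <account id> <role name>
role_arn() {
    printf 'arn:aws:iam::%s:role/%s\n' "$1" "$2"
}

# Attach the trust policy to the role; run with credentials in the target account.
# Usage: set_trust_policy <role name> <principal arn> <external id>
set_trust_policy() {
    aws iam update-assume-role-policy --role-name "$1" \
        --policy-document "$(trust_policy_json "$2" "$3")"
}

# Assume the role the way Trust Protection Platform will: with the access key
# from the Amazon Credential (configured as the CLI's credentials) plus the
# External ID. Prints the assumed-role ARN on success; a missing or mismatched
# External ID fails with AccessDenied.
# Usage: assume_as_tpp <role arn> <external id>
assume_as_tpp() {
    aws sts assume-role --role-arn "$1" --role-session-name venafi-tpp-check \
        --external-id "$2" --query 'AssumedRoleUser.Arn' --output text
}

# Example invocation with placeholder values; runs only when arguments are given:
#   sh cross_account_role.sh 222233334444 VenafiTPP \
#       arn:aws:iam::111122223333:user/venafi-tpp 8f3c-example-external-id
if [ "$#" -eq 4 ]; then
    set_trust_policy "$2" "$3" "$4"
    assume_as_tpp "$(role_arn "$1" "$2")" "$4"
fi
```

Run the assume-role check with the same access key you typed into the credential; if it succeeds here and the role carries the ACM permissions from Step 1, the Local credential with that Role Name and External ID will work in Trust Protection Platform.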

  3. (Conditional) If you selected ADFS from the Source drop-down list, then do the following:
    1. In the ADFS Username Credential field, select the username credential that holds the Active Directory account used to sign in to ADFS.

      If you haven't yet created a user name credential for use with Amazon, click Create New Credential to define a new one, and then continue.

    2. In the Web Service URL field, type the full URL of your ADFS server.

    3. From the Role list, select the role that has the required permissions.

      DID YOU KNOW?  Each of the roles that appear in the Role list uses the following format:

      arn:aws:iam::AWSAccountNumber:role/RoleMappedToADgroupByADFS

      So, for example:

      arn:aws:iam::123423455678:role/MYCO-VenafiTPP

      For more information about setting up your federated sign-in through Active Directory (AD) and ADFS, visit https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/.

    4. When you're finished, click Save.

  4. (Conditional) If you selected EC2 Assigned Role from the Source drop-down list, just click Save to finish.

    When you select this option, Trust Protection Platform authenticates with permissions that are assigned to the EC2 server on which it is running.

    IMPORTANT  If you don't see this mode in the Source list, you don't have the proper permissions to use it. You must be either a master administrator, or you must request that you be added to the authorized identities list for using the AWS EC2 Assigned Role. To continue, contact a master administrator. See Authorizing the use of EC2 Assigned Role for Amazon credentials.

For additional information, see Creating Amazon credentials.

Step 4: Create and configure an AWS Certificate Manager CA template

To enable Trust Protection Platform to manage certificates issued by Amazon for use by AWS applications, you must create an AWS Certificate Manager CA template object.

What's a CA template object? CA templates provide Trust Protection Platform with the information it needs to request, retrieve and retire certificates issued by the Amazon CA.

To create and configure an Amazon Certificate Manager CA template

  1. From the TLS Protect menu bar, click Policy Tree.
  2. From the Tree drop-down menu, click Policy.
  3. In the Policy tree, select the folder where you want to create the CA Template object, and then click Add.
  4. Click CA Template, then select AWS Certificate Manager to create it.
  5. In the CA Name box, type a name for the new AWS Certificate Manager object.
  1. Under Configuration, select the Amazon credential you created in Step 3: Create an Amazon Credential.

  2. From the Region list, select the region where your AWS application resides.

    For more information about AWS regions, visit http://docs.aws.amazon.com/general/latest/gr/rande.html.

  3. Specify a Certificate trust type by selecting either Public or Private certificate, depending on the type of certificates you want created.

  4. (Conditional) If you selected Public certificate as your certificate trust type, then do the following:

    1. Click Validate.

    2. Under Options, select a Domain Validation Recipient.

  5. (Conditional) If you selected Private certificate as your certificate trust type, then do the following:

    1. Click Validate.

    2. Under Options, select which private CA to use.

    3. Select Private key and CSR are generated by CA if you want ACM to generate them.

      Clear this box if you want Trust Protection Platform to generate the private key and CSR.

      IMPORTANT  Be sure to verify with Amazon or Venafi regarding any associated costs for generating private keys and CSRs. Pricing models change periodically and you should be aware of the costs before selecting either option.

    4. (Conditional) If you cleared the Private key and CSR are generated by CA checkbox, then you've opted to have Venafi generate them. In this case, do the following:
      1. Select a Template for creating the private certificate.
      2. Select the Signature Algorithm to be used when generating the certificate.
      3. Enter a Validity Period (in days).
  6. Click Save.

To see additional attributes, review the settings on the Support tab.