ACM Private Certificate Authority (ACM Private CA)

This workshop demonstrates how the ACM Private Certificate Authority (ACM Private CA, or PCA) service can be used to create a complete CA hierarchy, issue a private certificate, and install that certificate on an Application Load Balancer while following security best practices.

1. You will be using an AWS-provided account for this workshop.

2. An IAM role called CaAdminRole is the role that a CA administrator would assume.

3. Build the infrastructure needed for creating a CA hierarchy by deploying the CloudFormation template below.

Download the CA Admin CloudFormation template (right-click the link and choose "Save Link As") and save it on your laptop as template-ca-admin.yaml.

Upload and launch the CloudFormation stack in the AWS account that you are logged into. If you are not familiar with this, follow the Deploy CloudFormation Stack Instructions (right-click the link and open it in a new browser tab).

4. Create a Root CA.

5. Create a Subordinate Issuing CA.

7. An IAM role called AppDevRole is the role that an application developer would assume.

8. Build the application infrastructure by deploying the CloudFormation template below.

Download the AppDev CloudFormation template (right-click the link and choose "Save Link As") and save it on your laptop as template-appdev.yaml.

Upload and launch the CloudFormation stack in your AWS account. If you are not familiar with this, follow the Deploy CloudFormation Stack Instructions (right-click the link and open it in a new browser tab). This CloudFormation deployment takes about 3 minutes to complete.

9. The next step is to issue a private certificate to install on the Application Load Balancer.

Open this link in a new browser tab for steps : Issue a private certificate

10. Attach an HTTPS listener and the private certificate to the ALB.

Open this link in a new browser tab for steps : Attach HTTPS Listener

Validate the certificate identity in your browser:

For Firefox: Validate Certificate Identity on Firefox browser

For Google Chrome: Validate Certificate Identity on Chrome browser

For Microsoft Edge: Validate Certificate Identity on Microsoft Edge browser
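The CA hierarchy built in steps 4 and 5, the certificate issued in step 9, and the identity check the browser performs above, replayed offline with openssl so the chain and the constraints on each tier can be inspected and tested. This is an added example, not code from the workshop or from AWS: the openssl commands stand in for the ACM Private CA and ACM operations the workshop performs in the console, and the hostname app.workshop.internal, the working directory and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the workshop: rebuild the same three-tier hierarchy with openssl so the
# constraints ACM Private CA applies for you can be inspected and tested offline.
# Root CA (pathlen:1) -> subordinate issuing CA (pathlen:0) -> end-entity certificate for the ALB.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
ALB_NAME="${ALB_NAME:-app.workshop.internal}"   # assumed hostname; the workshop does not fix one

# Minimal openssl config: the subject comes from -subj, the extensions from the named section.
write_cnf() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ALB_NAME
authorityKeyIdentifier = keyid:always
EOF
}

# new_csr NAME SUBJECT: fresh RSA key plus CSR.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# issue NAME ISSUER SECTION DAYS: sign NAME.csr with ISSUER's key, applying only SECTION's extensions.
issue() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -sha256 -days "$4" -extfile "$WORK/ca.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

build_hierarchy() {
  write_cnf
  # Root CA: self-signed; in production it stays offline and only ever signs the issuing CA.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$WORK/ca.cnf" \
    -subj "/CN=Workshop Root CA" -extensions v3_root -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  # Subordinate issuing CA, signed by the root; pathlen:0 lets it sign server certs but no further CAs.
  new_csr sub "/CN=Workshop Issuing CA"
  issue sub root v3_sub 1825
  # End-entity certificate for the load balancer, issued by the subordinate, never by the root.
  new_csr alb "/CN=$ALB_NAME"
  issue alb sub v3_leaf 365
}

# verify_ok ARGS...: true only when openssl verify reports the certificate as OK
# (grep rather than exit status, because old openssl releases exit 0 on verification failure).
verify_ok() { openssl verify "$@" 2>&1 | grep ': OK$' >/dev/null; }

# The check a browser that trusts only the root performs: alb -> issuing CA -> root, plus hostname.
chain_ok() {  # $1 = hostname expected in the certificate
  verify_ok -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" -verify_hostname "$1" "$WORK/alb.crt"
}

# Without the issuing CA certificate the chain cannot be built, which is why the ALB must serve it
# (ACM bundles it into the listener's certificate when the cert was issued from Private CA).
chain_fails_without_intermediate() {
  ! verify_ok -CAfile "$WORK/root.crt" "$WORK/alb.crt"
}

# pathlen:0 on the issuing CA is enforced at verification time: a CA certificate it signs, and
# anything that CA issues for the ALB hostname, is rejected even though every signature is valid.
pathlen_enforced() {
  new_csr rogue "/CN=Rogue CA"
  issue rogue sub v3_sub 365
  new_csr evil "/CN=$ALB_NAME"
  issue evil rogue v3_leaf 365
  cat "$WORK/sub.crt" "$WORK/rogue.crt" > "$WORK/untrusted.pem"
  ! verify_ok -CAfile "$WORK/root.crt" -untrusted "$WORK/untrusted.pem" -verify_hostname "$ALB_NAME" "$WORK/evil.crt"
}

# Live check against the workshop ALB (network required, so it only runs when ALB_HOST is set).
# Replace root.crt with the Private CA root exported from ACM PCA to test the real deployment.
alb_chain_check() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$WORK/root.crt" </dev/null 2>/dev/null \
    | grep 'Verify return code'   # expect "Verify return code: 0 (ok)"
}

build_hierarchy
echo "hierarchy written to $WORK"
if [ -n "${ALB_HOST:-}" ]; then alb_chain_check "$ALB_HOST"; fi
```

To run the live check against the ALB from step 10, export the workshop root with `aws acm-pca get-certificate-authority-certificate --certificate-authority-arn <root CA ARN> --query Certificate --output text`, save it as root.crt in the working directory, and run the script with ALB_HOST set to the load balancer's DNS name. The same verification failure that `chain_fails_without_intermediate` demonstrates is what a browser shows when the listener serves only the leaf certificate, and `pathlen_enforced` is the reason the subordinate CA in step 5 should be created with path length 0: even a compromised issuing CA then cannot mint a further CA that clients would accept.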

13. Cleanup

Don't worry about cleanup; we will take care of it. We hope you learned something useful in this workshop that you can take back to your organization. Thank you for coming.

License Summary

This sample code is made available under a modified MIT license. See the LICENSE file.