<h1>How to use AWS Private Certificate Authority short-lived certificate mode</h1>
<p>AWS Private Certificate Authority (AWS Private CA) is a highly available, fully managed private certificate authority (CA) service that you can use to create CA hierarchies and issue private X.509 certificates. You can use these private certificates to establish endpoints for TLS encryption, cryptographically sign code, authenticate users, and more.</p>
<p>Based on customer feedback for prorated certificate pricing options, AWS Private CA <a href="https://aws.amazon.com/about-aws/whats-new/2022/10/aws-private-certificate-authority-introduces-mode-short-lived-certificates/" target="_blank" rel="noopener">now offers short-lived certificate mode</a>, a lower cost mode of AWS Private CA that is designed to issue short-lived certificates. In this blog post, we will compare the original general-purpose and new short-lived CA modes and discuss use cases for each of them.</p>
<p>The general-purpose mode of AWS Private CA supports certificates of any validity period. The addition of short-lived CA mode is intended to facilitate use cases where you want certificates with a short validity period, defined as 7 days or less. Keep in mind this doesn’t mean that the root CA certificate must also be short lived. Although <a href="https://docs.aws.amazon.com/privateca/latest/userguide/ca-lifecycle.html" target="_blank" rel="noopener">a typical root CA certificate is valid for 10 years</a>, you can customize the certificate validity period for CAs in either mode when you install the CA certificate.</p>
<p>You select the CA mode when you create a certificate authority. The CA mode cannot be changed for an existing CA. Both modes (general-purpose and short-lived) have <a href="https://aws.amazon.com/private-ca/pricing/" rel="noopener" target="_blank">distinct pricing</a> for the different use cases that they support.</p>
<p>The short-lived CA mode offers an accessible pricing model for customers who need to issue certificates with a short-term validity period. You can use these short-lived certificates for on-demand AWS workloads and align the validity of the certificate with the lifetime of the certificate holder. For example, if you’re using certificate-based authentication for a virtual workstation that is rebuilt each day, you can configure your certificates to expire after 24 hours.</p>
<p>In this blog post, we will compare the two CA modes, examine their pricing models, and discuss several potential use cases for short-lived certificates. We will also provide a walkthrough that shows you how to create a short-lived mode CA by using the <a href="https://aws.amazon.com/cli/" target="_blank" rel="noopener">AWS Command Line Interface (AWS CLI)</a>. To create a short-lived mode CA using the <a href="https://aws.amazon.com/console/" target="_blank" rel="noopener">AWS Management Console</a>, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/Create-CA-console.html" target="_blank" rel="noopener">Procedure for creating a CA (console)</a>.</p>
<h2>Comparing general-purpose mode CAs to short-lived mode CAs</h2>
<p>You might be wondering, “How is the short-lived CA mode different from the general-purpose CA mode? I can already create certificates with a short validity period by using AWS Private CA.” The key difference between these two CA modes is cost. Short-lived CA mode is priced to better serve use cases where you reissue private certificates frequently, such as for certificate-based authentication (CBA).</p>
<p>With CBA, users can authenticate once and then seamlessly access resources, including <a href="https://aws.amazon.com/workspaces/" target="_blank" rel="noopener">Amazon WorkSpaces</a> and <a href="https://aws.amazon.com/appstream2/" target="_blank" rel="noopener">Amazon AppStream 2.0</a>, without re-entering their credentials. This use case demonstrates the security value of short-lived certificates. A short validity period for the certificate reduces the impact of a compromised certificate because the certificate can only be used for authentication during a small window before it’s automatically invalidated. This method of authentication is useful for customers who are looking to adopt a <a href="https://aws.amazon.com/security/zero-trust/" target="_blank" rel="noopener">Zero Trust</a> security strategy.</p>
<p>Before the release of the short-lived CA mode, using AWS Private CA for CBA could be cost prohibitive for some customers. This is because CBA needs a new certificate for each user at regular intervals, which can require issuing a high volume of certificates. The best practice for CBA is to use short-lived CA mode, which can issue certificates at a lower cost that can be used to authenticate a user and then expire shortly afterward.</p>
<p>Let’s take a closer look at the pricing models for the two CA modes that are available when you use AWS Private CA.</p>
<h2>Pricing model comparison</h2>
<p>You can issue short-lived certificates from both the general-purpose and short-lived CA modes of AWS Private CA. However, the general-purpose mode CAs incur a monthly charge of $400 per CA. The cost of issuing certificates from a general-purpose mode CA is based on the number of certificates that you issue per month, per <a href="https://aws.amazon.com/about-aws/global-infrastructure/regions_az/" target="_blank" rel="noopener">AWS Region</a>.</p>
<p>The following table shows the pricing tiers for certificates issued by AWS Private CA by using a general-purpose mode CA.</p>
<table width="100%">
<tbody>
<tr>
<td width="50%"><strong>Number of private certificates created each month (per Region)</strong></td>
<td width="50%"><strong>Price (per certificate)</strong></td>
</tr>
<tr>
<td width="50%">1–1,000</td>
<td width="50%">$0.75 USD</td>
</tr>
<tr>
<td width="50%">1,001–10,000</td>
<td width="50%">$0.35 USD</td>
</tr>
<tr>
<td width="50%">10,001 and above</td>
<td width="50%">$0.001 USD</td>
</tr>
</tbody>
</table>
<p>The short-lived mode CA will only incur a monthly charge of $50 per CA. The cost of issuing certificates from a short-lived mode CA is the same regardless of the volume of certificates issued: $0.058 per certificate. This pricing structure is more cost effective than general-purpose mode if you need to frequently issue new, short-lived certificates for a use case like certificate-based authentication. Figure 1 compares costs between modes at different certificate volumes.</p>
<div id="attachment_28571" class="wp-caption aligncenter">
<img aria-describedby="caption-attachment-28571" src="https://infracom.com.sg/wp-content/uploads/2023/02/img1-4-1024x576-1.png" alt="Figure 1: Cost comparison of AWS Private CA modes" width="760" class="size-large wp-image-28571">
<p id="caption-attachment-28571" class="wp-caption-text">Figure 1: Cost comparison of AWS Private CA modes</p>
</div>
<p>It’s important to note that if you already issue a high volume of certificates each month from AWS Private CA, the short-lived CA mode might not be more cost effective than the general-purpose mode. Consider a customer who has one CA and issues 80,000 certificates per month using the general-purpose CA mode: this will incur a total monthly cost of $4,370. A breakdown of the total cost per month in this scenario is as follows.</p>
<table width="100%">
<tbody>
<tr>
<td> <p><strong>1 private CA x 400 USD per month = 400 USD per month for operation of AWS Private CA</strong></p> <p>Tiered price for 80,000 issued certificates:<br>1,000 issued certificates x 0.75 USD = 750 USD<br>9,000 issued certificates x 0.35 USD = 3,150 USD<br>70,000 issued certificates x 0.001 USD = 70 USD<br>Total tier cost: 750 USD + 3,150 USD + 70 USD = 3,970 USD per month for certificates issued<br>400 USD for the CA + 3,970 USD for certificates issued = 4,370 USD<br><strong>Total cost (monthly): 4,370 USD</strong></p> </td>
</tr>
</tbody>
</table>
<p>Now imagine that same customer chose to use a short-lived mode CA to issue the same number of private certificates. Although the cost per month of the short-lived mode CA instance is lower, the price of issuing short-lived certificates would still be greater than the 70,000 certificates issued at a cost of $0.001 with the general-purpose mode CA. The total cost of issuing this many certificates from a single short-lived mode CA is $4,690. A breakdown of the total cost per month in this scenario is as follows.</p>
<table width="100%">
<tbody>
<tr>
<td> <p><strong>1 private CA x 50 USD per month = 50 USD per month for operation of AWS Private CA (short-lived CA mode)</strong></p> <p>Price for 80,000 issued certificates (short-lived CA mode):<br>80,000 issued certificates x 0.058 USD = 4,640 USD<br>50 USD for the CA + 4,640 USD for certificates issued = 4,690 USD<br><strong>Total cost (monthly): 4,690 USD</strong></p> </td>
</tr>
</tbody>
</table>
<p>At very high volumes of certificate issuance, the short-lived CA mode is not as cost effective as the general-purpose CA mode. It’s important to consider the volume of certificates that your organization will be issuing when you decide which CA mode to use. Figure 1 shows the cost difference at various volumes of certificate issuance. This difference will vary based on the number of certificates issued, as well as the number of CAs that your organization uses.</p>
<p>You should also evaluate the various use cases that your organization has for using private certificates. For example, private certificates that are used to terminate TLS traffic typically have a validity of a year or more, which means that the short-lived CA mode cannot support this use case. The short-lived CA mode can only issue certificates with a validity of 7 days or less.</p>
<p>However, you can create multiple private CAs and select the appropriate certificate authority mode for each CA based on your requirements. We recommend that you evaluate your use cases and estimate your certificate volume when you consider which CA mode to use.</p>
<p>In general, you should use the new short-lived CA mode for use cases where you require certificates with a short validity period (7 days or less) and you are not planning to issue more than 75,000 certificates per month. You should use the general-purpose CA mode for scenarios where you need to issue certificates with a validity period of more than 7 days, or when you need short-lived certificates but will be issuing very high volumes of certificates each month (for example, over 75,000).</p>
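<p>The pricing comparison above, as an added example that is not code from the AWS post: two shell functions encode the prices quoted in this section (general-purpose: $400 per CA plus the three tiers; short-lived: $50 per CA plus a flat $0.058 per certificate) and locate the monthly volume at which the general-purpose mode becomes the cheaper choice. The function names and the awk layout are ours; the numbers are the post's.</p>

```shell
#!/bin/sh
# Added example (not code from the AWS post): monthly cost model for the two
# AWS Private CA modes, built from the prices quoted in the post.
#   general-purpose: $400 per CA per month, then $0.75 (certificates 1-1,000),
#                    $0.35 (1,001-10,000) and $0.001 (10,001+) per certificate
#   short-lived:     $50 per CA per month plus a flat $0.058 per certificate
# Function names and the awk layout are ours; the numbers are the post's.

PCA_COST_AWK='
function general(n, cas,   t1, t2, t3) {
  t1 = (n < 1000) ? n : 1000                  # certificates billed at $0.75
  t2 = (n < 10000) ? n - t1 : 9000            # certificates billed at $0.35
  if (t2 < 0) t2 = 0
  t3 = (n > 10000) ? n - 10000 : 0            # certificates billed at $0.001
  return 400 * cas + 0.75 * t1 + 0.35 * t2 + 0.001 * t3
}
function shortlived(n, cas) { return 50 * cas + 0.058 * n }
'

# Usage: monthly_cost general|short-lived CERTS_PER_MONTH [NUM_CAS]
# Prints the total monthly bill in USD with two decimals.
monthly_cost() {
  awk -v mode="$1" -v n="$2" -v cas="${3:-1}" "$PCA_COST_AWK"'
  BEGIN {
    if (mode == "general") {
      c = general(n, cas)
    } else if (mode == "short-lived") {
      c = shortlived(n, cas)
    } else {
      print "unknown mode: " mode > "/dev/stderr"; exit 1
    }
    printf "%.2f\n", c
  }'
}

# Usage: break_even [NUM_CAS]
# Prints the smallest monthly certificate volume at which the general-purpose
# mode becomes strictly cheaper than the short-lived mode. Up to 10,000
# certificates the short-lived mode always wins (lower CA fee and lower
# per-certificate price), so the scan starts in the third general-purpose tier.
break_even() {
  awk -v cas="${1:-1}" "$PCA_COST_AWK"'
  BEGIN {
    n = 10001
    while (shortlived(n, cas) <= general(n, cas)) n++
    print n
  }'
}

# Reproduce the post's 80,000-certificate scenario when run directly.
if [ "$#" -eq 0 ]; then
  echo "general-purpose, 80,000 certificates: \$$(monthly_cost general 80000)"
  echo "short-lived,     80,000 certificates: \$$(monthly_cost short-lived 80000)"
  echo "break-even volume (one CA):           $(break_even)"
fi
```

<p>The break-even for a single CA comes out at 74,386 certificates per month, which is where the post's "over 75,000" guidance comes from; with more CAs the general-purpose mode's higher per-CA fee pushes that volume up.</p>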
<h2>Use cases</h2>
<p>The short-lived certificate feature was initially developed for <a href="https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-workspaces-certificate-based-authentication/" target="_blank" rel="noopener">certificate-based authentication with Amazon WorkSpaces</a> and <a href="https://aws.amazon.com/about-aws/whats-new/2022/10/certificate-based-authentication-amazon-appstream-2-0/" target="_blank" rel="noopener">Amazon AppStream 2.0</a>. For a step-by-step guide on how to configure certificate-based authentication for Amazon WorkSpaces, see <a href="https://aws.amazon.com/blogs/desktop-and-application-streaming/how-to-configure-certificate-based-authentication-for-amazon-workspaces/" target="_blank" rel="noopener">How to configure certificate-based authentication for Amazon WorkSpaces</a>. However, there are other ways to get value from the AWS Private CA short-lived CA mode, which we will describe in the following sections.</p>
<h3>IAM Roles Anywhere</h3>
<p>If you use <a href="https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html" target="_blank" rel="noopener">AWS Identity and Access Management (IAM) Roles Anywhere</a>, you might want to reduce the time period for which a certificate can be used to retrieve temporary credentials to assume an IAM role. If you frequently issue X.509 certificates to servers outside of AWS for use with IAM Roles Anywhere, and you want to use short-lived certificates, the pricing model for short-lived CA mode will be more cost effective in most cases (see Figure 1).</p>
<p>Short-lived credentials are useful for administrative personas that have broad permissions to AWS resources. For instance, you might use IAM Roles Anywhere to allow an entity outside AWS to assume an IAM role with the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html" target="_blank" rel="noopener">AdministratorAccess AWS managed policy attached</a>. To help manage the risk of this access pattern, you want the certificate to expire relatively quickly, which reduces the time period during which a compromised certificate could potentially be used to authenticate to a highly privileged IAM role.</p>
<p>Furthermore, IAM Roles Anywhere requires that you manually upload a certificate revocation list (CRL), and does not support the CRL and Online Certificate Status Protocol (OCSP) mechanisms that are native to AWS Private CA. Using short-lived certificates is a way to reduce the impact of a potential credential compromise without needing to configure revocation for IAM Roles Anywhere. The need for certificate revocation is greatly reduced if the certificates are only valid for a single day and can’t be used to retrieve temporary credentials to assume an IAM role after the certificate expires.</p>
<h3>Mutual TLS between workloads</h3>
<p>Consider a highly sensitive workload running on <a href="https://aws.amazon.com/eks/" target="_blank" rel="noopener">Amazon Elastic Kubernetes Service (Amazon EKS)</a>. AWS Private CA supports an open-source plugin for <a href="https://cert-manager.io/" target="_blank" rel="noopener">cert-manager</a>, a widely adopted solution for TLS certificate management in Kubernetes, that offers a more secure CA solution for Kubernetes containers. You can use cert-manager and AWS Private CA to issue certificates to identify cluster resources and encrypt data in transit with TLS.</p>
<p>If you use mutual TLS (mTLS) to protect network traffic between Kubernetes pods, you might want to align the validity period of the private certificates with the lifetime of the pods. For example, if you rebuild the worker nodes for your EKS cluster each day, you can issue certificates that expire after 24 hours and configure your application to request a new short-lived certificate before the current certificate expires.</p>
<p>This enables resource identification and mTLS between pods without requiring frequent revocation of certificates that were issued to resources that no longer exist. As stated previously, this method of issuing short-lived certificates is possible with the general-purpose CA mode—but using the new short-lived CA mode makes this use case more cost effective for customers who issue fewer than 75,000 certificates each month.</p>
<h2>Create a short-lived mode CA by using the AWS CLI</h2>
<p>In this section, we show you how to use the AWS CLI to create a new private certificate authority with the usage mode set to SHORT_LIVED_CERTIFICATE. If you don’t specify a usage mode, AWS Private CA creates a general-purpose mode CA by default. We won’t configure any form of revocation, because the short-lived CA mode makes revocation less useful: the certificates expire quickly as part of normal operations. For more examples of how to create CAs with the AWS CLI, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/Create-CA-CLI.html" target="_blank" rel="noopener">Procedure for creating a CA (CLI)</a>. For instructions to create short-lived mode CAs with the AWS console, see <a href="https://docs.aws.amazon.com/privateca/latest/userguide/Create-CA-console.html" target="_blank" rel="noopener">Procedure for creating a CA (Console)</a>.</p>
<p>This walkthrough has the following prerequisites:</p>
<ol>
<li>A terminal with the <code>.aws</code> configuration directory set up with a valid default Region, endpoint, and credentials. For information about configuring your AWS CLI environment, see <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html" target="_blank" rel="noopener">Configuration and credential file settings</a>.</li>
<li>An <a href="https://aws.amazon.com/iam/" target="_blank" rel="noopener">AWS Identity and Access Management (IAM)</a> user or role that has permissions to create a certificate authority by using AWS Private CA.</li>
<li>A certificate authority configuration file to supply when you create the CA. This file provides the subject details for the CA certificate, as well as the key and signing algorithm configuration.<br><blockquote>
<p><strong>Note:</strong> We provide an example CA configuration file, but you will need to modify this example to meet your requirements.</p>
</blockquote> </li>
</ol>
<h4>To use the create-certificate-authority command with the AWS CLI</h4>
<ol>
<li>We will use the following <span>ca_config.txt</span> file to create the certificate authority. You will need to modify this example to meet your requirements.
<div class="hide-language">
<pre><code class="lang-text">{
  "KeyAlgorithm": "RSA_2048",
  "SigningAlgorithm": "SHA256WITHRSA",
  "Subject": {
    "Country": "US",
    "Organization": "Example Corp",
    "OrganizationalUnit": "Sales",
    "State": "WA",
    "Locality": "Seattle",
    "CommonName": "Example Root CA G1"
  }
}</code></pre>
</div>
</li>
<li>Enter the following command to create a short-lived mode root CA by using the parameters supplied in the <span>ca_config.txt</span> file.
<blockquote>
<p><strong>Note:</strong> Make sure that <span>ca_config.txt</span> is located in your current directory, or specify the full path to the file.</p>
</blockquote>
<p><code>aws acm-pca create-certificate-authority \
--certificate-authority-configuration file://ca_config.txt \
--certificate-authority-type "ROOT" \
--usage-mode SHORT_LIVED_CERTIFICATE \
--tags Key=usageMode,Value=SHORT_LIVED_CERTIFICATE</code></p>
</li>
<li>Use the <span>describe-certificate-authority</span> command to view the status of your new root CA. The status will show <span>PENDING_CERTIFICATE</span> until you install a self-signed root CA certificate. You will need to replace the certificate authority Amazon Resource Name (ARN) in the following command with your own CA ARN.
<p><code>sh-4.2$ aws acm-pca describe-certificate-authority --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID</code></p>
<p>The output of this command is as follows:</p>
<div class="hide-language">
<pre class="unlimited-height-code"><code class="lang-text">{
  "CertificateAuthority": {
    "Arn": "arn:aws:acm-pca:region:account:certificate-authority/CA_ID",
    "OwnerAccount": "account",
    "CreatedAt": "2022-11-02T23:12:46.916000+00:00",
    "LastStateChangeAt": "2022-11-02T23:12:47.779000+00:00",
    "Type": "ROOT",
    "Status": "PENDING_CERTIFICATE",
    "CertificateAuthorityConfiguration": {
      "KeyAlgorithm": "RSA_2048",
      "SigningAlgorithm": "SHA256WITHRSA",
      "Subject": {
        "Country": "US",
        "Organization": "Example Corp",
        "OrganizationalUnit": "Sales",
        "State": "WA",
        "CommonName": "Example Root CA G1",
        "Locality": "Seattle"
      }
    },
    "RevocationConfiguration": {
      "CrlConfiguration": {
        "Enabled": false
      },
      "OcspConfiguration": {
        "Enabled": false
      }
    },
    "KeyStorageSecurityStandard": "FIPS_140_2_LEVEL_3_OR_HIGHER",
    "UsageMode": "SHORT_LIVED_CERTIFICATE"
  }
}</code></pre>
</div>
</li>
<li>Generate a certificate signing request (CSR) for your root CA certificate by running the following command. Make sure to replace the certificate authority ARN in the command with your own CA ARN.
<p><code>aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
--output text &gt; ca.csr</code></p>
</li>
<li>Using the <span>ca.csr</span> file from the previous step as the argument for the <span>--csr</span> parameter, issue the root certificate with the following command. Make sure to replace the certificate authority ARN in the command with your own CA ARN.
<p><code>aws acm-pca issue-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
--csr fileb://ca.csr \
--signing-algorithm SHA256WITHRSA \
--template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
--validity Value=10,Type=YEARS</code></p>
</li>
<li>The response will include the <span>CertificateArn</span> for the issued root CA certificate. Next, use your CA ARN and the certificate ARN provided in the response to retrieve the certificate by using the <span>get-certificate</span> CLI command, as follows.
<p><code>aws acm-pca get-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
--certificate-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID/certificate/CERTIFICATE_ID \
--output text &gt; cert.pem</code></p>
</li>
<li>Notice that we created a new file, <span>cert.pem</span>, that contains the certificate we retrieved in the previous command. We will import this certificate to our short-lived mode root CA by running the following command. Make sure to replace the certificate authority ARN in the command with your own CA ARN.
<p><code>aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
--certificate fileb://cert.pem</code></p>
</li>
<li>Check the status of your short-lived mode CA again by using the <span>describe-certificate-authority</span> command. Make sure to replace the certificate authority ARN in the following command with your own CA ARN.
<p><code>sh-4.2$ aws acm-pca describe-certificate-authority \
&gt; --certificate-authority-arn arn:aws:acm-pca:region:account:certificate-authority/CA_ID \
&gt; --output json</code></p>
<p>The output of this command is as follows:</p>
</li>
<li>Great! As shown in the output from the preceding command, the new short-lived mode root CA has a status of <span>ACTIVE</span>, meaning it can now issue certificates. This certificate authority will be able to issue end-entity certificates that have a validity period of up to 7 days, as shown in the <span>UsageMode: SHORT_LIVED_CERTIFICATE</span> parameter.</li>
</ol>
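<p>The walkthrough above, scripted end to end as an added example that is not code from the AWS post: it runs the same commands against the post's <span>ca_config.txt</span>, extracts the CA and certificate ARNs with the CLI's <span>--query</span> option instead of pasting them by hand, and uses the <span>acm-pca wait</span> waiters so each step only runs once the previous one has completed. It assumes a configured AWS CLI v2 with permission to create and manage a CA; the function names are ours.</p>

```shell
#!/bin/sh
# Added example, not code from the AWS post: the post's walkthrough scripted
# end to end. Assumes a configured AWS CLI v2 with permission to create and
# manage a CA in AWS Private CA; the function names are ours.
set -eu

# Create a short-lived mode root CA from a configuration file (the post's
# ca_config.txt by default), self-sign it and activate it. Prints the CA ARN.
create_short_lived_root_ca() {
  config=${1:-ca_config.txt}
  [ -r "$config" ] || { echo "cannot read CA configuration $config" >&2; return 1; }

  # --query pulls the ARN out of the JSON response so nothing is pasted by hand.
  ca_arn=$(aws acm-pca create-certificate-authority \
    --certificate-authority-configuration "file://$config" \
    --certificate-authority-type ROOT \
    --usage-mode SHORT_LIVED_CERTIFICATE \
    --tags Key=usageMode,Value=SHORT_LIVED_CERTIFICATE \
    --query CertificateAuthorityArn --output text)

  # The CSR exists only once the CA reaches PENDING_CERTIFICATE, so wait for it.
  aws acm-pca wait certificate-authority-csr-created \
    --certificate-authority-arn "$ca_arn"
  aws acm-pca get-certificate-authority-csr \
    --certificate-authority-arn "$ca_arn" --output text > ca.csr

  # The mode caps the validity of issued end-entity certificates at 7 days;
  # the CA certificate itself can still be long-lived, as in the post.
  cert_arn=$(aws acm-pca issue-certificate \
    --certificate-authority-arn "$ca_arn" \
    --csr fileb://ca.csr \
    --signing-algorithm SHA256WITHRSA \
    --template-arn arn:aws:acm-pca:::template/RootCACertificate/V1 \
    --validity Value=10,Type=YEARS \
    --query CertificateArn --output text)

  # Issuance is asynchronous; get-certificate reports the request as still in
  # progress until the waiter returns.
  aws acm-pca wait certificate-issued \
    --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn"
  aws acm-pca get-certificate \
    --certificate-authority-arn "$ca_arn" --certificate-arn "$cert_arn" \
    --query Certificate --output text > cert.pem

  aws acm-pca import-certificate-authority-certificate \
    --certificate-authority-arn "$ca_arn" --certificate fileb://cert.pem

  echo "$ca_arn"
}

# Print "<Status><tab><UsageMode>" for a CA: the two fields the post's final
# describe-certificate-authority step checks (ACTIVE and SHORT_LIVED_CERTIFICATE).
ca_status() {
  aws acm-pca describe-certificate-authority \
    --certificate-authority-arn "$1" \
    --query 'CertificateAuthority.[Status,UsageMode]' --output text
}

# Run directly with the path to the configuration file as the only argument.
if [ "$#" -ge 1 ]; then
  arn=$(create_short_lived_root_ca "$1")
  ca_status "$arn"
fi
```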
<h2>Conclusion</h2>
<p>In this post, we introduced the short-lived CA mode that is offered by AWS Private CA, explained how it differs from the general-purpose CA mode, and compared the pricing models for both CA modes. We also provided some recommendations for choosing the appropriate CA mode based on your certificate issuance volume and use cases. Finally, we showed you how to create a short-lived mode CA by using the AWS CLI.</p>
<p>Get started using <a href="https://aws.amazon.com/certificate-manager/" target="_blank" rel="noopener">AWS Private CA</a>, and consult the <a href="https://docs.aws.amazon.com/privateca/latest/userguide/short-lived-certificates.html" target="_blank" rel="noopener">AWS Private CA User Guide</a> for more details on the short-lived CA mode.</p>
<p>If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the <a href="https://repost.aws/tags/TAJ7zd4vjzSfC_8JNlsbq2tA/aws-certificate-manager" rel="noopener" target="_blank">AWS Certificate Manager re:Post</a> or <a href="https://console.aws.amazon.com/support/home" rel="noopener" target="_blank">contact AWS Support</a>.</p>
<p><strong>Want more AWS Security news? Follow us on <a title="Twitter" href="https://twitter.com/AWSsecurityinfo" target="_blank" rel="noopener noreferrer">Twitter</a>.</strong></p>