DEV Community: Muhammed Sajeed

How to import server or client certificate on AWS Certificate Manager (ACM)

Muhammed Sajeed — Thu, 19 Jan 2023 14:48:18 +0000

How to import server or client certificate on AWS Certificate Manager (ACM)

AWS certificate manager (ACM) is certificate store we can either request a public ceritificate or import a certificate into ACM.

For several reasons we import the certificates into ACM and use it for client server mutual certificate based authentication. one of the example is when we setup AWS client VPN and one of the authentication method is mutual certificate authentication and we need to create and import the server/client certs into AWS.

Below is the steps how to create and upload a server/client certifiate into AWS ACM. Its using OpenVPN easy-rsa tool to create the cert and the keys.

Download the easy-rsa tool into your local computer and locate easy-rsa/easyrsa3 folder.

$ git clone https://github.com/OpenVPN/easy-rsa.git

$ cd easy-rsa/easyrsa3

Initialize new PKI environment. this will cleanup all existing CA, certs or keys inside easy-rsa folder. we would need to backup those before doing this.This will create new ca.crt and ca.key into the easyrsa3 folder.

$ ./easyrsa init-pki

Generate server certificate and the key. This will create server.crt and server.key into the easyrsa3 folder.

$ ./easyrsa build-server-full server nopass

Generate client certificate and key.

$ ./easyrsa build-client-full client1.domain.tld nopass

Copy the .crt and .key files into common folder and intiate aws cli comand to import the certificate into AWS ACM. You can find the .crt files into easy-rsa/easyrsa3/pki/issued folder and .key files into easy-rsa/easyrsa3/pki/private folder.Make sure the user has access to imort ACM certificates.

To import server certs

$ aws acm import-certificate — certificate fileb://server.crt — private-key fileb://server.key — certificate-chain fileb://ca.crt

To import client certs

$aws acm import-certificate — certificate fileb://client1.domain.tld.crt — private-key fileb://client1.domain.tld.key — certificate-chain fileb://ca.crt

How to create a Pre-signed URL in S3

Muhammed Sajeed — Thu, 19 Jan 2023 14:02:45 +0000

How to create a Pre-signed URL in S3

When you create a S3 bucket by default all the objects in the buckets you upload are privte and only the object owner has permission to access it.

However, the object owner can optionally share objects with others by creating a presigned URL, using their own security credentials, to grant time-limited permission to download the objects.

When you create a presigned URL and shared it, Anyone who receive the URL can access the objects even if the objects is private. For example if you upload a file object into the bucket and both the bucket and the file object is private, You can create the presigned URL and share it.

To create a Pre-signed URL from AWS console

Login to AWS console and select the bucket and object you want to create -pre-signed URL.Go to Actions and select share with Presigned URL option.AWS console maximum you can create presigned url with12 hours experation time.For loger time we would need to create the URL from AWS CLI/SDK.

To create a Pre-signed URL from AWS CLI

When you create presigned URL using a temporary token ( eg : from ec2 machine with instance profile attached ) the URL expires when the temporary tocken expires even if the URL was created with more expiration time.

The credentials you can use to create a presigned url include .

AWS Identity and Access Management (IAM) instance profile: Valid up to six hours.
AWS Security Token Service (STS): Valid up to 36 hours when signed by an AWS Identity and Access Management (IAM) user, or valid up to one hour when signed by the root user.
IAM user: Valid up to seven days when using AWS Signature Version 4.

If you want more expiration time for presigned URL more then 36 hours upto 7 days, i would recommed to use and configure AWS Access Key ID and AWS Secret Access Key into AWS CLI.

After Access/secret key into aws configure use below AWS CLI command to create presigned URL. Below example will create a presigned URL with max expiration of 7 days.

aws s3 presign s3://DOC-EXAMPLE-BUCKET/Drawing.zip— expires-in 604800

https://medium.com/@muhammedsajeed/how-to-create-a-pre-signed-url-in-s3-c56b7946b3d

Muhammed Sajeed — Thu, 19 Jan 2023 13:33:06 +0000