Ghulam Abbas

Reputation: 31

AWS WorkSpace - allow only trusted devices with certificate authentication

I am trying to implement the Allow only trusted devices feature on AWS WorkSpaces with Simple AD.

Can someone please guide me on how to generate a self-signed root & client certificate with the following features?

Certificates must be Base64-encoded certificate files in CRT, CERT, or PEM format. Certificates must include a Common Name. The maximum length of certificate chain supported is 4. Amazon WorkSpaces does not currently support device revocation mechanisms, such as certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP), for client certificates. Use a strong encryption algorithm. We recommend SHA256 with RSA, SHA256 with ECDSA, SHA381 with ECDSA, or SHA512 with ECDSA.

Upvotes: 3

Views: 2776

Answers (2)

yihao ye

Reputation: 431

Thanks @IchingChang, the article https://www.brunton-spall.co.uk/post/2020/04/28/Using-AWS-Workspaces/ is really helpful.

For future readers, if you are still struggling with this problem, also try bruntonspall's GitHub repository: https://github.com/bruntonspall/AWSWorkspacesCA

The following steps create all keys and certificates on the same machine (the CA machine); for a production use case, you should create the client public and private keys on the client machine:

  1. (only do this step if you want to renew, or did not create and upload your CA public key before) Run ./CA/gen_CA.sh, which will generate the CA's private and public keys; copy the public key (the .pem file) and upload it to the Access Control Options of your AWS WorkSpaces directory (https://docs.aws.amazon.com/workspaces/latest/adminguide/trusted-devices.html#configure-restriction).
  2. Run ./client/gen_client.sh, which will generate the client private and public keys and the corresponding CA-signed certificate.
  3. Copy the .pfx (or .p12) certificate file to your Windows laptop, click install, and select the current user and the personal store.

Now you should be able to log in with your WorkSpaces client (assuming you have already set up the AWS WorkSpaces side correctly with the other settings).

Upvotes: 0

Jon

Reputation: 31

You need to create the CA first:

# Names used in the file names and certificate subjects below
SERVER_NAME=fred
DOMAIN_NAME=domain.local

# Export the variable names (not their expanded values) so child processes can see them
export SERVER_NAME DOMAIN_NAME

# Generate the CA private key
openssl genrsa -out CA_$SERVER_NAME.$DOMAIN_NAME.key 2048

# Create the self-signed CA certificate (SHA256 with RSA, PEM format); this .pem is the file you upload to WorkSpaces
openssl req -x509 -new -nodes -key CA_$SERVER_NAME.$DOMAIN_NAME.key -sha256 -days 1024 -out CA_$SERVER_NAME.$DOMAIN_NAME.pem -subj "/C=GB/ST=MyCounty/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=$SERVER_NAME.$DOMAIN_NAME"

Then you can create certificates signed from the CA you just created.

# Generate the client private key
openssl genrsa -out $SERVER_NAME.$DOMAIN_NAME.key 2048

# Create a certificate signing request; the subject must include a Common Name, as WorkSpaces requires
openssl req -new -key $SERVER_NAME.$DOMAIN_NAME.key -out $SERVER_NAME.$DOMAIN_NAME.csr -subj "/C=GB/ST=MyCounty/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=$SERVER_NAME.$DOMAIN_NAME.client"

# Sign the request with the CA key to produce the client certificate (SHA256 with RSA, valid for one year)
openssl x509 -req -in $SERVER_NAME.$DOMAIN_NAME.csr -CA CA_$SERVER_NAME.$DOMAIN_NAME.pem -CAkey CA_$SERVER_NAME.$DOMAIN_NAME.key -CAcreateserial -out $SERVER_NAME.$DOMAIN_NAME.crt -days 365 -sha256

Now that you have a CA and a certificate created, you can test that the certificate was issued by the CA by running:

openssl verify -CAfile CA_fred.domain.local.pem fred.domain.local.crt

Upvotes: 3
