Master_Yoda

Reputation: 1132

How do I generate a trustedCertificates.pem and certificateChain.pem file for Amazon EMR?

I'm trying to encrypt TLS traffic in transit between EMR nodes. The example on the AWS website uses a self-signed certificate.

Because this is all within my private network, I have generated a root CA certificate with a private key that is tightly secured. I then have a derived certificate which can perform key encipherment, digital signature, and server auth.

Let's call the root CA certificate A, and the derived certificate B.

EMR says that I need to upload a zipfile to s3 containing 2 required files and one optional file:

For privateKey.pem, I assume I can just use the private key associated with certificate B.

  1. For certificateChain.pem, do I need the contents of the certificate B concatenated with certificate A or do I just need the contents of certificate A?
  2. For trustedCertificates.pem do I need the contents of certificate A or of certificate B?

Upvotes: 0

Views: 1996

Answers (1)

John Hanley

Reputation: 81336

If you follow this AWS script as per the documentation you will find that trustedCertificates.pem and certificateChain.pem are the same file (via a file copy).

openssl req -x509 -newkey rsa:2048 -keyout privateKey.pem -out certificateChain.pem -days 365 -nodes -subj '/C=US/ST=Washington/L=Seattle/O=MyOrg/OU=MyDept/CN=*.ec2.internal'

cp certificateChain.pem trustedCertificates.pem

zip -r -X certs.zip privateKey.pem certificateChain.pem trustedCertificates.pem

EMR Create Certificate Script

You are complicating things by creating a root certificate, which is not necessary. Follow the AWS documentation on setting up TLS on EMR:

Secure Amazon EMR with Encryption

The zip file that you upload to S3 contains three files, privateKey.pem, certificateChain.pem and trustedCertificates.pem. Two of which are the same file with different names.

[EDIT after a very long comment thread on certificates]

When you create a self-signed root certificate, all certificates that it signs are also self-signed. A certificate is verified by verifying each certificate up the chain to the root. If the root certificate is untrusted, then all certificates are untrusted.

AWS offers a certificate management service where you can be your own CA. However, this is very expensive. If you are a large company, a bank or financial institution, etc. then this AWS service is very useful.

For Amazon EMR, using a single self-signed certificate is OK. The reasoning is that you are in full control over the systems that are using the certificate. You would not want to use a self-signed certificate if any part of the system is providing public access.

One item that confused the OP is the difference between a trusted certificate and the certificate chain. In his example, since there is only the root certificate and no intermediary certificates, the trusted and chain are the same item. Only if he had created another signing certificate that was used to sign the last certificate would the certificate chain be different (there would be the root certificate and the signing certificate).

Upvotes: 3
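Added example, not code from the question, the answer or the AWS documentation: a POSIX shell script that builds the three-tier setup the answer's last paragraph describes (a root CA, a signing CA issued by it, and the node certificate) with openssl, writes the files under the bundle names EMR expects, and then uses `openssl verify` to show why the trust store and the chain stop being the same file once an intermediate exists. Subjects, lifetimes and extensions are assumed values chosen for illustration; the `.ec2.internal` wildcard is taken from the answer's command.

```shell
#!/bin/sh
# Added example (not from the question or answer): root CA -> signing CA -> node cert,
# assembled into privateKey.pem / certificateChain.pem / trustedCertificates.pem.
# Subjects, lifetimes and extensions below are assumptions for illustration.
set -eu

# Write a minimal X.509 v3 extension file for one of the three certificate roles.
write_ext() {
  case "$1" in
    root) printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' ;;
    ca)   printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' ;;
    node) printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:*.ec2.internal\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid,issuer\n' ;;
  esac > "$2"
}

# Build the PKI inside directory $1 and assemble the three bundle files there.
# Runs in a subshell so the caller's working directory is untouched.
make_emr_cert_bundle() (
  mkdir -p "$1" && cd "$1"

  # Root CA (certificate "A" in the question): self-signed trust anchor.
  # In real use its key stays offline and is only used to sign the signing CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout rootCA.key -out rootCA.csr \
    -subj '/O=MyOrg/CN=MyOrg Root CA'
  write_ext root root.ext
  openssl x509 -req -sha256 -days 3650 -in rootCA.csr -signkey rootCA.key \
    -extfile root.ext -out rootCA.pem

  # Signing (intermediate) CA, issued by the root; this is the extra tier the
  # answer's last paragraph says makes the chain differ from the trust store.
  openssl req -new -newkey rsa:2048 -nodes -keyout signingCA.key -out signingCA.csr \
    -subj '/O=MyOrg/CN=MyOrg Signing CA'
  write_ext ca ca.ext
  openssl x509 -req -sha256 -days 1825 -in signingCA.csr -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -extfile ca.ext -out signingCA.pem

  # Node (leaf) certificate "B", issued by the signing CA. Its key is privateKey.pem,
  # which matches the question's assumption about which private key goes in the bundle.
  openssl req -new -newkey rsa:2048 -nodes -keyout privateKey.pem -out node.csr \
    -subj '/O=MyOrg/CN=*.ec2.internal'
  write_ext node node.ext
  openssl x509 -req -sha256 -days 365 -in node.csr -CA signingCA.pem -CAkey signingCA.key \
    -CAcreateserial -extfile node.ext -out node.pem

  # certificateChain.pem: the node certificate first, followed by every issuer a peer
  # needs in order to walk up to the anchor (here only the signing CA).
  cat node.pem signingCA.pem > certificateChain.pem

  # trustedCertificates.pem: only the trust anchor(s). If the root signed the node
  # certificate directly there would be nothing between them, and this file and the
  # chain would hold the same certificate, which is the case the answer describes.
  cp rootCA.pem trustedCertificates.pem

  # Pack exactly as the answer does (zip is optional here, so a missing binary is not an error):
  # zip -r -X certs.zip privateKey.pem certificateChain.pem trustedCertificates.pem
)

# Peer-side check: the node certificate validates when the trust store supplies the
# root and the chain supplies the intermediate. Returns openssl's exit status (0 = OK).
verify_node_cert() {
  openssl verify -CAfile "$1/trustedCertificates.pem" -untrusted "$1/certificateChain.pem" "$1/node.pem"
}

# Negative check: with only the root in the trust store and no intermediate offered,
# no path from node.pem to the anchor can be built, so openssl verify fails (non-zero).
verify_without_chain() {
  openssl verify -CAfile "$1/trustedCertificates.pem" "$1/node.pem"
}

# Number of PEM certificates in a file; shows how the two bundle files differ in content.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Typical run (uncomment to execute directly):
# make_emr_cert_bundle ./emr-certs && verify_node_cert ./emr-certs
```

`verify_node_cert` passes because `trustedCertificates.pem` names the anchor and `certificateChain.pem` carries the signing CA needed to reach it; `verify_without_chain` fails with an "unable to get local issuer certificate" style error, which is the symptom a node would see if the chain file held only the root. Collapse the script to a root that signs the node certificate directly and both bundle files end up containing the same single certificate, matching the AWS one-command setup quoted in the answer.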
