lalit

Reputation: 55

How to access certificate details and private key from AWS certificate manager in java to build SSLContext?

I am getting the certificate from this code but not the private key.

  import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
  import com.amazonaws.regions.Regions;
  import com.amazonaws.services.certificatemanager.AWSCertificateManager;
  import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;
  import com.amazonaws.services.certificatemanager.model.GetCertificateRequest;
  import com.amazonaws.services.certificatemanager.model.GetCertificateResult;
  import com.amazonaws.services.certificatemanager.model.InvalidArnException;
  import com.amazonaws.services.certificatemanager.model.RequestInProgressException;
  import com.amazonaws.services.certificatemanager.model.ResourceNotFoundException;

  AWSCertificateManager client = AWSCertificateManagerClientBuilder.standard()
              .withRegion(Regions.#####)
              .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
              .build();
  GetCertificateRequest req = new GetCertificateRequest();
  req.setCertificateArn("################################");

  // Retrieve the certificate and certificate chain.
  // If you recently requested the certificate, loop until it has been created.
  GetCertificateResult result = null;
  String certificate = null;       // PEM-encoded leaf certificate
  String certificateChain = null;  // PEM-encoded issuing chain
  long totalTimeout = 120000L;
  long timeSlept = 0L;
  long sleepInterval = 10000L;
  while (result == null && timeSlept < totalTimeout) {
     try {
        result = client.getCertificate(req);
        // GetCertificate returns only the public certificate and its chain;
        // the private key is never part of this response.
        certificate = result.getCertificate();
        certificateChain = result.getCertificateChain();
     }
     catch (RequestInProgressException ex) {
        // Thread.sleep throws the checked InterruptedException, so handle it here.
        try {
           Thread.sleep(sleepInterval);
        } catch (InterruptedException ie) {
           Thread.currentThread().interrupt();
           throw new RuntimeException("Interrupted while waiting for the certificate", ie);
        }
     }
     catch (ResourceNotFoundException | InvalidArnException ex) {
        throw ex;
     }

     timeSlept += sleepInterval;
  }

Upvotes: 0

Views: 1189

Answers (1)

Azize

Reputation: 4476

AWS Certificate Manager has two main options, Certificates and Private CA.

Free public certificates for ACM-integrated services

With AWS Certificate Manager, there is no additional charge for provisioning public or private SSL/TLS certificates you use with ACM-integrated services, such as Elastic Load Balancing and API Gateway. You pay for the AWS resources you create to run your application. For private certificates, ACM Private CA provides you the ability to pay monthly for the service and certificates you create. You pay less per certificate as you create more private certificates.

So basically, Certificates are managed by AWS and integrate with other AWS services. In this option you can't use the certificate with non-AWS resources, so you can't have access to the certificate's private key.

With Private CA, AWS manages a CA for you. You can create certificates, and in this case you have full access to the certificate, even the private key. It does not integrate with other AWS services.

If you want to get the certificate to use inside your instance, like Apache or Nginx, the best approach would be to have an ALB in front of your instances. The ALB will use a public certificate from ACM.

After this point you can decide if you want to have encryption between ALB and your instance or not.
If you want to have end-to-end encryption, you can use a self-signed certificate as ALB doesn't validate it, or you can use one certificate from ACM Private CA.

Upvotes: 1
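A worked example of the path this answer points to, added here as an illustration (it is not code from the question, from the answer, or from AWS): exporting a certificate issued by ACM Private CA together with its passphrase-protected private key, and loading both into a Java `SSLContext`. It assumes the AWS SDK for Java v1 used in the question, BouncyCastle's `bcpkix` on the classpath for decrypting the PKCS#8 PEM that ACM returns, and that the region name, certificate ARN and export passphrase are supplied by the caller; the class name `AcmSslContextBuilder` and its methods are mine.

```java
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.certificatemanager.AWSCertificateManager;
import com.amazonaws.services.certificatemanager.AWSCertificateManagerClientBuilder;
import com.amazonaws.services.certificatemanager.model.ExportCertificateRequest;
import com.amazonaws.services.certificatemanager.model.ExportCertificateResult;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collection;

// Hypothetical helper class (not from the question, the answer or AWS).
public class AcmSslContextBuilder {

    /** Export a Private CA-issued certificate from ACM and build an SSLContext from it. */
    public static SSLContext fromAcmPrivateCa(Regions region, String certificateArn, char[] passphrase)
            throws Exception {
        AWSCertificateManager acm = AWSCertificateManagerClientBuilder.standard()
                .withRegion(region)
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();

        // ExportCertificate is only allowed for certificates issued by ACM Private CA;
        // for a public ACM certificate this call fails, matching the answer above.
        // ACM encrypts the returned private key (PKCS#8 PEM) with this passphrase.
        byte[] passBytes = new String(passphrase).getBytes(StandardCharsets.UTF_8);
        ExportCertificateResult exported;
        try {
            exported = acm.exportCertificate(new ExportCertificateRequest()
                    .withCertificateArn(certificateArn)
                    .withPassphrase(ByteBuffer.wrap(passBytes)));
        } finally {
            Arrays.fill(passBytes, (byte) 0);  // do not leave the passphrase lying around
        }

        PrivateKey key = decryptPkcs8Pem(exported.getPrivateKey(), passphrase);
        // Leaf certificate first, then the issuing chain, which is the order a KeyStore expects.
        Certificate[] chain = parsePemCertificates(
                exported.getCertificate() + "\n" + exported.getCertificateChain());
        return buildSslContext(key, chain, passphrase);
    }

    /** Decrypt the passphrase-protected PKCS#8 PEM that ExportCertificate returns. */
    static PrivateKey decryptPkcs8Pem(String pem, char[] passphrase) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        try (PEMParser parser = new PEMParser(new StringReader(pem))) {
            Object obj = parser.readObject();
            JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
            if (obj instanceof PKCS8EncryptedPrivateKeyInfo) {
                PrivateKeyInfo info = ((PKCS8EncryptedPrivateKeyInfo) obj).decryptPrivateKeyInfo(
                        new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider("BC").build(passphrase));
                return converter.getPrivateKey(info);
            }
            if (obj instanceof PrivateKeyInfo) {  // tolerate an unencrypted PKCS#8 key
                return converter.getPrivateKey((PrivateKeyInfo) obj);
            }
            throw new IllegalArgumentException("Unexpected PEM content: " + obj);
        }
    }

    /** Parse one or more concatenated PEM certificates into a chain array. */
    static Certificate[] parsePemCertificates(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs =
                cf.generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        return certs.toArray(new Certificate[0]);
    }

    /** Put key and chain into an in-memory PKCS12 keystore and initialise an SSLContext with it. */
    static SSLContext buildSslContext(PrivateKey key, Certificate[] chain, char[] passphrase) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);  // empty in-memory store, nothing is written to disk
        ks.setKeyEntry("acm-server", key, passphrase, chain);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, passphrase);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), null, null);  // default trust managers, secure random
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholders: region name, certificate ARN and export passphrase are passed by the caller.
        char[] passphrase = args[2].toCharArray();
        SSLContext ctx = fromAcmPrivateCa(Regions.fromName(args[0]), args[1], passphrase);
        Arrays.fill(passphrase, '\0');
        System.out.println("Built " + ctx.getProtocol() + " context from " + args[1]);
    }
}
```

The caller's IAM principal needs `acm:ExportCertificate` on that certificate ARN (and nothing broader); keeping the keystore in memory and zeroing the passphrase buffers limits how long the exported key material is exposed on the instance.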
