Your team is working on a new Internet of Things (IoT) application.
The IoT devices need to prove their identity and establish encrypted communications channels between each other. You want to create a private Certificate Authority (CA) so that you can create certificates with any subject name and expiration date you want. How would you quickly implement this using the AWS Certificate Manager?
A. B. C. D.
Answer: B.
Option A is incorrect because you can directly create and manage a new private CA through ACM.
OpenSSL is not required.
Also, you cannot import a new private CA to ACM.
Option B is CORRECT because you can create a private CA using the ACM console.
After filling in all the required information, such as the CA subject name and key algorithm, you can fully manage the private CA.
Option C is incorrect because you do not need to generate a private key for the CA yourself and import it to ACM.
Option D is incorrect because Amazon ACM helps to manage the internal process to create a private CA.
No steps are required to create a private key or a CSR through ACM.
ACM Private Certificate Authority (CA) is a feature to create an entirely AWS-hosted private certificate authority (CA) for internal use.
ACM can manage both the root CA certificate and any subordinate CA certificates.
Details can be found in.
Reference:
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
Option A is incorrect because while OpenSSL can be used to generate a key for the private Certificate Authority, it is not necessary to create a certificate signing request and self-sign the certificate. This approach is also not compatible with AWS Certificate Manager.
Option B is also incorrect because while AWS Certificate Manager can be used to create a private Certificate Authority, it does not allow for the creation of a root CA to establish a new CA hierarchy. AWS Certificate Manager only supports subordinate CAs.
Option C is the correct answer. To implement a private Certificate Authority quickly using AWS Certificate Manager, the following steps can be taken:
Option D is incorrect because while it is possible to create a new private key and certificate signing request (CSR) for the private Certificate Authority in Amazon ACM, generating new self-signed certificates for the private CA is not necessary. Instead, the private Certificate Authority can be generated using AWS CLI create-certificate-authority command.
In summary, option C is the correct answer because it outlines the correct steps to quickly implement a private Certificate Authority using AWS Certificate Manager.