AWS Certificate Manager Integration

Introduction

This section refers to the AWS Certificate Manager (ACM) integration with Horizon, used to enroll certificates held in ACM.

This integration involves at least two infrastructure components:

  • AWS Certificate Manager

  • EverTrust Horizon

AWS Connector

This section describes how to manage the AWS Connector.

Required By

Prerequisites

On the Horizon side, you may need to set up a Proxy if one is required to reach AWS.

On the AWS side, you need to create a user with the AWS IAM module, following the AWS guide. Create an access key for that user and grant it the appropriate permissions. The created user should hold the following permissions:

  • AWSResourceGroupsReadOnlyAccess

  • ResourceGroupsandTagEditorReadOnlyAccess

  • AWSCertificateManagerFullAccess

After performing these steps, you will get the following information, required later:

  • the AWS Region

  • the User Access Key ID

  • the User Access Key Secret

On top of that, you need to define a Resource Group, using AWS Resource Groups and Tags Editor, with the following characteristics:

  • Group Type: Tag based

  • Resource Type: AWS::CertificateManager::Certificate

  • Tag key and value (e.g. key=manage and value=HRZ)

After performing these steps, you will get the following information, required later:

  • The Resource Group name

  • the Tag name

  • the Tag value
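The AWS-side prerequisites above (IAM user, managed policies, access key, tag-based resource group) can be scripted with the AWS CLI. This is an added example, not EverTrust's own tooling: the user and group names are assumptions, the tag key/value follow the page's example, and commands are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example, not part of the Horizon documentation or product.
# USER_NAME and GROUP_NAME are assumed names; override them via the environment.
set -eu

USER_NAME="${USER_NAME:-horizon-acm}"          # assumed IAM user name
GROUP_NAME="${GROUP_NAME:-horizon-acm-certs}"  # assumed resource group name
TAG_KEY="${TAG_KEY:-manage}"                   # tag key from the page's example
TAG_VALUE="${TAG_VALUE:-HRZ}"                  # tag value from the page's example
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print commands only

# ARNs of the three AWS managed policies the connector user must hold.
policy_arns() {
  for p in AWSResourceGroupsReadOnlyAccess \
           ResourceGroupsandTagEditorReadOnlyAccess \
           AWSCertificateManagerFullAccess; do
    echo "arn:aws:iam::aws:policy/$p"
  done
}

# Tag-based resource query (TAG_FILTERS_1_0 format) restricted to ACM
# certificates carrying the given tag key and value.
resource_query() {
  printf '{"Type":"TAG_FILTERS_1_0","Query":"{\\"ResourceTypeFilters\\":[\\"AWS::CertificateManager::Certificate\\"],\\"TagFilters\\":[{\\"Key\\":\\"%s\\",\\"Values\\":[\\"%s\\"]}]}"}' "$1" "$2"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

run aws iam create-user --user-name "$USER_NAME"
for arn in $(policy_arns); do
  run aws iam attach-user-policy --user-name "$USER_NAME" --policy-arn "$arn"
done
# The output contains AccessKeyId and SecretAccessKey: record both for the
# connector configuration and store the secret only in a secrets manager.
run aws iam create-access-key --user-name "$USER_NAME"
# Resource group whose query matches only Horizon-tagged ACM certificates.
run aws resource-groups create-group --name "$GROUP_NAME" \
  --resource-query "$(resource_query "$TAG_KEY" "$TAG_VALUE")"
```

The Region, Access Key ID, Access Key Secret, resource group name and tag key/value produced here are the values the connector form asks for.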

How to configure AWS Connector

1. Log in to Horizon Administration Interface.

2. Access AWS Connectors from the drawer or card: Third Parties > AWS > Connectors.

3. Click on Add Connector.

4. Fill the mandatory fields.

Connection

  • Name* (string input):
    Enter a meaningful connector name. It must be unique for each connector. Horizon uses the name to identify the connector.

  • Region* (string input):
    Enter a valid AWS region. Here’s the region list from AWS.

  • Access key ID (string input):
    User Access Key ID used by Horizon to connect to AWS.

  • Access Key Secret (string input):
    Access Key Secret associated to the aforementioned User Access Key ID.

  • Proxy (select):
    The HTTP/HTTPS proxy to use to reach AWS, if any.

  • Timeout* (finite duration):
    The timeout for Horizon-initiated connections to AWS. Must be a valid finite duration.

Assets identification

  • Resource group name (string input):
    Name of the resource group whose tag-based query matches the tag key and value below.

  • Tag key (string input):
    Name of the tag used to identify certificates managed by Horizon in ACM.

  • Tag value (string input):
    Value of the tag used to identify certificates managed by Horizon in ACM.

Actors and renewal management

  • Throttle duration* (finite duration):
    Set to 3 seconds by default. Must be a valid finite duration.

  • Renewal period (finite duration):
    Certificate renewal period (time before expiration at which renewal is triggered). Must be a valid finite duration.

5. Click on the save button.

You can edit the AWS Connector with Edit Connector or delete it with Delete Connector.

You won’t be able to delete an AWS Connector if it is referenced somewhere else.

AWS Trigger

This section describes how to manage the Triggers that WebRA Profiles use to push certificates to, or delete them from, AWS ACM.

Prerequisites

How to configure AWS Trigger

1. Log in to Horizon Administration Interface.

2. Access AWS Triggers from the drawer or card: Third Parties > AWS > Triggers.

3. Click on Add Trigger.

4. Fill the mandatory fields.

  • Name* (string input):
    Enter a meaningful trigger name. It must be unique for each trigger. Horizon uses the name to identify the trigger.

  • AWS Connector* (select):
    Select an AWS connector previously created.

  • Retries in case of error (int):
    Number of times Horizon retries pushing the change to AWS if an error occurs. Must be an integer between 1 and 15.

5. Click on the save button.

You can edit the AWS Trigger with Edit Trigger or delete it with Delete Trigger.

You won’t be able to delete an AWS Trigger if it is referenced somewhere else.

Integration of the third party to the WebRA

Once the connector is configured, the lifecycle of its elements can be automated using the WebRA.

Automation using triggers

Triggers are a WebRA functionality that pushes lifecycle events to a third party whenever they occur on a WebRA profile.

1. Refer to the trigger documentation to create a trigger.

2. Create or modify the WebRA profile you wish to use the triggers on.

3. Go to the Triggers tab, then to Certificate lifecycle triggers.

4. Choose which lifecycle events should fire triggers (enrollment, revocation, expiration).

5. Select one or more existing triggers from the menu (if several are selected, they will all be called whenever the selected event occurs).

6. Click on the Save button.

From now on, whenever a selected lifecycle event occurs on the configured WebRA profile, the trigger is called and the certificate is pushed into or removed from the third party container.

Automation using scheduled tasks

Scheduled tasks are a WebRA functionality that periodically synchronizes automatic renewal or revocation events with a third party, based on what occurs on a WebRA profile. Specifically, a scheduled task periodically checks whether a certificate has entered the "renewal period" defined in the connector’s configuration and renews it automatically if necessary.

1. Refer to the third party connector documentation to create a third party connector.

2. Ensure you have an existing WebRA profile: renewal will be automated on the selected profile.

3. Follow the documentation of the WebRA scheduled tasks section to properly configure a scheduled task.