AWS PKI
Prerequisites
- You need to create a user using AWS IAM, and give it the AWSCertificateManagerPrivateCAUser right.
- You need to retrieve the Private CA ARN from the ACM Private CA console.

Refer to the editor's documentation to configure the PKI side.
Create the PKI connector
1. Log in to Horizon Administration Interface.
2. Access PKI from the drawer or card.
3. Click on .
4. Select the correct PKI type.
5. Click on the next button.
General tab
6. Fill in the common mandatory fields:
- Connector Name* (string input): Choose a meaningful connector name that identifies the mapping between the PKI and the Certificate Profile. It must be unique and must not contain spaces.
- Proxy (string select): If the PKI is not directly reachable from Horizon, you can set up an HTTP/HTTPS proxy to properly forward the traffic.
- PKI Queue (string select): The PKI Queue used to manage the PKI requests (enrollment, revocation).
- Timeout (finite duration): A predefined interval of time without a PKI response after which Horizon stops trying to establish the communication. Must be a valid finite duration.
7. Click on the next button.
Details tab
8. Fill in all mandatory fields:
- AWS Region* (string input): AWS region to use.
- AWS PCA ARN* (string input): Amazon Resource Name (ARN) is a file naming convention used to identify a particular resource in the AWS public cloud. To be retrieved from the AWS ACM console.
- AWS PCA Template ARN (string input): A template is a declaration of the AWS resources that make up a stack. The default value is set to: arn:aws:acm-pca:::template/EndEntityCertificate/V1.
- AWS PCA Role ARN (string input)
- Certificate Policy OID (string input): An identifying number, in the form of an "object identifier", that is included in the certificatePolicies field of a certificate.
- Certificate signing hash (select): Select the hash function that will be used.
- Certificate Usage (select): Select the certificate usage.
- Number of valid days (finite duration): Certificate validity duration in days. Must be a valid finite duration. The default value is set to 365 days.
- Retry Interval (finite duration): Predefined interval of time before retrying to retrieve the certificate from AWS. Must be a valid finite duration. The default value is set to 3 seconds.
9. Click on the next button.
Authentication tab
10. Fill in the PKI-authentication fields:
- AWS user access key ID (string input): See AWS Account and Access Keys.
- AWS user secret key (string input): Must be set if and only if AWS user access key ID is set.
11. Click on the save button.
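As an added example (not Horizon's own code), the following Python shows how the Details-tab fields above map onto the ACM Private CA API calls such a connector has to make, and why a Retry Interval exists: issuance is asynchronous, so GetCertificate must be polled. It assumes a boto3 "acm-pca" client is passed in; FakePcaClient is a constructed offline stand-in with the same call shapes, and the signing-hash table assumes an RSA-keyed CA.

```python
import time
from typing import Any, Dict
# Connector "Certificate signing hash" choices mapped to the SigningAlgorithm
# values ACM PCA accepts (assumes an RSA-keyed CA).
SIGNING_ALGORITHMS = {"SHA256": "SHA256WITHRSA", "SHA384": "SHA384WITHRSA", "SHA512": "SHA512WITHRSA"}
DEFAULT_TEMPLATE_ARN = "arn:aws:acm-pca:::template/EndEntityCertificate/V1"

def build_issue_request(ca_arn: str, csr_der: bytes, signing_hash: str = "SHA256",
                        valid_days: int = 365, template_arn: str = DEFAULT_TEMPLATE_ARN) -> Dict[str, Any]:
    """Translate the connector's Details-tab fields into IssueCertificate parameters."""
    if signing_hash not in SIGNING_ALGORITHMS:
        raise ValueError(f"unsupported signing hash: {signing_hash}")
    if valid_days <= 0:
        raise ValueError("validity must be a positive number of days")
    return {"CertificateAuthorityArn": ca_arn, "Csr": csr_der,
            "SigningAlgorithm": SIGNING_ALGORITHMS[signing_hash], "TemplateArn": template_arn,
            "Validity": {"Type": "DAYS", "Value": valid_days}}

def enroll(client, ca_arn: str, csr_der: bytes, retry_interval: float = 3.0,
           max_attempts: int = 10, **fields) -> str:
    """Issue a certificate, then poll GetCertificate until the CA has signed it.
    ACM PCA issues asynchronously: GetCertificate raises RequestInProgressException
    until the certificate exists; the connector's Retry Interval is this wait."""
    cert_arn = client.issue_certificate(**build_issue_request(ca_arn, csr_der, **fields))["CertificateArn"]
    for attempt in range(1, max_attempts + 1):
        try:
            return client.get_certificate(CertificateAuthorityArn=ca_arn, CertificateArn=cert_arn)["Certificate"]
        except client.exceptions.RequestInProgressException:
            if attempt < max_attempts:
                time.sleep(retry_interval)
    raise TimeoutError(f"{cert_arn} still not issued after {max_attempts} attempts")

class FakePcaClient:
    """Constructed offline stand-in for boto3.client('acm-pca'): same call shapes, no network."""
    class exceptions:  # botocore exposes modeled errors under client.exceptions
        class RequestInProgressException(Exception):
            pass
    def __init__(self, pending_polls: int):
        self.pending_polls, self.polls, self.last_request = pending_polls, 0, None

    def issue_certificate(self, **request):
        self.last_request = request
        return {"CertificateArn": request["CertificateAuthorityArn"] + "/certificate/EXAMPLE"}

    def get_certificate(self, **_):
        self.polls += 1
        if self.polls <= self.pending_polls:
            raise self.exceptions.RequestInProgressException("still issuing")
        return {"Certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----"}
```

With a real client (boto3.client("acm-pca", region_name=...)) the same enroll() call runs against the CA identified by the AWS PCA ARN; the hypothetical placeholder ARNs here are constructed for the offline run.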
You can edit, duplicate or delete the AWS PKI connector.