How can I create a certificate revocation list (CRL) for my ACM PCA?

Last updated: 2022-06-20

I'm trying to create a certificate revocation list (CRL) for my AWS Certificate Manager (ACM) private certificate authority (CA). How can I do this?

Short description

ACM Private CA places the CRL into an Amazon Simple Storage Service (Amazon S3) bucket that you designate for use. Your Amazon S3 bucket must be secured by an attached permissions policy. Authorized users and service principals require Put permission to allow ACM Private CA to place objects in the bucket, and Get permission to retrieve them.

For more information, see Access policies for CRLs in Amazon S3.

Resolution

Follow these instructions to create an Amazon S3 bucket and an Amazon CloudFront distribution, and then configure the CA to publish its CRL to that bucket.

Note:

Step 1: Create a new Amazon S3 bucket with Block Public Access (BPA) settings enabled

1.    Open the Amazon S3 console, and then choose Create bucket.

2.    In Bucket name, enter a name for your bucket.

3.    In Object Ownership, choose ACLs enabled, and then choose Create bucket.

4.    In Buckets, choose the bucket that you created in step 3.

5.    Choose the Permissions tab.

6.    In Bucket policy, choose Edit.

7.    In Policy, copy and paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "acm-pca.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-crl-storage-bucket/*",
        "arn:aws:s3:::your-crl-storage-bucket"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account",
          "aws:SourceArn": "arn:partition:acm-pca:region:account:certificate-authority/CA_ID"
        }
      }
    }
  ]
}

Note: Replace the S3 bucket name, account ID, and ACM Private CA ARN with your own values.

8.    Choose Save changes.

For more information, see Creating a bucket.
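As an added check (example code, not from this page or from AWS), the following Python function audits a CRL bucket policy against the statement in step 7: it confirms that the acm-pca.amazonaws.com service principal is granted only the four required actions on exactly the CRL bucket and its objects, and that both aws:SourceAccount and aws:SourceArn are present and match your values. Without those two condition keys, a request made through the ACM Private CA service on behalf of a CA in any account could write into the bucket. The bucket name, account ID and CA ARN below are constructed placeholders.

```python
import json

# Permissions ACM Private CA needs on the CRL bucket (the actions in the Step 1 policy).
REQUIRED_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:GetBucketAcl", "s3:GetBucketLocation"}
# Condition keys that pin the grant to one CA in one account (confused-deputy protection).
REQUIRED_CONDITION_KEYS = {"aws:SourceAccount", "aws:SourceArn"}


def _as_set(value):
    # IAM allows a single string or a list for Action and Resource; normalise both.
    return set(value if isinstance(value, list) else [value])


def check_crl_bucket_policy(policy_json, bucket, account, ca_arn):
    """Return findings for the acm-pca statement of a CRL bucket policy; [] means it matches Step 1."""
    policy = json.loads(policy_json)
    stmts = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
             and isinstance(s.get("Principal"), dict)
             and s["Principal"].get("Service") == "acm-pca.amazonaws.com"]
    if not stmts:
        return ["no Allow statement for service principal acm-pca.amazonaws.com"]
    findings = []
    for stmt in stmts:
        actions = _as_set(stmt.get("Action", []))
        if "*" in actions or "s3:*" in actions:
            findings.append("wildcard action grants far more than CRL publishing needs")
        if REQUIRED_ACTIONS - actions:
            findings.append("missing actions: " + ", ".join(sorted(REQUIRED_ACTIONS - actions)))
        if actions - REQUIRED_ACTIONS:
            findings.append("extra actions: " + ", ".join(sorted(actions - REQUIRED_ACTIONS)))
        expected = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
        if _as_set(stmt.get("Resource", [])) != expected:
            findings.append("Resource must be exactly the CRL bucket and its objects")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        for key in sorted(REQUIRED_CONDITION_KEYS - set(cond)):
            findings.append(f"missing {key}: any CA in any account could write to this bucket")
        if cond.get("aws:SourceAccount", account) != account:
            findings.append("aws:SourceAccount does not match the expected account")
        if cond.get("aws:SourceArn", ca_arn) != ca_arn:
            findings.append("aws:SourceArn does not match the expected CA ARN")
    return findings


# Constructed sample values (placeholders, not a real account or CA).
BUCKET, ACCOUNT = "your-crl-storage-bucket", "111122223333"
CA_ARN = f"arn:aws:acm-pca:us-east-1:{ACCOUNT}:certificate-authority/CA_ID"
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "acm-pca.amazonaws.com"},
    "Action": sorted(REQUIRED_ACTIONS),
    "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    "Condition": {"StringEquals": {"aws:SourceAccount": ACCOUNT, "aws:SourceArn": CA_ARN}}}]})

if __name__ == "__main__":
    print(check_crl_bucket_policy(GOOD_POLICY, BUCKET, ACCOUNT, CA_ARN) or "policy OK")
```

Run it against the policy you actually attached (for example, the output of the S3 console's policy editor pasted into a file) rather than only the constructed sample.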

Step 2: Create a CloudFront distribution

1.    Open the CloudFront console, and then choose Create Distribution.

2.    In Origin domain, enter the name of the bucket that you created in the previous steps.

3.    In S3 bucket access, choose Yes use OAI (bucket can restrict access to only CloudFront).

4.    In Origin access identity, choose Create new OAI, and then choose Create.

5.    Choose Create distribution.

For more information, see Creating a distribution.

Step 3: Configure your CA with CRL

1.    Create the CA using the AWS CLI command create-certificate-authority, similar to the following:

$ aws acm-pca create-certificate-authority --certificate-authority-configuration "KeyAlgorithm=RSA_2048,SigningAlgorithm=SHA256WITHRSA,Subject={CommonName=s3-bpa}" --certificate-authority-type "ROOT" --revocation-configuration "CrlConfiguration={Enabled=true,S3BucketName=examplebucket,ExpirationInDays=7,S3ObjectAcl=BUCKET_OWNER_FULL_CONTROL}" --region us-east-1

Alternatively, you can load the revocation configuration from a file by passing --revocation-configuration file://revoke_config.txt. The revoke_config.txt file contains revocation information similar to the following:

{
  "CrlConfiguration": {
    "Enabled": true,
    "ExpirationInDays": integer,
    "S3BucketName": "string",
    "S3ObjectAcl": "BUCKET_OWNER_FULL_CONTROL"
  }
}

Note: If you configured your CRL using the AWS Management Console, you might receive a "ValidationException" error. Repeat step 1 to update the CA revocation configuration using the AWS CLI.

(Optional) Step 4: Encrypt your CRL

You can configure automatic or custom encryption on the Amazon S3 bucket containing your CRLs. For instructions, see Encrypting your CRLs.