
Create an AWS Private CA Connector

This feature is in Preview

This feature is currently available as a Preview and is not yet generally available (GA). Functionality and behavior may change before GA.

AWS Private CA is an AWS service that streamlines the procurement and management of SSL/TLS certificates. CyberArk has partnered with AWS so that you can quickly and easily request and renew certificates from it.

Before you begin

You need the following to complete this procedure:

  • An AWS account.
  • Your AWS access key ID.
  • Your AWS secret access key.
  • At least one active VSatellite to provision certificates to AWS.
  • CyberArk permissions for AWS IAM: you must attach the IAM policy in the following JSON document to the CyberArk Certificate Manager - SaaS AWS Integration IAM Role in your AWS account:

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Effect":"Allow",
            "Action":[
                "acm:ListCertificates",
                "acm:GetCertificate",
                "acm:RequestCertificate",
                "acm:ExportCertificate",
                "s3:GetObject",
                "acm-pca:CreateCertificateAuthorityAuditReport",
                "acm-pca:ListCertificateAuthorities",
                "acm-pca:GetCertificateAuthorityCertificate",
                "acm-pca:GetCertificate",
                "acm-pca:IssueCertificate",
                "acm-pca:RevokeCertificate"
            ],
            "Resource":"*"
        }
    ]
}
For more information, refer to Configure AWS Connection.
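Before attaching the role policy above, it is worth checking it against the actions the connector actually needs and, where IAM allows it, narrowing Resource from "*" to the Private CA the connector will use. The following script is an added example (not CyberArk's or AWS's own code): it embeds the policy document from this page, verifies that every listed action is granted, flags statements that still use Resource "*", and produces a variant in which the acm-pca actions that operate on a specific CA are limited to one PCA ARN. The ARN shown is a constructed placeholder; the assumption that acm-pca:ListCertificateAuthorities must remain on "*" reflects IAM's treatment of list operations, and the acm and s3 actions are left with their original Resource.

```python
"""Sanity-check the connector's IAM policy and scope the Private CA actions.

Added example, not CyberArk's or AWS's code. It embeds the policy document
from this page, verifies that every action the connector needs is granted,
flags statements that still use Resource "*", and builds a variant in which
the acm-pca actions that act on a specific CA are limited to one PCA ARN.
"""
import json

# Every action in the policy document shown on this page.
REQUIRED_ACTIONS = frozenset({
    "acm:ListCertificates",
    "acm:GetCertificate",
    "acm:RequestCertificate",
    "acm:ExportCertificate",
    "s3:GetObject",
    "acm-pca:CreateCertificateAuthorityAuditReport",
    "acm-pca:ListCertificateAuthorities",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:GetCertificate",
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
})

# acm-pca actions that accept a certificate-authority ARN as their resource.
# ListCertificateAuthorities is a list operation and must stay on "*".
CA_SCOPED_PCA_ACTIONS = frozenset({
    "acm-pca:CreateCertificateAuthorityAuditReport",
    "acm-pca:GetCertificateAuthorityCertificate",
    "acm-pca:GetCertificate",
    "acm-pca:IssueCertificate",
    "acm-pca:RevokeCertificate",
})

# The policy document from this page, embedded so the script runs offline.
CONNECTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "acm:ListCertificates",
                "acm:GetCertificate",
                "acm:RequestCertificate",
                "acm:ExportCertificate",
                "s3:GetObject",
                "acm-pca:CreateCertificateAuthorityAuditReport",
                "acm-pca:ListCertificateAuthorities",
                "acm-pca:GetCertificateAuthorityCertificate",
                "acm-pca:GetCertificate",
                "acm-pca:IssueCertificate",
                "acm-pca:RevokeCertificate",
            ],
            "Resource": "*",
        }
    ],
}

# Placeholder CA ARN (constructed, not a real CA); use the PCA ARN you enter
# when creating the connector.
PCA_ARN_PLACEHOLDER = ("arn:aws:acm-pca:us-east-1:111122223333:"
                       "certificate-authority/00000000-0000-0000-0000-000000000000")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def granted_actions(policy):
    """Actions granted by the Allow statements of an IAM policy document."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action", [])))
    return granted


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant; empty means the role is complete."""
    return set(required) - granted_actions(policy)


def wildcard_statements(policy):
    """Indexes of Allow statements whose Resource includes '*'."""
    return [
        i for i, stmt in enumerate(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
    ]


def scope_pca_actions(policy, pca_arn):
    """Copy of the policy with CA-scoped acm-pca actions limited to pca_arn.

    Each statement is split in two: actions that cannot take a CA ARN keep
    their original Resource; the rest move to a statement bound to pca_arn.
    """
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        on_ca = [a for a in actions if a in CA_SCOPED_PCA_ACTIONS]
        other = [a for a in actions if a not in CA_SCOPED_PCA_ACTIONS]
        if other:
            scoped["Statement"].append({**stmt, "Action": other})
        if on_ca:
            scoped["Statement"].append({**stmt, "Action": on_ca, "Resource": pca_arn})
    return scoped


if __name__ == "__main__":
    print("missing actions:", sorted(missing_actions(CONNECTOR_POLICY)) or "none")
    print("statements with Resource '*':", wildcard_statements(CONNECTOR_POLICY))
    print(json.dumps(scope_pca_actions(CONNECTOR_POLICY, PCA_ARN_PLACEHOLDER), indent=4))
```

Run it after pasting the policy your role actually carries into CONNECTOR_POLICY: an empty "missing actions" list confirms the connector's Test Access step will not fail for lack of a permission, and the scoped output is a starting point for a role that can only issue and revoke against the CA named in the connector.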

  1. Sign in to Certificate Manager - SaaS.
  2. Click Integrations > Certificate Authorities.
  3. Click New > AWS.
  4. Enter a Name.
  5. Select a VSatellite.
  6. Select AWS Private CA Connector from the certificate authority type drop-down.
  7. Click Next.
  8. Select an AWS Region.
  9. Enter the PCA ARN. This is the ARN of the Private CA you selected in AWS Certificate Manager.
  10. Enter the AWS Access Key.
  11. Enter the AWS Secret Key.

    Note

    The AWS Access Key and AWS Secret Key authenticate and authorize requests to AWS. These credentials uniquely identify the AWS user or role and verify their permissions to perform actions through the AWS API. They're essential for secure communication and automation between CyberArk and AWS.

  12. Click Test Access, then click Next.

  13. (Optional) In Product Options, select the certificate authority products to map to certificate issuing templates (CITs).
    a. Click Add.
  14. (Optional) Enable one of the following Import options.
    • Include revoked certificates
    • Include expired certificates
  15. (Optional) Enable Scheduled import.
  16. Click Create.

What's next

This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.