You can handle certificate events with the DynamoDb table hosted in your AWS environment. This method has additional costs but also improved performance: AWS will charge for the DynamoDb service and all of the traffic to and from CA Gateway. With this cost, however, comes increased speed and scalability.

Our testing found that, in the worst case, DynamoDb performs evenly with the AWS Audit Report method. Still, as the number of events in the CA grows, DynamoDb performs significantly faster than the AWS Audit Report method. The improvement is particularly evident when the number of requested events is small compared to the total number of events in the CA. DynamoDb also uses no additional memory in CA Gateway.

When a certificate is issued or revoked by an ACM Private CA:

  1. Amazon CloudTrail logs an IssueCertificate or RevokeCertificate event.
  2. An Amazon EventBridge rule triggers an AWS Lambda function.
  3. The lambda function receives the event data and extracts the relevant details to create a record.
  4. The lambda function saves the record in the DynamoDb table where CA Gateway queries certificate events.

See the following sections for how to configure this method in AWS and CA Gateway.

Creating the AWS DynamoDb table

Create an AWS DynamoDb table for storing the certificate events.

To create an AWS DynamoDb table

  1. Search for DynamoDB in the search box at the top of the AWS Management Console.
  2. Navigate to the main page of the DynamoDB service. 
  3. Select Create table.
  4. Provide a table name. You will later add the selected name in Creating the AWS Lambda function and Configuring the AWS DynamoDB table in CA Gateway. The Lambda script provided by Entrust uses the certificate-events default table name.
  5. Under Partition key, enter certificate_authority_arn for the primary key and select String for the type (default value).
  6. Check Add sort key.
  7. In the resulting text box, enter time  and select String for the type (default value).
  8. In the Table settings section, do not uncheck Use default settings (checked by default) unless you know what you’re doing and would like to change these settings for your own needs.
  9. Review the configured settings:
    • The partition key must be certificate_authority_arn .
    • The sort key must be time .
    • The table name is up to you. 
  10. Click Create to create the table.

Creating the AWS Lambda function

Create a Lambda function for storing certificate event records in the AWS DynamoDb table.

To create the Lambda function

  1. Search for Lambda in the search box at the top of the AWS Management Console.
  2. Navigate to the main page of the Lambda service.
  3. Select Create function.
  4. Select Use a blueprint.
  5. Search for microservice-http-endpoint-python In the Blueprints search box.
  6. Select the microservice-http-endpoint-python blueprint.
  7. Click Configure.
  8. In the resulting page, provide a function name.
  9. In Execution role, select Create a new role from AWS policy templates.
  10. Provide a name for the role.
  11. Under Policy templates, select Simple microservice permissions: DynamoDB.
  12. In the API Gateway trigger section under API, select Create an API.
  13. For API type, select REST API.
  14. For security, select IAM.
  15. Click Create function.
  16. Review the performed steps. For example, after selecting the save-certificate-event-record-in-dynamodb name for the Lambda function, you should go to a page like the following.

Configuring the AWS Lambda function

Configure the Lambda function previously created in Creating the AWS Lambda function .

To configure the Lambda function

  1. Copy the contents of the dynamo-db-lambda.py file provided with the AWS CA Gateway plugin artifact.
  2. Paste the contents under the Code source tab to replace the dynamo-db-lambda.py contents.

  3. Assign to the TABLE_NAME variable the name of the DynamoDB table created earlier. For example: 

    TABLE_NAME = "certificate-events”

    Be careful if you choose to edit the Lambda code in any other way. The Lambda code is directly responsible for storing certificate event records in the DynamoDB table, so the correctness of CA Gateway certificate events API depends on the correctness of this Lambda code.

  4. Click Deploy above the code file.
  5. Click the Configuration tab.
  6. On the left pane, select Permissions.
  7. In the Execution role section, click the role associated with this Lambda function. You should see a summary of the Lambda function role in a new tab.
  8. In the new tab, click Attach policies under Permissions.
  9. On the resulting page, search for AWSCertificateManagerPrivateCAReadOnly.
  10. Select the AWSCertificateManagerPrivateCAReadOnly policy.
  11. Click Attach policy. Attaching this policy to the role allows the Lambda function to retrieve certificate content from an AWS private CA.
  12. Verify that your role has all of the necessary permissions. The following permissions will suffice.
    • Certificate Manager Private Certificate Authority: List, Read
    • DynamoDB: Read, Write
    • CloudWatch Logs: Write

Limiting AWS DynamoDB permissions (optional)

You may wish to limit the DynamoDB permissions to saving certificate events in the AWS DynamoDb table.

To limit the DynamoDB permissions

  1. In the AWSLambdaMicroserviceExecutionRole section containing the DynamoDB permissions, click Edit policy.
  2. In the JSON tab, replace the value in the Resource field with the ARN of the DynamoDb table previously created in Creating the AWS DynamoDb tableTo get this ARN in the DynamoDB service console, go to the Table details section and click the Overview tab. 

Limiting AWS Private Certificate Manager permissions (optional)

You may wish to limit Certificate Manager Private CA permissions to the CA(s) the Lambda code will access. As the policy already attached to the Lambda role is a pre-packaged AWS-managed policy, you won’t be able to edit it. Instead, you’ll have to create a policy.

To limit the Private Certificate Manager permissions

  1. Remove the AWSCertificateManagerPrivateCAReadOnly policy by clicking the X to the right of it. Confirm this action when prompted.
  2. Click Attach policies.
  3. Click Create policy.
  4. Create the policy either via the Visual editor or the JSON editor. 

Creating the AWS EventBridge rule

Create an AWS EventBridge rule for invoking the Lambda function.

To create an EventBridge rule

  1. Search for Amazon EventBridge in the search box at the top of the AWS Management Console.
  2. Navigate to the main page of the Amazon EventBridge service. 
  3. Select Create rule.
  4.  Provide a name and description for the rule.
  5. In the Define pattern section, select Event pattern
  6. in Event matching pattern, select Pre-defined pattern by service.
  7.  In Service provider select AWS.
  8.  In Service name, select Certificate Manager Private CA.
  9. In Event type select AWS API Call via CloudTrail.
  10. Select Specific operation(s) instead of the default Any operation.
  11. Add the IssueCertificate and RevokeCertificate operations.

  12. Review the configuration. The Event pattern should look like this. 

    {
    "source": ["aws.acm-pca"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
    "eventSource": ["acm-pca.amazonaws.com"],
    "eventName": ["IssueCertificate", "RevokeCertificate"]
    }
  13. In the Select event bus section, select AWS default event bus (selected by default).
  14. In the Select targets section under the first Target, select Lambda function (selected by default).
  15. Under Function select the Lambda function previously created in Creating the AWS Lambda function.
  16. Click Create.

Configuring the AWS DynamoDB table in CA Gateway

Edit the CA Gateway  application.yml file and configure the following in the AWS-managed CA settings.

Setting

Value

properties.certificate-events-storage-method

“DynamoDb”

properties.dynamodb-table-name

The table name selected in Creating the AWS DynamoDb table .

For example:

AWSWITHDYNAMODB:
        name: "AWS Private Root CA"
        issuer-dn: "L=Dallas, CN=WY Root CA 1, ST=Texas, OU=Terraforming, O=Weylan-Yutani Corporation, C=US"
        connector-name: com.entrust.awsca
        properties:
          aws-region: "us-east-1"
          aws-ca-arn: "arn:aws:acm-pca:us-east-1:422825380052:certificate-authority/2b33862c-e9f0-490d-9a3a-ad74476f7bca"
          aws-ca-s3-crl-arn: ""
          aws-ca-audit-report-s3-bucket-name: "cagw-audit-report"
          aws-api-url: "https://acm-pca.us-east-1.amazonaws.com:443/"
          aws-user-login-url: "https://edc-admin-services-dev.signin.aws.amazon.com/console"
          aws-user-arn: "arn:aws:iam::422825380052:user/cagw-ca-user"
          aws-user-access-key-id: "ABCDEFG1234567890123"
          aws-user-secret-access-key: "ABCDEFG123456789012345678901234567890123"
          certificate-events-storage-method: "DynamoDb"
          dynamodb-table-name: "certificate-events"