AWS network-firewall documentation change
Summary
Added detailed section on creating certificates for inbound TLS inspection using AWS Private CA, including OpenSSL configuration templates and AWS CLI commands
Security assessment
The change adds documentation about implementing TLS inspection certificates - a security feature - but does not address a specific vulnerability. It provides operational guidance rather than patching a security flaw.
Diff
diff --git a/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.md b/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.md index ab5a74269..7d6dc5e64 100644 --- a//network-firewall/latest/developerguide/tls-inspection-certificate-requirements.md +++ b//network-firewall/latest/developerguide/tls-inspection-certificate-requirements.md @@ -5 +5 @@ -General requirementsServer certificates - Inbound SSL/TLS inspectionCA certificate - Outbound SSL/TLS inspectionChecking certificate revocation status +General requirementsServer certificates - Inbound SSL/TLS inspectionCA certificate - Outbound SSL/TLS inspectionChecking certificate revocation statusCreating a certificate for inbound TLS inspection with AWS Private CA @@ -128,0 +129,73 @@ For information about troubleshooting issues related to certificate revocation, +## Creating a certificate for inbound TLS inspection with AWS Private CA + +You can use AWS Private CA to create certificates for inbound TLS inspection. This procedure shows you how to create a certificate that works with Network Firewall inbound inspection. + +###### Prerequisites + +Before you begin, verify that you have the following: + + * A certificate authority (CA) with ACTIVE status in AWS Private CA + + * OpenSSL installed on your system + + + + +###### To create a certificate for inbound TLS inspection + + 1. Create an OpenSSL configuration file named `openssl_temp.cnf`. Use the following template and modify the values for your environment. The `req_ext` section must have `basicConstraints` enabled. Adjust the `pathlen` value based on your Public Key Infrastructure (PKI) structure. + + [ req ] + default_bits = 2048 + prompt = no + default_md = sha256 + distinguished_name = dn + req_extensions = req_ext + + [ dn ] + C = US + ST = Your-State + L = Your-City + O = Your-Organization + OU = Your-Organizational-Unit + CN = <domain name here> + + [ req_ext ] + basicConstraints = critical, CA:TRUE, pathlen:0 + keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign, cRLSign + extendedKeyUsage = critical, serverAuth, clientAuth + subjectAltName = @alt_names + + [ alt_names ] + DNS.1 = <DNS Name here> + + + 2. Generate a private key using OpenSSL. + + openssl genrsa -out key.pem 2048 + + 3. Create a Certificate Signing Request (CSR) using your configuration file. + + openssl req -new -sha256 -key key.pem -nodes -out req.csr -config openssl_temp.cnf + + 4. Sign the certificate with AWS Private CA. Replace the placeholder values with your actual ARN and region. Adjust the template ARN if your `pathlen` value differs. + + aws acm-pca issue-certificate --certificate-authority-arn <pca_arn> --csr fileb://req.csr --signing-algorithm SHA256WITHRSA --validity Value=365,Type="DAYS" --template-arn arn:aws:acm-pca:::template/BlankSubordinateCACertificate_PathLen0_CSRPassthrough/V1 --region <region> --output json + + 5. Export the signed certificate from AWS Private CA. Use the certificate ARN from the previous step. + + aws acm-pca get-certificate --certificate-arn <cert_arn_from_previous_step> --certificate-authority-arn <pca_arn> --region <region> --output json | jq -r '.Certificate, .CertificateChain' + + 6. Upload the certificate to AWS Certificate Manager (ACM). The command output provides two certificate sections in PEM format. Use the first section as the certificate body, the second section as the certificate chain, and the `key.pem` file from step 2 as the private key. + + -----BEGIN CERTIFICATE----- + <Certificate body> + -----END CERTIFICATE----- + -----BEGIN CERTIFICATE----- + <Certificate chain> + -----END CERTIFICATE----- + + + + +