Thursday, May 15, 2014

AWS IAM - How to Create a User Signing Certificate

Currently, AWS IAM doesn't have an API action to create signing certificates, so you must use a third-party tool such as OpenSSL to create the certificate first. We recommend you create an RSA key that is either 1024-bit or 2048-bit in length. The certificate can be self-signed, and the key and certificate must be in PEM format.

Signing certificates are used by only some services, for example to sign SOAP requests, even though AWS is deprecating SOAP.

Create a user certificate using OpenSSL:
Install OpenSSL:
# yum install mod_ssl openssl

Generate a private key:
# openssl genrsa 2048 > tony.pem

Generate a certificate using the private key. Because you are creating a user signing certificate and not a server certificate, you don't need to submit a certificate signing request (CSR) to a Certificate Authority (CA).
# openssl req -new -x509 -nodes -sha1 -days 365 -key tony.pem -outform PEM > certificate.pem

Upload the certificate. When you upload it, IAM returns a certificate ID that you can save for your records; if necessary, you can list the IDs of the user's certificates later. You can delete a certificate at any time.

Back in the IAM dashboard, choose the user; under the "Security Credentials" tab, you will see that "Signing Certificates:" is now active.
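The whole procedure above as one script, added here as an example that is not part of the original post: it generates the key and self-signed certificate, signs with SHA-256 rather than the post's SHA-1, and checks that the certificate really matches the key before anything is uploaded. The file names, the subject and the `aws iam upload-signing-certificate` command quoted in the final comment are assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: create an IAM user signing
# certificate with OpenSSL and sanity-check it before uploading.
# Assumptions: openssl is in PATH; file names and the subject are arbitrary.
set -eu

WORK=$(mktemp -d)              # scratch directory for the generated files
KEY="$WORK/signing-key.pem"    # private key (keep this one secret)
CERT="$WORK/signing-cert.pem"  # self-signed certificate to upload

# Step 1: 2048-bit RSA private key in PEM format, as IAM requires.
gen_key() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Step 2: self-signed X.509 certificate. No CSR or CA is involved because IAM
# trusts whatever certificate is uploaded to the user. -subj avoids the
# interactive prompts; SHA-256 is used here instead of the post's -sha1.
gen_cert() {
  openssl req -new -x509 -nodes -sha256 -days 365 \
    -key "$KEY" -subj "/CN=iam-user-signing" -outform PEM -out "$CERT"
}

# Check: the certificate's public key must match the private key, otherwise
# requests signed with the key will be rejected after the upload.
keys_match() {
  [ "$(openssl rsa -in "$KEY" -noout -modulus)" = \
    "$(openssl x509 -in "$CERT" -noout -modulus)" ]
}

# Check: key size in bits, derived from the modulus (4 bits per hex digit).
key_bits() {
  mod=$(openssl rsa -in "$KEY" -noout -modulus | cut -d= -f2)
  echo $(( ${#mod} * 4 ))
}

# Check: the certificate verifies against itself, i.e. it is well-formed PEM
# and self-signed.
is_self_signed() {
  openssl verify -CAfile "$CERT" "$CERT" >/dev/null 2>&1
}

gen_key
gen_cert
if keys_match && is_self_signed; then
  echo "key and certificate OK: $(key_bits)-bit RSA, ready to upload $CERT"
else
  echo "certificate does not match key or is not self-signed" >&2; exit 1
fi
# Upload step (done in the dashboard in the post); the CLI equivalent, not run here:
#   aws iam upload-signing-certificate --user-name USER_NAME --certificate-body "file://$CERT"
```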
