Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ACM: Add ability when requesting a PrivateCertificate to choose Key Algorithm #22887

Closed
2 tasks
hscheib opened this issue Nov 11, 2022 · 5 comments · Fixed by #28597 · May be fixed by stack-spot/app-handler-functions-template#2, stack-spot/eks-env-ts-template#2 or stack-spot/web-react-deploy#4
Closed
2 tasks

ACM: Add ability when requesting a PrivateCertificate to choose Key Algorithm #22887

hscheib opened this issue Nov 11, 2022 · 5 comments · Fixed by #28597 · May be fixed by stack-spot/app-handler-functions-template#2, stack-spot/eks-env-ts-template#2 or stack-spot/web-react-deploy#4
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2

Comments

@hscheib
Copy link

hscheib commented Nov 11, 2022

Describe the feature

In the AWS ACM console, when requesting a new private certificate, I can select between the key algorithms: RSA 2048, ECDSA P 384, and ECDSA P 258.

In CDK, there is not a way to set the key algorithm and when requesting a cert, and it defaults to RSA 2048(which causes the cert to become a failed state because of the private CA being Elliptic Curve based).

Use Case

We use AWS private certificate authority service and have a CA set as ECDSA P384. To use this private CA we need to be able to generate certs via CDK. Currently, when creating a private cert with CDK, it defaults to RSA 2048 which lands the certificate in a FAILED state since it doesn't match the private certificate authority config.

Proposed Solution

Add a keyAlgorithm property to the PrivateCertificate contruct.

    const cert = new acm.PrivateCertificate(this, 'certificate', {
      domainName: props.certDomain,
      keyAlgorithm: "ECDSAP384"
      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
        props.certificateAuthorityArn),
    });

Other Information

The only solution that works is to use an RSA based private CA and then cdk cert generation will work since the key algorithm is defaulted to RSA. Otherwise we manually create a certificate in the ACM console and select the key algorithm we expect and reference that certificate ARN in our cdk code.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.48.0

Environment details (OS name and version, etc.)

macOS version 12.5.1
@hscheib hscheib added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 11, 2022
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Nov 11, 2022
@peterwoodworth
Copy link
Contributor

It doesn't look like there's an option on the CloudFormation resource itself, so unfortunately there's not much we can do here.

I recommend opening an issue in the CloudFormation Coverage Roadmap to request this functionality, it doesn't look like there's one open yet 🙂

Until we support this, you may want to use an AwsCustomResource to make the RequestCertificate API call where you can specify the KeyAlgorithm

@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. and removed needs-triage This issue or PR still needs to be triaged. labels Nov 12, 2022
@hscheib
Copy link
Author

hscheib commented Nov 15, 2022

Thank you. You are correct, I didn't do my due diligence checking CloudFormation(I incorrectly assumed CloudFormation is up to date with AWS API). I went ahead and requested the feature in the CloudFormation Roadmap aws-cloudformation/cloudformation-coverage-roadmap#1401

I tried out the AwsCustomResource and it semi worked but ultimately will not be using it. It worked in the sense that the RequestCertificate API call did happen and the certificate did create. BUT there is a small amount of time where the certificate is in "status: ISSUING" and cannot be attached/used. I don't think the AwsCustomResource knows about that time delay so the CDK stack tries to immediately move on and assign the certificate ARN to a resource and ends up failing. When I go back to acm.PrivateCertificate with defaulted key algorithm RSA2048, the stack succeeds every time.

Should I leave this open (pending CloudFormation support issue I linked)? Otherwise we can close this request.

@peterwoodworth
Copy link
Contributor

We can leave this open so that if anyone in the future runs into this they'll know to look to the CloudFormation issue in the roadmap 🙂

For the custom resource, it makes sense you ran into that issue, should've checked to verify that workaround would fully work 😅. I think you can implement your own custom resource by creating your own provider, that way you can make use of the isCompleteHandler functionality. I'm not sure exactly how you would accomplish this in this use case, but if you're still interested in finding a workaround this could be a fruitful path

@longtv2222 longtv2222 mentioned this issue Jan 6, 2024
Merged
@mergify mergify bot closed this as completed in #28597 Jan 9, 2024
mergify bot pushed a commit that referenced this issue Jan 9, 2024
@longtv2222
feat(certificatemanager): key algorithm support for `PrivateCertifica…
1822cc9 
…te` and `Certificate` (#28597)

Add support for key algorithm when requesting a certificate

`keyAlgorithm` support for `DnsValidatedCertificate` is not supported since the construct was _deprecated_. Added a warning if user tries to use `keyAlgorithm` for the construct instead.

CloudFormation docs for [key algorithm](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-certificatemanager-certificate.html#cfn-certificatemanager-certificate-keyalgorithm).

Closes #22887.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 9, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

This was referenced Feb 10, 2024
Open
Open
Open
@lasley
Copy link

lasley commented Feb 29, 2024

Future internet peepz, this was integrated into the Certificate construct under the keyAlgorithm property

https://github.com/aws/aws-cdk/pull/28597/files

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_certificatemanager.Certificate.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. needs-cfn This issue is waiting on changes to CloudFormation before it can be addressed. p2
Projects
None yet
Milestone
No milestone
4 participants
@hscheib @lasley @peterwoodworth @comcalvi