Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(acm): Ability to generate and import self-signed certificates to ACM #21115

Open
2 tasks
tmokmss opened this issue Jul 13, 2022 · 3 comments
Open
2 tasks

(acm): Ability to generate and import self-signed certificates to ACM #21115

tmokmss opened this issue Jul 13, 2022 · 3 comments
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@tmokmss
Copy link
Contributor

tmokmss commented Jul 13, 2022
edited
Loading

Describe the feature

Like the feature implemented on Terraform, we'd like to generate a self-signed certificate within CDK, and import it to ACM.

The API on Terraform is like below. We can basically follow this design.

resource "tls_private_key" "example" {
  algorithm = "RSA"
}

resource "tls_self_signed_cert" "example" {
  key_algorithm   = "RSA"
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  validity_period_hours = 12

  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}

resource "aws_acm_certificate" "cert" {
  private_key      = tls_private_key.example.private_key_pem
  certificate_body = tls_self_signed_cert.example.cert_pem
}

Use Case

Currently we cannot create an ACM certificate without 1. creating a Route 53 hosted zone or 2. creating a private certificate authority (doc). When I want to quickly test some TLS feature, I sometimes get frustrated since creating them properly is troublesome and difficult.

Although we can generate a self-signed certificate locally and import it via the management console or AWS API, it would be really great if we could do it just using CDK.

Proposed Solution

Because CloudFormation does not support natively to import a certificate to ACM, we have to create a custom resource construct to do that. Additionally, we need a feature to generate a TLS certificate as in Terrafrom and pass it to the custom resource.

Other Information

Since using self-signed certificates is often not following security best practice, a warning should be clearly noted like in Terraform docs.

Self-signed certificates are usually used only in development environments or applications deployed internally to an organization. Certificates of this type are generally not trusted by client software such as web browsers. Therefore clients are likely to generate trust warnings when connecting to a server that has a self-signed certificate.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.26.0

Environment details (OS name and version, etc.)

macOS
@tmokmss tmokmss added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jul 13, 2022
@github-actions github-actions bot added the @aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager label Jul 13, 2022
@peterwoodworth peterwoodworth added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jul 28, 2022
@peterwoodworth
Copy link
Contributor

Thanks for the suggestion!

I am marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to revaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization.

Check out our contributing guide if you're interested in contributing yourself - there's a low chance the team will be able to address this soon but we'd be happy to review a PR 🙂

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 7, 2024

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.

@github-actions github-actions bot added p1 and removed p2 labels Jan 7, 2024
@pahud pahud added p2 and removed p1 labels Jun 11, 2024
@ADiTuri
Copy link

ADiTuri commented Nov 25, 2024

Interested in the feature as well, any news if this is in the roadmap?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-certificatemanager Related to Amazon Certificate Manager effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@pahud @tmokmss @peterwoodworth @comcalvi @ADiTuri