AWS S3 Publisher

ENTERPRISE

The AWS S3 publisher stores certificates and CRLs generated in EJBCA in an AWS S3 bucket. The publisher works with AWS in one of two ways:

  • Connecting via the AWS CLI to perform the S3 bucket operations. The AWS CLI is installed by default on the AWS EJBCA Cloud instance, and may be installed separately on other EJBCA software installations.

  • Connecting directly to AWS to perform the S3 bucket operations. This option does not require the AWS CLI to be installed on the EJBCA instance and can therefore be used in situations where the AWS CLI is not available, such as the EJBCA Appliance or EJBCA SaaS. This is the recommended configuration when publishing to S3.

For more information on the AWS S3 Publisher, refer to the EJBCA Cloud documentation.

The following provides a brief description of the available options:

  • S3 Authentication Type:

    • Access Key and Secret: Use long-term credentials for an IAM user to connect to S3. This option connects directly to AWS S3 and does not require the AWS CLI to be installed locally. For more information about acquiring these values, see the AWS Documentation on Manage access keys for IAM users.

    • IAM Role: Use the IAM role assigned to the host machine when authenticating to S3. This option requires EJBCA to be running on an EC2 instance with an assigned role. For more information on assigning a Role to an EC2 instance, see the AWS Documentation about IAM roles for Amazon EC2. This option connects directly to AWS S3 and does not require the AWS CLI to be installed locally.

    • Credentials from Local Filesystem: Use a local version of the AWS CLI program, installed on the current filesystem. This option cannot be used with Cloud or Appliance versions of EJBCA. It is considered a legacy configuration and is not recommended.

  • S3 Region: The region the S3 bucket is hosted in. This is only used when S3 Authentication Type is Access Key and Secret or IAM Role. For example, “us-east-1”.

  • S3 Access Key ID: The AWS IAM user’s long-term credential Key ID. This is only used when S3 Authentication Type is Access Key and Secret.

  • S3 Secret: The AWS IAM user’s long-term secret. This is only used when S3 Authentication Type is Access Key and Secret.

  • S3 Bucket Name for CRLs: Enter the S3 bucket name for CRLs, for example, s3crlbucket. Validation is in place for the bucket naming restrictions specified in the AWS documentation Bucket Restrictions. The bucket must have been previously created.

  • S3 Key Prefix for CRLs (optional): Optionally specify a key prefix. The key prefix will be created when a CRL file is copied to the bucket. The key prefix may have multiple levels separated by "/" (for example, mykeyprefixa/mykeyprefixb). Validation is in place for the Safe Characters specified in the AWS documentation Object Key and Metadata. Characters That May Require Special Handling are not allowed.

  • CRL file format: Select the encoding method for CRLs (DER or PEM).

  • CRL file name: Select the value to use for the CRL file name: CA SHA-1 Fingerprint (the fingerprint of the CA certificate that issued the CRL) or CA CN/SN/O (the CN part of the issuer DN; the DN SERIALNUMBER if there is no CN; or O if neither exists).

  • S3 Bucket Name for Certificates: Enter the S3 bucket name for certificates. For example, s3crlbucket. Validation is in place for the bucket naming restrictions specified in the AWS documentation Bucket Restrictions. The bucket must have been previously created.

  • S3 Key Prefix for Certificates (optional): Optionally specify a key prefix. The key prefix will be created when a certificate file is copied to the bucket. The key prefix may have multiple levels separated by "/" (for example, mykeyprefixa/mykeyprefixb). Validation is in place for the Safe Characters specified in the AWS documentation Object Key and Metadata. Characters That May Require Special Handling are not allowed.

  • Certificate file format: Select the encoding method for certificates (DER or PEM).

  • Store active and revoked Certificates in separate paths: If enabled, active and revoked certificates will be stored in separate paths (active/ or revoked/). For example, an active certificate would be stored as s3://s3certbucket/myprefixb/ManagementCA/active/614fa28653d1ec24e97dad02c3a2d077c3a9f1d9. When an active certificate is revoked, the certificate will be stored under "revoked" and deleted from "active", and vice versa. If this option is not enabled, certificates will be stored directly under the Issuer CA DN subpath. If the same certificate is published again (active or revoked), it will overwrite the existing file (e.g. s3://s3certbucket/myprefixb/ManagementCA/614fa28653d1ec24e97dad02c3a2d077c3a9f1d9).

  • Certificate file name: Select the value to use for the certificate file name: Serial Number, SHA-1 Fingerprint, or SHA-256 Fingerprint.
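The options above together determine where each object lands in the bucket and which names the publisher will accept. The following is an added example, not EJBCA code, that models that behaviour: the bucket-name and key-prefix checks follow the AWS rules the options cite (the exact validation EJBCA performs is not shown here), the CRL and certificate file-name rules follow the CN/SERIALNUMBER/O fallback and fingerprint choices listed, and the object-key layout reproduces the `prefix/IssuerCA/active|revoked/filename` path from the example. Rendering the serial number as lower-case hex is an assumption of this example; all inputs are constructed.

```python
import hashlib
import ipaddress
import re

# Added example (not EJBCA code): models the object-key layout and naming
# validation described by the AWS S3 Publisher options. The checks follow
# the AWS rules the documentation cites; EJBCA's own validation may differ.

# AWS "safe characters" for object keys: alphanumerics and ! - _ . * ' ( ).
# "/" is accepted only as the separator between key-prefix levels.
_SAFE_KEY_LEVEL = re.compile(r"^[A-Za-z0-9!_.*'()-]+$")
# Bucket names: 3-63 characters of lowercase letters, digits, dots and
# hyphens, beginning and ending with a letter or digit.
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_bucket_name(name: str) -> bool:
    """Approximation of the AWS bucket naming restrictions."""
    if not _BUCKET_NAME.match(name) or ".." in name:
        return False
    try:
        ipaddress.IPv4Address(name)  # names like 192.168.5.4 are not allowed
        return False
    except ValueError:
        return True


def validate_key_prefix(prefix: str) -> bool:
    """Every "/"-separated level must use safe characters only; an empty
    level (leading, trailing or doubled "/") is rejected. "" means no prefix."""
    if prefix == "":
        return True
    return all(_SAFE_KEY_LEVEL.match(level) for level in prefix.split("/"))


def crl_file_name(ca_cert_der: bytes, issuer_dn: dict, mode: str) -> str:
    """CRL file name: the issuing CA certificate's SHA-1 fingerprint, or the
    issuer DN's CN, falling back to SERIALNUMBER, then O."""
    if mode == "CA SHA-1 Fingerprint":
        return hashlib.sha1(ca_cert_der).hexdigest()
    if mode == "CA CN/SN/O":
        for attr in ("CN", "SERIALNUMBER", "O"):
            if issuer_dn.get(attr):
                return issuer_dn[attr]
        raise ValueError("issuer DN has neither CN, SERIALNUMBER nor O")
    raise ValueError(f"unknown CRL file name mode: {mode!r}")


def cert_file_name(cert_der: bytes, serial: int, mode: str) -> str:
    """Certificate file name: serial number (lower-case hex assumed here),
    SHA-1 fingerprint or SHA-256 fingerprint of the DER certificate."""
    if mode == "Serial Number":
        return format(serial, "x")
    if mode == "SHA-1 Fingerprint":
        return hashlib.sha1(cert_der).hexdigest()
    if mode == "SHA-256 Fingerprint":
        return hashlib.sha256(cert_der).hexdigest()
    raise ValueError(f"unknown certificate file name mode: {mode!r}")


def certificate_key(prefix: str, issuer_subpath: str, file_name: str,
                    revoked: bool, separate_paths: bool) -> str:
    """Object key: [prefix/]<issuer CA subpath>/[active|revoked/]<file name>."""
    parts = [p for p in (prefix, issuer_subpath) if p]
    if separate_paths:
        parts.append("revoked" if revoked else "active")
    parts.append(file_name)
    return "/".join(parts)


def publish_plan(bucket: str, prefix: str, issuer_subpath: str, file_name: str,
                 revoked: bool, separate_paths: bool):
    """Return (uri_to_write, uri_to_delete). With separate paths enabled, a
    status change writes the new location and removes the old one; without
    them the single key is overwritten and nothing is deleted."""
    put = certificate_key(prefix, issuer_subpath, file_name, revoked, separate_paths)
    put_uri = f"s3://{bucket}/{put}"
    if not separate_paths:
        return put_uri, None
    old = certificate_key(prefix, issuer_subpath, file_name, not revoked, True)
    return put_uri, f"s3://{bucket}/{old}"


if __name__ == "__main__":
    # Constructed inputs; the fingerprint is the one from the example path above.
    fp = "614fa28653d1ec24e97dad02c3a2d077c3a9f1d9"
    print(validate_bucket_name("s3certbucket"), validate_key_prefix("myprefixa/myprefixb"))
    print(publish_plan("s3certbucket", "myprefixb", "ManagementCA", fp, False, True))
```

Running the block prints the write/delete pair for an active certificate under `myprefixb/ManagementCA/`, which makes the "stored under active, deleted from revoked" behaviour visible before any bucket is touched; the validation helpers are useful for checking a planned bucket name and key prefix against the AWS rules ahead of saving the publisher configuration.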
