Tags: amazon-web-services, security, ssl, certificate, amazon-emr

How do I generate a trustedCertificates.pem and certificateChain.pem file for Amazon EMR?


I'm trying to encrypt TLS traffic in transit between EMR nodes. The example on the AWS website uses a self-signed certificate.

Because this is all within my private network, I have generated a root CA certificate with a private key that is tightly secured. I then have a derived certificate which can perform key encipherment, digital signature, and server auth.

Let's call the root CA certificate A, and the derived certificate B.

EMR says that I need to upload a zipfile to s3 containing 2 required files and one optional file:

  • privateKey.pem is required,

  • certificateChain.pem is required

  • and trustedCertificates.pem is optional

For privateKey.pem, I assume I can just use the private key associated with certificate B.

  1. For certificateChain.pem, do I need the contents of the certificate B concatenated with certificate A or do I just need the contents of certificate A?
  2. For trustedCertificates.pem do I need the contents of certificate A or of certificate B?

Solution

  • If you follow this AWS script as per the documentation you will find that trustedCertificates.pem and certificateChain.pem are the same file (via a file copy).

    # One self-signed certificate serves as both the node certificate and the trust anchor.
    # The state field is ST=; OpenSSL does not know S= and silently skips it.
    openssl req -x509 -newkey rsa:2048 -keyout privateKey.pem -out certificateChain.pem -days 365 -nodes -subj '/C=US/ST=Washington/L=Seattle/O=MyOrg/OU=MyDept/CN=*.ec2.internal'
    
    # The trust store is a copy of that same certificate.
    cp certificateChain.pem trustedCertificates.pem
    
    # Bundle the three files for upload to S3 (-X omits extra file attributes such as uid/gid).
    zip -r -X certs.zip privateKey.pem certificateChain.pem trustedCertificates.pem
    

    EMR Create Certificate Script

    You are complicating things by creating a root certificate, which is not necessary. Follow the AWS documentation on setting up TLS on EMR:

    Secure Amazon EMR with Encryption

    The zip file that you upload to S3 contains three files, privateKey.pem, certificateChain.pem and trustedCertificates.pem, two of which are the same file with different names.

    [EDIT after a very long comment thread on certificates]

    When you create a self-signed root certificate, all certificates that it signs are also self-signed. A certificate is verified by verifying each certificate up the chain to the root. If the root certificate is untrusted, then all certificates are untrusted.

    AWS offers a certificate management service where you can be your own CA. However, this is very expensive. If you are a large company, a bank or financial institution, etc. then this AWS service is very useful.

    For Amazon EMR, using a single self-signed certificate is OK. The reasoning is that you are in full control over the systems that are using the certificate. You would not want to use a self-signed certificate if any part of the system is providing public access.

    One item that confused the OP is the difference between a trusted certificate and the certificate chain. In his example, since there is only the root certificate and no intermediate certificates, the trusted and chain are the same item. Only if he had created another signing certificate that was used to sign the last certificate would the certificate chain be different (there would be the root certificate and the signing certificate).
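Added example, not the answer's or AWS's script: the three-tier case the answer's last paragraph describes (private root A, an issuing CA, node certificate B), built with OpenSSL and then checked the way a TLS peer would check it. It assumes the layout privateKey.pem = B's key, certificateChain.pem = B followed by the issuing CA and then A, trustedCertificates.pem = A only. The subjects, the ip-10-0-0-1.ec2.internal hostname used in the hostname check, the openssl.cnf contents and the function names are made up for the example; it needs OpenSSL 1.1.1 or later, and the zip step only runs if zip is installed.

```shell
#!/bin/sh
# Added example (not from the answer or AWS). Builds privateKey.pem,
# certificateChain.pem and trustedCertificates.pem from a private root CA (A),
# an issuing CA and a node certificate (B), then verifies the result.
set -eu

# Constructed OpenSSL config: one section of extensions per certificate type.
write_openssl_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:*.ec2.internal
EOF
}

# Self-signed root CA (certificate A). $1 = working directory.
make_root_ca() {
  openssl req -x509 -new -config "$1/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -sha256 -nodes -days 3650 \
    -keyout "$1/rootCA.key" -out "$1/rootCA.pem" \
    -subj '/C=US/ST=Washington/L=Seattle/O=MyOrg/CN=MyOrg Private Root CA' 2>/dev/null
}

# Key + CSR + certificate signed by an existing CA.
# $1 dir, $2 name, $3 subject, $4 extension section, $5 issuer name, $6 days
issue_cert() {
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -sha256 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" -CAcreateserial \
    -days "$6" -sha256 -extfile "$1/openssl.cnf" -extensions "$4" -out "$1/$2.pem" 2>/dev/null
}

# Assemble the three EMR files in $1 (assumed layout, see lead-in).
build_emr_cert_bundle() {
  mkdir -p "$1"
  write_openssl_config "$1/openssl.cnf"
  make_root_ca "$1"
  issue_cert "$1" intermediate '/C=US/O=MyOrg/CN=MyOrg Issuing CA' v3_intermediate rootCA 1825
  issue_cert "$1" node '/C=US/ST=Washington/L=Seattle/O=MyOrg/OU=MyDept/CN=*.ec2.internal' \
    v3_leaf intermediate 365
  cp "$1/node.key" "$1/privateKey.pem"                       # only the node's key
  cat "$1/node.pem" "$1/intermediate.pem" "$1/rootCA.pem" \
    > "$1/certificateChain.pem"                               # node cert first, then issuers up to the root
  cp "$1/rootCA.pem" "$1/trustedCertificates.pem"           # trust anchors: the root only
  chmod 600 "$1/privateKey.pem" "$1"/*.key
  if command -v zip >/dev/null 2>&1; then
    (cd "$1" && zip -q -X certs.zip privateKey.pem certificateChain.pem trustedCertificates.pem)
  fi
}

# Check the bundle as a peer would: trust only the root, take intermediates from the
# chain file, require a server-auth chain, match a node hostname against the SAN,
# and confirm privateKey.pem really belongs to the node certificate.
verify_emr_cert_bundle() {
  openssl verify -CAfile "$1/trustedCertificates.pem" -untrusted "$1/certificateChain.pem" \
    -purpose sslserver -verify_hostname ip-10-0-0-1.ec2.internal "$1/node.pem" >/dev/null
  [ "$(openssl x509 -in "$1/node.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/privateKey.pem" -pubout)" ]
}

# Why the chain file matters: with the root as the only trust anchor and no
# intermediate available, the node certificate alone does not verify.
# Returns 0 when verification fails as expected.
verify_fails_without_intermediate() {
  if openssl verify -CAfile "$1/trustedCertificates.pem" "$1/node.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Stand-alone run: `sh emr_certs.sh ./emr-certs` (defaults to a temp directory).
OUT=${1:-$(mktemp -d)}
build_emr_cert_bundle "$OUT"
verify_emr_cert_bundle "$OUT"
verify_fails_without_intermediate "$OUT"
echo "bundle written to $OUT"
```

The two verify calls make the answer's distinction concrete: trustedCertificates.pem is what the peer trusts on its own (the root), while certificateChain.pem is what the node presents so the peer can walk from B back to that root; drop the intermediate from the chain and the same root no longer vouches for B. In the two-tier case of the question (A signs B directly) the chain is just B followed by A, and trustedCertificates.pem is still A alone.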