
feature addition: store cert/key in s3 #1


Comments

@tkellen

tkellen commented Dec 17, 2019

Hello! Thank you so much for making this tool, it does almost exactly what I need it to :)

I have a few use-cases in which I need access to the private key of a generated certificate. As this is not accessible once stored in ACM, would you accept a PR that introduces support for storing certs/private keys in s3 as an alternative destination?

@begmaroman
Owner

begmaroman commented Dec 17, 2019

@tkellen Hello!
I like your idea, but I propose to do it a little differently. Since a private key is secret data, I propose to store the private key in Secrets Manager. What do you think about this idea?

@tkellen
Author

tkellen commented Dec 17, 2019

Ah yes, that makes more sense, I have no idea why I didn't suggest that from the outset!

Would you feel equally supportive of my implementing this to store the private key as an encrypted string parameter in SSM (and the cert as an unencrypted one) instead? I am in the process of migrating away from secrets manager because I don't use the secret rotation functionality.

@begmaroman
Owner

@tkellen I think we can make the script more flexible and support multiple storages for private keys by passing an argument like --private-store s3

@tkellen
Author

tkellen commented Dec 17, 2019

Sounds good to me! I can cover the secretsmanager and parameter store one as well. I'll try to take a look in the next week or so and open a simple WIP PR for your feedback on the implementation before I go too far.

@begmaroman
Owner

@tkellen I'll be glad to look at a PR, thanks :)

@RichardBradley

Did anything come of this? I'm looking for the same thing.
I will create a PR, unless you have one that just hasn't been published yet and would be willing to publish it?

@RichardBradley

RichardBradley commented Aug 27, 2020

Actually, I think it's going to be more work for me to adapt this tool to do what I want than to write my own script, so I won't make a PR. Thanks anyway.

It seems strange to me to store the certs in ACM, which doesn't allow exporting. If you need a cert in ACM for something like ALB where you don't need the private key, why not use the ACM provided certs directly?

@mkozjak

mkozjak commented May 4, 2021

@tkellen Thoughts on this one? Decided to move to another solution? Any recommendations?

@tkellen
Author

tkellen commented May 4, 2021

Wound up minting certs with terraform/letsencrypt thusly:

```hcl
provider "acme" {
  server_url = "https://acme-v02.api.letsencrypt.org/directory"
  # for testing: server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# ACME account key (distinct from the certificate's private key)
resource "tls_private_key" "account" {
  algorithm = "RSA"
}

resource "acme_registration" "main" {
  account_key_pem = tls_private_key.account.private_key_pem
  email_address   = local.config.admin_email
}

# Wildcard cert for the environment, validated via a Route53 DNS-01 challenge
resource "acme_certificate" "certificate" {
  account_key_pem           = acme_registration.main.account_key_pem
  common_name               = "${local.config.env}.${local.config.domain}"
  subject_alternative_names = [
    "*.${local.config.env}.${local.config.domain}"
  ]
  dns_challenge {
    provider = "route53"
    config = {
      AWS_PROFILE        = "training"
      AWS_DEFAULT_REGION = "us-east-1"
    }
  }
}
```
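The storage layout the thread converged on (private key in an encrypted store, certificate in a plain one, optionally the same pair imported into ACM for an ALB) can be expressed directly in Terraform on top of an `acme_certificate` resource like the one above. The block below is an added example, not code from the thread's tool or from any participant; it assumes a resource named `acme_certificate.certificate` and `local.config.env` as in the snippet above, and the parameter names, secret names and KMS key are illustrative choices.

```hcl
# Added example: store the issued key/cert from acme_certificate.certificate
# in SSM Parameter Store (key as SecureString, cert as String), alternatively
# in Secrets Manager, and import the pair into ACM only if an ALB needs it.
# Parameter/secret names and the KMS key are assumptions for illustration.

# Customer-managed key: access to the private key is then gated by the key
# policy (kms:Decrypt) as well as by ssm:GetParameter on the parameter ARN.
resource "aws_kms_key" "tls" {
  description         = "Encrypts TLS private keys stored in SSM / Secrets Manager"
  enable_key_rotation = true
}

# Private key: encrypted at rest; callers need WithDecryption=true to read it.
# A 2048-bit RSA PEM (~1.7 KB) fits the 4 KB Standard tier.
resource "aws_ssm_parameter" "private_key" {
  name   = "/${local.config.env}/tls/private_key"
  type   = "SecureString"
  key_id = aws_kms_key.tls.key_id
  value  = acme_certificate.certificate.private_key_pem
}

# Certificate plus issuer chain: public data, so a plain String parameter.
# Leaf + chain PEM can exceed 4 KB, hence the 8 KB Advanced tier.
resource "aws_ssm_parameter" "certificate" {
  name  = "/${local.config.env}/tls/certificate"
  type  = "String"
  tier  = "Advanced"
  value = "${acme_certificate.certificate.certificate_pem}${acme_certificate.certificate.issuer_pem}"
}

# Alternative raised in the thread: Secrets Manager instead of SSM.
resource "aws_secretsmanager_secret" "private_key" {
  name       = "${local.config.env}/tls/private_key"
  kms_key_id = aws_kms_key.tls.arn
}

resource "aws_secretsmanager_secret_version" "private_key" {
  secret_id     = aws_secretsmanager_secret.private_key.id
  secret_string = acme_certificate.certificate.private_key_pem
}

# Import into ACM only when the same cert must also terminate TLS on an
# ALB/CloudFront; ACM never exports the key, so the copy above stays the
# only retrievable one.
resource "aws_acm_certificate" "imported" {
  private_key       = acme_certificate.certificate.private_key_pem
  certificate_body  = acme_certificate.certificate.certificate_pem
  certificate_chain = acme_certificate.certificate.issuer_pem
}

output "private_key_parameter" {
  value = aws_ssm_parameter.private_key.name
}
```

Two caveats a practitioner should keep in mind with this layout: the private key also lands in Terraform state in plaintext, so the state backend needs encryption and tight access control, and `acme_certificate` renews in place (default `min_days_remaining` of 30), so every consumer must re-read the parameter or secret rather than caching the PEM for the life of the process.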
