Backup Generated Certificates / Keys
It would be ideal if the certificates generated by a first-time deployment were stored somewhere, in either S3 or Parameter Store with AWS KMS.
AWS did a blog post with multiple ways of approaching certificate management, and the storing of certificates for retrieval:
This points out how S3 may be a better path, even if more complex:
Currently, there is a limitation of 4,096 characters that can be stored in Parameter Store. This may not be sufficient for some types of certificates. For example, some x509 certs include the chain and so can exceed the 4,096 character limit. To avoid any character size limitation, Amazon S3 can be used to store the certificate with Parameter Store. The certificate can be stored on Amazon S3, encrypted with KMS and the private key, or the password can be stored in Parameter Store.
With this approach, there is no limitation on certificate length and the private key remains secured with KMS. However, it does involve some additional complexity in setting up the process of creating the certificates, storing them in S3, and then storing the password or private keys in Parameter Store. That is in addition to securing, trusting, and auditing the system handling the private keys and certificates.
This would allow for expanded capabilities for things like:
- Not having to reissue certificates every time the instance is destroyed/re-deployed, which is what would happen if the CFN template targets a new AMI
- This can allow for certain patch strategies that simply involve redeploying an instance rather than applying updates/restarts in place
- Opportunities for HA with multiple OpenVPN instances, allowing for retrieval of the same sets of base certificates and keys necessary for OpenVPN configuration
- This can also apply to a potential future of using a container-based solution rather than EC2 instances, and using S3 calls to pull down certificates (or simply mounting a shared volume where the certificates may already reside)
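Added example (not code from this issue or the project) of the split the AWS post describes: the chain goes to S3 under SSE-KMS, the private key to a Parameter Store SecureString, and a redeployed instance restores both. It assumes boto3-style S3 and SSM clients are passed in (real `boto3.client("s3")` / `boto3.client("ssm")` objects work); the `FakeS3`/`FakeSSM` classes, bucket name, prefix and KMS alias are constructed stand-ins so it runs offline.

```python
import io
import os

PARAM_STORE_LIMIT = 4096  # standard-tier Parameter Store value limit (chars)

def backup_pki(s3, ssm, bucket, prefix, cert_chain_pem, key_pem, kms_key_id):
    """Chain (may exceed 4 KB) -> S3 object under SSE-KMS; private key ->
    SSM SecureString, which SSM encrypts with the same KMS key."""
    if len(key_pem) > PARAM_STORE_LIMIT:
        raise ValueError("private key exceeds the Parameter Store size limit")
    s3.put_object(Bucket=bucket, Key=f"{prefix}/fullchain.pem", Body=cert_chain_pem.encode(),
                  ServerSideEncryption="aws:kms", SSEKMSKeyId=kms_key_id)
    ssm.put_parameter(Name=f"/{prefix}/private-key", Value=key_pem,
                      Type="SecureString", KeyId=kms_key_id, Overwrite=True)

def restore_pki(s3, ssm, bucket, prefix, dest_dir):
    """Fetch both halves on a fresh instance; the key file is created 0600."""
    obj = s3.get_object(Bucket=bucket, Key=f"{prefix}/fullchain.pem")
    param = ssm.get_parameter(Name=f"/{prefix}/private-key", WithDecryption=True)
    os.makedirs(dest_dir, exist_ok=True)
    chain_path = os.path.join(dest_dir, "fullchain.pem")
    key_path = os.path.join(dest_dir, "server.key")
    with open(chain_path, "w") as f:
        f.write(obj["Body"].read().decode())
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(param["Parameter"]["Value"])
    os.chmod(key_path, 0o600)  # a pre-existing file would keep its old mode otherwise
    return chain_path, key_path

class FakeS3:  # constructed in-memory stand-in for boto3's S3 client (offline demo)
    def __init__(self):
        self.objects = {}
    def put_object(self, Bucket, Key, Body, **kw):
        if kw.get("ServerSideEncryption") != "aws:kms":
            raise ValueError("refusing to store PKI material without SSE-KMS")
        self.objects[(Bucket, Key)] = Body
    def get_object(self, Bucket, Key):
        return {"Body": io.BytesIO(self.objects[(Bucket, Key)])}

class FakeSSM:  # constructed stand-in for boto3's SSM client; enforces the 4,096 limit
    def __init__(self):
        self.params = {}
    def put_parameter(self, Name, Value, Type, **kw):
        if len(Value) > PARAM_STORE_LIMIT:
            raise ValueError("ParameterLimitExceeded")
        self.params[Name] = (Type, Value)
    def get_parameter(self, Name, WithDecryption=False):
        return {"Parameter": {"Value": self.params[Name][1]}}
```

With real clients the instance role only needs `s3:GetObject`, `ssm:GetParameter` and `kms:Decrypt` on the one key to restore, so the backup-writing permissions can stay out of the OpenVPN instance's profile.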