
AWS Certificate Manager

Learn how to configure an AWS Certificate Manager Certificate Sync for KMS PKI.

Prerequisites:

The AWS Certificate Manager Certificate Sync requires the following ACM permissions to be set on the IAM user/role for Hanzo KMS to sync certificates to AWS Certificate Manager: acm:ListCertificates, acm:DescribeCertificate, acm:ImportCertificate, acm:DeleteCertificate, and acm:ListTagsForCertificate.

These permissions allow Hanzo KMS to list, import, tag, and manage certificates in your AWS Certificate Manager service.
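As an added example (not Hanzo KMS code), the following Python snippet expresses the five ACM permissions listed above as a single least-privilege IAM policy document and audits a policy for missing actions, extra actions, and wildcard grants. The policy document and the audit logic are this example's own; only the action names come from the page.

```python
"""Least-privilege check for the IAM policy attached to the ACM sync role.

Added example, not Hanzo KMS code. REQUIRED_ACTIONS is the permission list from the
page; SYNC_POLICY and audit_policy() are constructed here for illustration.
"""
import fnmatch
import json

REQUIRED_ACTIONS = {
    "acm:ListCertificates",
    "acm:DescribeCertificate",
    "acm:ImportCertificate",
    "acm:DeleteCertificate",
    "acm:ListTagsForCertificate",
}

# Constructed policy granting exactly the required actions. acm:ListCertificates
# cannot be scoped to a single certificate ARN, so the statement uses Resource "*".
SYNC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": sorted(REQUIRED_ACTIONS), "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> dict:
    """Compare the Allow statements of a policy against REQUIRED_ACTIONS.

    Returns the required actions not covered, explicit actions the sync does not
    need, and wildcard patterns (over-broad grants such as acm:*). Deny statements
    are not evaluated.
    """
    patterns = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            patterns.extend(_as_list(stmt.get("Action", [])))

    def covered(action: str) -> bool:
        # IAM action matching is case-insensitive and supports '*' globbing.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    return {
        "missing": sorted(a for a in REQUIRED_ACTIONS if not covered(a)),
        "extra": sorted(p for p in patterns if "*" not in p and p not in REQUIRED_ACTIONS),
        "wildcards": sorted(p for p in patterns if "*" in p),
    }


def is_least_privilege(policy: dict) -> bool:
    """True only when the policy grants exactly the required actions, with no wildcards."""
    report = audit_policy(policy)
    return not (report["missing"] or report["extra"] or report["wildcards"])


if __name__ == "__main__":
    print(json.dumps(SYNC_POLICY, indent=2))
    print(audit_policy({"Statement": {"Effect": "Allow", "Action": "acm:*", "Resource": "*"}}))
```

A policy that grants acm:* passes the "missing" check but is reported under "wildcards", which is the case to look for when reviewing the role Hanzo KMS authenticates with.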

Certificates synced to AWS Certificate Manager will be stored as imported certificates, preserving both the certificate and private key components.

  1. Navigate to Project > Integrations > Certificate Syncs and press Add Sync. (Screenshot: Certificate Syncs Tab)

  2. Select the AWS Certificate Manager option. (Screenshot: Select ACM)

  3. Configure the Destination to where certificates should be deployed, then click Next. (Screenshot: Configure Destination)

     • AWS Connection: The AWS Connection to authenticate with.
     • AWS Region: The AWS region where certificates should be stored.

  4. Configure the Sync Options to specify how certificates should be synced, then click Next. (Screenshot: Configure Options)

     • Enable Removal of Expired/Revoked Certificates: If enabled, Hanzo KMS will remove certificates from the destination if they are no longer active in Hanzo KMS.
     • Preserve ARN on Renewal: If enabled, Hanzo KMS will sync renewed certificates to the destination under the same ARN as the original synced certificate instead of creating a new certificate with a new ARN.
     • Include Root CA: If enabled, the Root CA certificate will be included in the certificate chain when syncing to AWS Certificate Manager. If disabled, only intermediate certificates will be included.
     • Certificate Name Schema (Optional): Customize how certificate tags are generated in AWS Certificate Manager. Must include {{certificateId}} as a placeholder for the certificate ID to ensure proper certificate identification and management. If not specified, defaults to Hanzo KMS-{{certificateId}}.
     • Auto-Sync Enabled: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.

  5. Configure the Details of your AWS Certificate Manager Certificate Sync, then click Next. (Screenshot: Configure Details)

     • Name: The name of your sync. Must be slug-friendly.
     • Description: An optional description for your sync.

  6. Select which certificates should be synced to AWS Certificate Manager. (Screenshot: Select Certificates)

  7. Review your AWS Certificate Manager Certificate Sync configuration, then click Create Sync. (Screenshot: Confirm Configuration)

  8. If enabled, your AWS Certificate Manager Certificate Sync will begin syncing your certificates to the destination endpoint. (Screenshot: Sync Certificates)
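To make the sync options concrete, here is an added Python model (not Hanzo KMS code) of what each option changes in a sync run: how the Certificate Name Schema is validated and rendered into the ACM tag value, how Include Root CA changes the chain handed to ACM ImportCertificate, and how Enable Removal and Preserve ARN on Renewal decide between importing, re-importing under an existing ARN, deleting, or skipping. The page does not describe the internal algorithm, so the assumptions are labelled: a renewal is detected by a changed serial number, and ACM certificates created by the sync are matched by the rendered tag value. The KmsCert and AcmCert records and the sample data are constructed for the example.

```python
"""Model of the ACM sync options. Added example, not Hanzo KMS code.

Assumptions not stated on the page: a renewed certificate is recognised by a changed
serial number, and the ACM certificate belonging to a Hanzo KMS certificate is the
one whose tag value equals the rendered certificateNameSchema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PLACEHOLDER = "{{certificateId}}"
DEFAULT_SCHEMA = "Hanzo KMS-" + PLACEHOLDER  # default named on the page


def render_tag(schema: Optional[str], cert_id: str) -> str:
    """Render the ACM tag value; the schema must contain the {{certificateId}} placeholder."""
    schema = schema or DEFAULT_SCHEMA
    if PLACEHOLDER not in schema:
        raise ValueError(f"certificateNameSchema must include {PLACEHOLDER}")
    return schema.replace(PLACEHOLDER, cert_id)


def build_chain(intermediates: List[str], root: str, include_root_ca: bool) -> str:
    """Assemble the CertificateChain for ACM ImportCertificate (leaf is passed separately).

    With Include Root CA disabled only the intermediates are sent; enabling it appends
    the root certificate. Inputs are PEM blocks; constructed placeholders are fine here.
    """
    parts = list(intermediates)
    if include_root_ca:
        parts.append(root)
    return "".join(p.strip() + "\n" for p in parts)


@dataclass
class KmsCert:
    id: str
    serial: str
    active: bool  # False once the certificate is expired or revoked in Hanzo KMS


@dataclass
class AcmCert:
    arn: str
    tag: str     # tag value written by the sync
    serial: str


@dataclass
class SyncOptions:
    can_remove_certificates: bool = False
    preserve_arn_on_renewal: bool = False
    include_root_ca: bool = False
    certificate_name_schema: Optional[str] = None


Action = Tuple[str, str, Optional[str]]  # (action, certificateId, ARN or None)


def plan_sync(kms: List[KmsCert], acm: List[AcmCert], opts: SyncOptions) -> List[Action]:
    """Return the actions one sync run would take, in the order the certificates are given."""
    by_tag = {c.tag: c for c in acm}
    actions: List[Action] = []
    for cert in kms:
        existing = by_tag.get(render_tag(opts.certificate_name_schema, cert.id))
        if not cert.active:
            # Expired/revoked: removed from ACM only when the removal option is enabled.
            if existing is not None and opts.can_remove_certificates:
                actions.append(("delete", cert.id, existing.arn))
            continue
        if existing is None:
            actions.append(("import", cert.id, None))  # ACM assigns a new ARN
        elif existing.serial != cert.serial:
            if opts.preserve_arn_on_renewal:
                actions.append(("reimport", cert.id, existing.arn))  # same ARN, new material
            else:
                actions.append(("import", cert.id, None))  # new ARN; old one stays until inactive
        else:
            actions.append(("skip", cert.id, existing.arn))
    return actions


if __name__ == "__main__":
    # Constructed sample state: one new, one renewed, one revoked, one unchanged certificate.
    opts = SyncOptions(True, True, False, "myapp-{{certificateId}}")
    kms = [KmsCert("a", "1", True), KmsCert("b", "2", True),
           KmsCert("c", "9", False), KmsCert("d", "4", True)]
    acm = [AcmCert("arn:b", "myapp-b", "1"), AcmCert("arn:c", "myapp-c", "3"),
           AcmCert("arn:d", "myapp-d", "4")]
    for action in plan_sync(kms, acm, opts):
        print(action)
    print(build_chain(["INTERMEDIATE-PEM"], "ROOT-PEM", opts.include_root_ca))
```

Running the same sample with every option at its default shows the difference: the renewed certificate is imported under a new ARN and the revoked one is left in ACM, because removal is off.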

To create an AWS Certificate Manager Certificate Sync, make an API request to the Create AWS Certificate Manager Certificate Sync API endpoint.

Sample request

You can optionally specify certificateIds during sync creation to immediately add certificates to the sync. If not provided, you can add certificates later using the certificate management endpoints.

curl --request POST \
--url https://app.kms.hanzo.ai/api/v1/cert-manager/syncs/aws-certificate-manager \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-acm-cert-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example certificate sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "destination": "aws-certificate-manager",
    "isAutoSyncEnabled": true,
    "certificateIds": [
        "550e8400-e29b-41d4-a716-446655440000",
        "660f1234-e29b-41d4-a716-446655440001"
    ],
    "syncOptions": {
        "canRemoveCertificates": true,
        "preserveArnOnRenewal": true,
        "includeRootCa": false,
        "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
        "region": "us-east-1"
    }
}'

Sample response

{
    "pkiSync": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-acm-cert-sync",
        "description": "an example certificate sync",
        "destination": "aws-certificate-manager",
        "isAutoSyncEnabled": true,
        "destinationConfig": {
            "region": "us-east-1"
        },
        "syncOptions": {
            "canRemoveCertificates": true,
            "preserveArnOnRenewal": true,
            "includeRootCa": false,
            "certificateNameSchema": "myapp-{{certificateId}}"
        },
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "createdAt": "2023-01-01T00:00:00.000Z",
        "updatedAt": "2023-01-01T00:00:00.000Z"
    }
}

Certificate Management

The AWS Certificate Manager Certificate Sync provides:

  • Automatic Deployment: Deploy certificates in Hanzo KMS to AWS Certificate Manager.
  • Certificate Updates: Update certificates in AWS Certificate Manager when renewals occur.
  • Expiration Handling: Optionally remove expired certificates from AWS Certificate Manager (if enabled).
  • Tagging: Automatically tag certificates with a Hanzo KMSCertificate tag for easy identification and management.

AWS Certificate Manager Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.

Manual Certificate Sync

You can manually trigger certificate synchronization to AWS Certificate Manager using the sync certificates functionality. This is useful for:

  • Initial setup when you have existing certificates to deploy
  • One-time sync of specific certificates
  • Testing certificate sync configurations
  • Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Hanzo KMS UI.

FAQ

AWS Certificate Manager does not support importing certificates back into Hanzo KMS due to security limitations where private keys cannot be extracted from AWS Certificate Manager. Only certificates imported into ACM (not AWS-issued certificates) can be managed by the sync.
