AWS S3 Publisher

ENTERPRISE: This is an EJBCA Enterprise feature.

The AWS S3 publisher stores certificates and CRLs generated in EJBCA in an AWS S3 bucket. The publisher uses the AWS CLI to perform the S3 bucket operations. The AWS CLI is installed by default on the AWS EJBCA Cloud instance and may be installed separately on other EJBCA installations.

For more information on the AWS S3 Publisher, refer to the EJBCA Cloud documentation.

The following provides a brief description of the available options:

  • S3 Bucket Name for CRLs: Enter the S3 bucket name for CRLs. For example, s3crlbucket. Validation is in place for the bucket naming restrictions specified in the AWS documentation Bucket Restrictions. The bucket must have been previously created.

  • S3 Key Prefix for CRLs (optional): Optionally specify a key prefix. The key prefix will be created when a CRL file is copied to the bucket. The key prefix may have multiple levels separated by "/" (for example, mykeyprefixa/mykeyprefixb). Validation is in place for the Safe Characters specified in the AWS documentation Object Key and Metadata. Characters That May Require Special Handling are not allowed.

  • CRL file format: Select the encoding method for CRLs (DER or PEM).

  • CRL file name: Select the value to use for the CRL file name: CA SHA-1 Fingerprint (the fingerprint of the CA certificate that issued the CRL) or CA CN/SN/O (the CN attribute of the issuer DN, or the DN SERIALNUMBER attribute if there is no CN, or O if neither exists).

  • S3 Bucket Name for Certificates: Enter the S3 bucket name for certificates. For example, s3crlbucket. Validation is in place for the bucket naming restrictions specified in the AWS documentation Bucket Restrictions. The bucket must have been previously created.

  • S3 Key Prefix for Certificates (optional): Optionally specify a key prefix. The key prefix will be created when a certificate file is copied to the bucket. The key prefix may have multiple levels separated by "/" (for example, mykeyprefixa/mykeyprefixb). Validation is in place for the Safe Characters specified in the AWS documentation Object Key and Metadata. Characters That May Require Special Handling are not allowed.

  • Certificate file format: Select the encoding method for certificates (DER or PEM).

  • Store active and revoked Certificates in separate paths: If enabled, active and revoked certificates will be stored in separate paths (active/ or revoked/). For example, an active certificate would be stored as s3://s3certbucket/myprefixb/ManagementCA/active/614fa28653d1ec24e97dad02c3a2d077c3a9f1d9. When an active certificate is revoked, the certificate will be stored under "revoked" and deleted from "active", and vice versa. If this option is not enabled, certificates will be stored directly under the Issuer CA DN subpath. If the same certificate is published again (active or revoked), it will overwrite the existing file (e.g. s3://s3certbucket/myprefixb/ManagementCA/614fa28653d1ec24e97dad02c3a2d077c3a9f1d9).

  • Certificate file name: Select the value to use for the certificate file name: Serial Number, SHA-1 Fingerprint, or SHA-256 Fingerprint.
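A worked illustration of the key layout and the active/revoked behaviour described in the options above, as an added example that is not EJBCA's or AWS's own code: it derives the s3:// URI the settings would produce, applies the CA CN/SN/O fallback rule, and simulates the move between active/ and revoked/ on a dict standing in for the bucket. The bucket and prefix validation patterns, the hex form of the serial number and the lowercase-hex fingerprints are assumptions of this example, and every bucket, prefix and DN value is constructed.

```python
import hashlib
import re

# Approximations of the AWS rules the publisher validates against (an assumption
# of this example, not EJBCA's validator): bucket names are 3-63 lowercase
# letters, digits, dots or hyphens, start and end alphanumeric, are not IP-shaped;
# prefixes use only S3 "safe characters" (alphanumerics, !-_.*'()) split by "/".
BUCKET_RE = re.compile(r"^(?!(?:\d{1,3}\.){3}\d{1,3}$)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
PREFIX_RE = re.compile(r"^[A-Za-z0-9!_.*'()-]+(?:/[A-Za-z0-9!_.*'()-]+)*$")

def valid_bucket(name):
    return bool(BUCKET_RE.match(name))

def valid_prefix(prefix):
    return prefix == "" or bool(PREFIX_RE.match(prefix))

def issuer_label(issuer_dn):
    """The CA CN/SN/O rule: CN, else the DN SERIALNUMBER attribute, else O."""
    for attr in ("CN", "SERIALNUMBER", "O"):
        if issuer_dn.get(attr):
            return issuer_dn[attr]
    raise ValueError("issuer DN has no CN, SERIALNUMBER or O attribute")

def cert_key(bucket, prefix, issuer_dn, cert, revoked,
             separate_paths=True, name_by="sha1"):
    """Return the s3:// URI a certificate would be stored under. `cert` holds the
    DER bytes and serial; fingerprints are assumed to be lowercase hex of the DER."""
    if not valid_bucket(bucket):
        raise ValueError("invalid bucket name: %r" % bucket)
    if not valid_prefix(prefix):
        raise ValueError("prefix contains characters that need special handling")
    parts = [prefix] if prefix else []
    parts.append(issuer_label(issuer_dn))
    if separate_paths:
        parts.append("revoked" if revoked else "active")
    if name_by == "serial":
        parts.append(format(cert["serial"], "x"))
    else:  # "sha1" or "sha256"
        parts.append(hashlib.new(name_by, cert["der"]).hexdigest())
    return "s3://%s/%s" % (bucket, "/".join(parts))

def publish(store, bucket, prefix, issuer_dn, cert, revoked, separate_paths=True):
    """Simulate a publish into `store`, a dict standing in for the bucket: write the
    object under its current state's path and delete it from the other state's."""
    new = cert_key(bucket, prefix, issuer_dn, cert, revoked, separate_paths)
    old = cert_key(bucket, prefix, issuer_dn, cert, not revoked, separate_paths)
    store[new] = cert["der"]
    if old != new:  # with separate paths disabled a republish simply overwrites
        store.pop(old, None)
    return new
```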