CRL and CA Cert Locations
In all cases, CRLs and CA certificates are published to the external S3 bucket, which is not directly accessible from the public Internet.
If you choose to publish CRLs and CA certificates:
- Domain name is that of the hosted zone in your CA AWS account
- CA certificates are made available via CloudFront
- Authority Information Access (AIA) extension added to issued certificates with CA certificate location
- CRL Distribution Point (CDP) extension added to issued certificates with CRL location
- CRLs are published to CloudFront
- For details on how to revoke a certificate, see Revocation
- File names are constructed using the
project_nameandenvironmentTerraform variables
See Revocation for details of how to enable public CRLs and CA certs.
Example locations
- locations below for an example deployment in the terraform-aws-ca repository.
- infrastructure deployed by a GitHub Actions test workflow in the terraform-aws-ca repository.
project_nameisserverlessandenvironmentis eitherdev(not deployed, for illustration only) orprod(deployed)- environment suffix automatically omitted for
prodorprdenvironment:
CRL Distribution Point (CDP) - DER format
| environment | hosted zone domain | CDP - Root CA | CDP - Issuing CA |
|---|---|---|---|
| dev * | dev.ca.celidor.io | http://dev.ca.celidor.io/serverless-root-ca-dev.crl | http://dev.ca.celidor.io/serverless-issuing-ca-dev.crl |
| prod | ca.celidor.io | http://ca.celidor.io/serverless-root-ca.crl | http://ca.celidor.io/serverless-issuing-ca.crl |
devenvironment not deployed, for illustration only
CRL - PEM format
| environment | hosted zone domain | Root CA | Issuing CA |
|---|---|---|---|
| dev * | dev.ca.celidor.io | http://dev.ca.celidor.io/serverless-root-ca-dev.crl.pem | http://dev.ca.celidor.io/serverless-issuing-ca-dev.crl.pem |
| prod | ca.celidor.io | http://ca.celidor.io/serverless-root-ca.crl.pem | http://ca.celidor.io/serverless-issuing-ca.crl.pem |
devenvironment not deployed, for illustration only
Authority Information Access (AIA)
| environment | hosted zone domain | AIA - Root CA | AIA - Issuing CA |
|---|---|---|---|
| dev * | dev.ca.celidor.io | http://dev.ca.celidor.io/serverless-root-ca-dev.crt | http://dev.ca.celidor.io/serverless-issuing-ca-dev.crt |
| prod | ca.celidor.io | http://ca.celidor.io/serverless-root-ca.crt | http://ca.celidor.io/serverless-issuing-ca.crt |
devenvironment not deployed, for illustration only
CA Bundle (for TrustStore)
| environment | hosted zone domain | CA Bundle |
|---|---|---|
| dev * | dev.ca.celidor.io | http://dev.ca.celidor.io/serverless-ca-bundle-dev.pem |
| prod | ca.celidor.io | http://ca.celidor.io/serverless-ca-bundle.pem |
devenvironment not deployed, for illustration only