I am trying to implement the "Allow only trusted devices" feature on AWS WorkSpaces with Simple AD.
Can someone please guide me on how to generate a self-signed root & client certificate with the following features?
Certificates must be Base64-encoded certificate files in CRT, CERT, or PEM format. Certificates must include a Common Name. The maximum length of certificate chain supported is 4. Amazon WorkSpaces does not currently support device revocation mechanisms, such as certificate revocation lists (CRL) or Online Certificate Status Protocol (OCSP), for client certificates. Use a strong encryption algorithm. We recommend SHA256 with RSA, SHA256 with ECDSA, SHA381 with ECDSA, or SHA512 with ECDSA.
You need to create a CA first:
SERVER_NAME=fred
DOMAIN_NAME=domain.local
export SERVER_NAME DOMAIN_NAME
openssl genrsa -out CA_$SERVER_NAME.$DOMAIN_NAME.key 2048
openssl req -x509 -new -nodes -key CA_$SERVER_NAME.$DOMAIN_NAME.key -sha256 -days 1024 -out CA_$SERVER_NAME.$DOMAIN_NAME.pem -subj "/C=GB/ST=MyCounty/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=$SERVER_NAME.$DOMAIN_NAME"
Then you can create certificates signed from the CA you just created.
openssl genrsa -out $SERVER_NAME.$DOMAIN_NAME.key 2048
openssl req -new -key $SERVER_NAME.$DOMAIN_NAME.key -out $SERVER_NAME.$DOMAIN_NAME.csr -subj "/C=GB/ST=MyCounty/L=MyTown/O=MyOrganisation/OU=MyOrganisationUnit/CN=$SERVER_NAME.$DOMAIN_NAME.client"
openssl x509 -req -in $SERVER_NAME.$DOMAIN_NAME.csr -CA CA_$SERVER_NAME.$DOMAIN_NAME.pem -CAkey CA_$SERVER_NAME.$DOMAIN_NAME.key -CAcreateserial -out $SERVER_NAME.$DOMAIN_NAME.crt -days 365 -sha256
Now that you have a CA and a certificate, you can check that the certificate was issued by the CA by running:
openssl verify -CAfile CA_fred.domain.local.pem fred.domain.local.crt
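The same procedure as a single script, added here as an example rather than code from the answer above: it builds a two-level chain (root CA, then a device certificate) that satisfies the constraints quoted in the question (PEM encoding, a Common Name, SHA256 signatures, chain depth under 4), uses ECDSA P-256 instead of RSA, and ends with the same openssl verify check plus checks for the other constraints. All names, subject values and paths are constructed for this example; it assumes OpenSSL 1.1.1 or newer.

```shell
# Added example, not the answer's own commands: root CA -> device certificate
# chain meeting the WorkSpaces requirements quoted in the question. All names,
# subject values and paths below are constructed; needs OpenSSL 1.1.1+.
set -eu
WORK=${WORK:-$(mktemp -d)}
CA_KEY="$WORK/root-ca.key";   CA_PEM="$WORK/root-ca.pem"
DEV_KEY="$WORK/device.key";   DEV_CSR="$WORK/device.csr";   DEV_PEM="$WORK/device.pem"

# Root CA. basicConstraints/keyUsage restrict it to signing certificates,
# and pathlen:0 stops anyone issuing intermediate CAs under it (chain depth 2).
make_root_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Org
CN = Example Trusted Device Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$CA_KEY"
    openssl req -x509 -new -key "$CA_KEY" -sha256 -days 1825 -config "$WORK/ca.cnf" -out "$CA_PEM"
}

# Device (client) certificate: end-entity, clientAuth only, short validity.
# WorkSpaces checks no CRL/OCSP, so expiry is the only automatic cut-off.
make_device_cert() {
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$WORK/device.ext"
    openssl ecparam -name prime256v1 -genkey -noout -out "$DEV_KEY"
    openssl req -new -key "$DEV_KEY" -sha256 -out "$DEV_CSR" \
        -subj "/O=Example Org/CN=laptop-0001.example.local"
    openssl x509 -req -in "$DEV_CSR" -CA "$CA_PEM" -CAkey "$CA_KEY" -CAcreateserial \
        -days 90 -sha256 -extfile "$WORK/device.ext" -out "$DEV_PEM"
}

# The answer's verify step plus the question's constraints: chain validates
# to the root, file is PEM, subject carries a CN, signature is SHA256.
check_device_cert() {
    openssl verify -CAfile "$CA_PEM" "$DEV_PEM" >/dev/null || return 1
    grep -q 'BEGIN CERTIFICATE' "$DEV_PEM" || return 1
    openssl x509 -in "$DEV_PEM" -noout -subject | grep -q 'CN *=' || return 1
    openssl x509 -in "$DEV_PEM" -noout -text | grep -q 'ecdsa-with-SHA256'
}

make_root_ca && make_device_cert && check_device_cert && echo "device chain OK: $WORK"
```

The root-ca.pem file is what you upload to WorkSpaces as the trusted root; device.pem and device.key go on the client device.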