ACM: Add ability when requesting a PrivateCertificate to choose Key Algorithm

[hscheib]

Describe the feature

In the AWS ACM console, when requesting a new private certificate, I can select between the key algorithms: RSA 2048, ECDSA P 384, and ECDSA P 258.

In CDK, there is not a way to set the key algorithm and when requesting a cert, and it defaults to RSA 2048(which causes the cert to become a failed state because of the private CA being Elliptic Curve based).

Use Case

We use AWS private certificate authority service and have a CA set as ECDSA P384. To use this private CA we need to be able to generate certs via CDK. Currently, when creating a private cert with CDK, it defaults to RSA 2048 which lands the certificate in a FAILED state since it doesn't match the private certificate authority config.

Proposed Solution

Add a keyAlgorithm property to the PrivateCertificate contruct.

    const cert = new acm.PrivateCertificate(this, 'certificate', {
      domainName: props.certDomain,
      keyAlgorithm: "ECDSAP384"
      certificateAuthority: acmpca.CertificateAuthority.fromCertificateAuthorityArn(this, 'CA',
        props.certificateAuthorityArn),
    });

Other Information

The only solution that works is to use an RSA based private CA and then cdk cert generation will work since the key algorithm is defaulted to RSA. Otherwise we manually create a certificate in the ACM console and select the key algorithm we expect and reference that certificate ARN in our cdk code.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.48.0

Environment details (OS name and version, etc.)

macOS version 12.5.1

[peterwoodworth]

It doesn't look like there's an option on the CloudFormation resource itself, so unfortunately there's not much we can do here.

I recommend opening an issue in the CloudFormation Coverage Roadmap to request this functionality, it doesn't look like there's one open yet 🙂

Until we support this, you may want to use an AwsCustomResource to make the RequestCertificate API call where you can specify the KeyAlgorithm

[hscheib]

Thank you. You are correct, I didn't do my due diligence checking CloudFormation(I incorrectly assumed CloudFormation is up to date with AWS API). I went ahead and requested the feature in the CloudFormation Roadmap aws-cloudformation/cloudformation-coverage-roadmap#1401

I tried out the AwsCustomResource and it semi worked but ultimately will not be using it. It worked in the sense that the RequestCertificate API call did happen and the certificate did create. BUT there is a small amount of time where the certificate is in "status: ISSUING" and cannot be attached/used. I don't think the AwsCustomResource knows about that time delay so the CDK stack tries to immediately move on and assign the certificate ARN to a resource and ends up failing. When I go back to acm.PrivateCertificate with defaulted key algorithm RSA2048, the stack succeeds every time.

Should I leave this open (pending CloudFormation support issue I linked)? Otherwise we can close this request.

[peterwoodworth]

We can leave this open so that if anyone in the future runs into this they'll know to look to the CloudFormation issue in the roadmap 🙂

For the custom resource, it makes sense you ran into that issue, should've checked to verify that workaround would fully work 😅. I think you can implement your own custom resource by creating your own provider, that way you can make use of the isCompleteHandler functionality. I'm not sure exactly how you would accomplish this in this use case, but if you're still interested in finding a workaround this could be a fruitful path