Export Client Certificate (ACM)
Export an AWS Certificate Manager client certificate to store in an AWS Secrets Manager secret.

Export the client certificate

Navigate to the AWS Certificate Manager (ACM) console and select the previously issued client certificate to show the details.
We use the client certificate with common name client-1 to illustrate the steps.
Note the certificate ARN from the Certificate status section, and the certificate authority ARN from the Details section.
Click Export to show the Export certificate form and fill in a passphrase to encrypt the exported private key. Click Generate PEM Encoding to show the Exported certificate details.
Click Download next to the Certificate private key to download the encrypted private_key.txt.
Convert the client-1 private key to pkcs8 format. When prompted, enter the pass phrase you supplied when exporting the client certificate.
openssl pkcs8 -topk8 -nocrypt -in private_key.txt -out client-1.pkcs8.pem
This saves the private key to client-1.pkcs8.pem in pkcs8 format. Because of the -nocrypt option, the key in this file is no longer protected by the pass phrase.

Store the encrypted secret

Now create the secret using the pkcs8 encoded private key as the secret value, with the secret tag certificate-authority-arn referencing the private certificate authority and the secret tag certificate-arn referencing the newly signed certificate.
aws secretsmanager create-secret \
--region us-east-1 \
--name "client-1" \
--secret-string file://client-1.pkcs8.pem \
--tags '[{"Key":"certificate-authority-arn", "Value":"arn:aws:acm-pca:us-east-1:...:certificate-authority/..."}, {"Key":"certificate-arn", "Value":"arn:aws:acm-pca:us-east-1:...:certificate-authority/.../certificate/..."}]'
This secret can now be used by the Aklivity Public MSK Proxy to resolve private keys and their corresponding signed certificates to support TLS client authentication.
Note the ARN of the newly created secret for the client certificate's private key.
In the example above, private certificates are valid for 365 days, so you will need to renew the certificate and update the secret value accordingly before expiration. The latest secret value and corresponding private certificate are obtained automatically upon restarting the MSK Proxy instance.
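The following guard is an added example, not part of the original page or of the Aklivity project. It checks before upload that the file is the unencrypted pkcs8 output of the openssl step rather than the still-encrypted private_key.txt, and that the plaintext key is not readable by group or others. The function names and the `<name>.pkcs8.pem` file naming are assumptions; the `aws` call is the one shown above.

```sh
#!/bin/sh
# Added example: pre-upload checks for the key file produced by the openssl step.

# Print the key encoding, judged from the first PEM header line (CRLF tolerated).
pem_key_kind() {
  case "$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')" in
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8-plain ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
                                             echo traditional ;;
    *)                                       echo unknown ;;
  esac
}

# Succeed only if the file is unencrypted pkcs8 and only its owner can access it.
key_ready_for_secret() {
  krs_kind=$(pem_key_kind "$1")
  if [ "$krs_kind" != pkcs8-plain ]; then
    echo "$1: expected unencrypted pkcs8, found $krs_kind" >&2
    return 1
  fi
  # Characters 5-10 of the ls mode string are the group and other permission bits.
  krs_mode=$(ls -ld "$1" | cut -c5-10)
  if [ "$krs_mode" != '------' ]; then
    echo "$1: group/other permissions set ($krs_mode); run chmod 600" >&2
    return 1
  fi
}

# Hypothetical wrapper: $1 = secret name, $2 = certificate authority ARN,
# $3 = certificate ARN. Expects the key in ./<name>.pkcs8.pem (assumption).
store_client_key() {
  key_ready_for_secret "$1.pkcs8.pem" || return 1
  aws secretsmanager create-secret \
    --region us-east-1 \
    --name "$1" \
    --secret-string "file://$1.pkcs8.pem" \
    --tags "[{\"Key\":\"certificate-authority-arn\",\"Value\":\"$2\"},{\"Key\":\"certificate-arn\",\"Value\":\"$3\"}]"
}

# Runs only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
  store_client_key "$@"
fi
```

Once the secret has been created, the local client-1.pkcs8.pem copy is no longer needed and can be deleted so the plaintext key does not remain on disk.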