feat(pki): add AWS ACM Public CA support#6069

Open
saifsmailbox98 wants to merge 19 commits into main from
saif/pki-75-infisical-pki-add-support-for-aws-trust-services-public-ca

Conversation

@saifsmailbox98
Contributor

Context

Adds AWS ACM Public CA as a new external CA type. Issues publicly-trusted certs from Amazon Trust Services with DNS validation through Route 53. Supports issuance, auto-renewal, and revocation.

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

Adds a new external CA type that issues, renews, and revokes public
certificates via AWS Certificate Manager with Route 53 DNS validation.

- New aws-acm-public-ca service module (client, fns, schemas, validators)
- Route 53 DNS provider for ACM CNAME validation records
- externalMetadata jsonb column on certificates (stores ARN/region)
- Issuance queue tuned for ACM: 30 attempts with fixed backoff,
  retryable validation-pending errors, final-attempt request FAIL hook
- Pre-flight validation rejects CSR, non-DNS SANs, subject fields,
  custom validity, and CA certs (ACM constraints)
- Profile service restricts ACM CAs to API enrollment
- v1/v2 list endpoints, ExternalCaModal UI, frontend types/hooks
- Wrap ACM/Route 53 preflight calls in createCertificateAuthority and
  updateCertificateAuthority so IAM errors surface as BadRequestError
  with the AWS message, instead of a generic 500.
- Skip the fixed-validity TTL check on renewal — ACM sets validity itself
  and the TTL derived from the original cert can floor below 198 days.
- Require notAfter to advance before exporting a renewed cert. ACM returns
  the original cert from ExportCertificate until the renewal is fully
  re-issued, which was causing duplicate-serial insert failures.
- Drop dead `calculateAcmRenewBeforeDays` clamp; profile schema already
  caps `renewBeforeDays` at 30, so the 198-day clamp never triggered.
- Drop the redundant `basicConstraints` plumbing for the ACM validator;
  `certificate-v3-service.ts` already blocks CA issuance for all external
  CAs upstream.
- Run pre-flight ACM input validation before the approval branch so bad
  inputs (TTL, SANs, subject fields) are rejected at submit time instead
  of after an approver has already approved.
- Use serial-number comparison to detect a renewed cert body in ACM,
  instead of relying on `NotAfter` advancement (which can lag).
- Persist `keyUsages` / `extendedKeyUsages` parsed from the issued cert
  rather than echoing the request, so DB matches what AWS actually issued.
- Add docs page covering setup, IAM, auto-renewal, troubleshooting, and
  an FAQ; wire it into docs.json under the External CAs section.
- Call the upstream CA revoke before updating the local cert row, so a
  failed AWS call (e.g., a reason ACM rejects) doesn't leave the cert
  marked revoked locally while still active at the issuer.
- Wrap the ACM RevokeCertificate call so AWS errors come back as a
  BadRequestError with the underlying message, instead of falling
  through to the generic "Something went wrong" 500.
@linear

linear Bot commented Apr 17, 2026

@mintlify

mintlify Bot commented Apr 17, 2026

Preview deployment for your docs.

Project: infisical | Status: 🟢 Ready | Preview: View Preview | Updated (UTC): Apr 17, 2026, 1:00 PM

@maidul98
Collaborator

maidul98 commented Apr 17, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine: Open Source Security | Critical: 0 | High: 0 | Medium: 0 | Low: 0 | Total: 0 issues



@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 090f310ec5


… out of CA update transaction

- On renewal, store the original certificate's region in externalMetadata
  instead of the CA's current region, so subsequent revoke/renew keep
  targeting the correct region-locked ARN even if the CA was edited.
- In updateCertificateAuthority, run ACM ListCertificates and Route 53
  GetHostedZone before opening the DB transaction, mirroring
  createCertificateAuthority so slow AWS calls don't pin a pool connection.
@saifsmailbox98
Contributor Author

@claude review once

ACM picks the signature algorithm server-side and has no SigningAlgorithm
parameter on RequestCertificate, so the caller-supplied signatureAlgorithm
was being persisted without ever matching what AWS actually signed with.
Parse it from the issued cert and normalize to CertSignatureAlgorithm
before writing to the DB. Drop the now-dead parameter from the ACM
orderCertificateFromProfile signature.
…-pki-add-support-for-aws-trust-services-public-ca

# Conflicts:
#	backend/package-lock.json
#	backend/package.json
@saifsmailbox98
Contributor Author

@claude review once

Uses nanoid's customAlphabet instead of manual modular sampling, matching
the pattern used elsewhere in the codebase (e.g. dynamic-secret providers).
Eliminates the modular bias where the first 8 alphabet characters appeared
slightly more frequently than the others.
Matches the sibling fields (Route 53 Connection, Hosted Zone ID, Region)
which already had the required indicator.
Explain that AWS itself attempts managed renewal 45 days before expiry, and what Infisical's own auto-renewal does in that case (skip RenewCertificate if AWS already renewed, otherwise trigger it). Swap "export" wording for plainer "save"/"pull in". Add new setup screenshots.
- Extract Route 53 into a shared dns-providers/route53.ts reused by both
  ACME and ACM Public CA. Adds an optional comment field so ACME keeps
  its original change-history strings. The ACME delete path also now
  applies sha256=CustomAWSHasher and useFipsEndpoint consistently with
  upsert.
- Move the two ACM validation error classes into a dedicated -errors.ts
  and rename to AcmPendingError / AcmTerminalError, since they also
  cover renewal and export paths beyond the original DNS-validation
  signal.
- Replace single-character regex strips (: and -) with split/join, and
  wrap the AWS error-message match in RE2 to match the rest of the repo.
AWS ACM Public CA issues certificates with a fixed 198-day validity and
the backend rejects any other value. When the selected CA on a certificate
profile is AWS ACM Public CA, the TTL field now pre-fills to 198 and is
disabled, with a tooltip explaining the fixed validity.
… connection

- Rewrite the ACM Public CA overview to scope explicitly to public
  certificates and drop the comparison with AWS Private CA.
- Expand the enrollment-method FAQ entry to explain that only API
  enrollment applies, because EST, SCEP, and ACME all submit a CSR and
  ACM generates the private key itself.
- Add an AWS ACM Public CA accordion (ACM + Route 53 permissions) to
  both the IAM Role and IAM User sections of the AWS app connection
  docs so users can set up permissions alongside existing services.
@carlosmonastyrski
Contributor

@claude review once, focus on the backend

When an ACM certificate is renewed, the ARN is reused for the new
certificate body and the superseded cert is no longer present at AWS.
Calling RevokeCertificate on that ARN would revoke the currently-active
renewed cert. When revoking a cert that has renewedByCertificateId set,
skip the AWS call and let the service layer mark the DB row as REVOKED
on its own — matching the pattern already used in PKI syncs for
superseded certificates.
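The revoke ordering described in the commit message above (and the issuer-first ordering from the earlier commit list), as an added example that is not Infisical's code: a constructed in-memory ACM stand-in and certificate store show that a superseded cert is marked locally without touching the shared ARN, and that a rejected upstream call leaves the local row active. `BadRequestError`, `makeFakeAcm`, `makeStore` and `revokeCertificate` are names chosen here; the rejected reason string is made up, not ACM's real error text.

```javascript
// Added example, not Infisical's code. Names and error strings are constructed.
class BadRequestError extends Error {}

// Constructed ACM stand-in: records successful revocations, rejects one reason.
function makeFakeAcm() {
  const revokedArns = [];
  return {
    revokedArns,
    revokeCertificate({ arn, reason }) {
      if (reason === "REJECTED_BY_FAKE_ACM") {
        throw new Error("ValidationException (constructed): reason not allowed");
      }
      revokedArns.push(arn);
    },
  };
}

// Constructed local store: "old" was renewed into "new"; both share the ARN
// because ACM reuses it for the renewed certificate body.
function makeStore() {
  const arn = "arn:aws:acm:us-east-1:000000000000:certificate/constructed";
  return new Map([
    ["old", { status: "ACTIVE", renewedByCertificateId: "new", externalMetadata: { arn } }],
    ["new", { status: "ACTIVE", renewedByCertificateId: null, externalMetadata: { arn } }],
  ]);
}

function revokeCertificate(store, certId, acm, reason) {
  const cert = store.get(certId);
  // Superseded cert: the ARN now points at the live renewed cert, so an
  // upstream RevokeCertificate would revoke the wrong thing. Mark locally only.
  if (cert.renewedByCertificateId) {
    cert.status = "REVOKED";
    return { upstreamCalled: false };
  }
  // Issuer first. If AWS rejects the call, surface its message and leave the
  // local row untouched so the DB never says "revoked" while ACM still serves it.
  try {
    acm.revokeCertificate({ arn: cert.externalMetadata.arn, reason });
  } catch (err) {
    throw new BadRequestError(`ACM RevokeCertificate failed: ${err.message}`);
  }
  cert.status = "REVOKED";
  return { upstreamCalled: true };
}
```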