Cloud-Native Private PKI on AWS with ACM and AWS Private CA

Overview
In this project, I designed and implemented a cloud-native Private Public Key Infrastructure (PKI) using AWS Certificate Manager (ACM) and AWS Private Certificate Authority (Private CA) to securely manage TLS certificates for internal AWS workloads.
Traditional PKI solutions often require complex manual configuration, offline root key management, and operational overhead for certificate issuance, renewal, and revocation. The goal of this project was to explore how AWS’s managed services can simplify PKI operations while maintaining strong security controls and best-practice trust hierarchies.
The architecture followed a standard enterprise PKI model:
- A Root Certificate Authority (CA) acting as the ultimate trust anchor.
- An Intermediate (Subordinate) CA used to issue end-entity certificates.
- End-entity certificates deployed to AWS services such as Application Load Balancers and EC2 instances.
This separation ensured that the Root CA remained isolated, minimizing exposure while allowing operational flexibility through the Intermediate CA.
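The two-tier hierarchy described above, expressed as Terraform for AWS Private CA. This is an added example, not the project's own code: the CA names, subjects, key sizes and validity periods are assumptions chosen for illustration, and the Terraform resource names (root, issuing) are placeholders. The Root CA signs exactly one thing, the subordinate CA certificate; the PathLen0 template keeps the subordinate from minting further CAs.

```hcl
# Added example (not the project's code): Root -> Subordinate CA hierarchy
# in AWS Private CA. Subjects, key sizes and validity values are assumptions.

data "aws_partition" "current" {}

# Root CA: the trust anchor. It never issues end-entity certificates.
resource "aws_acmpca_certificate_authority" "root" {
  type = "ROOT"

  certificate_authority_configuration {
    key_algorithm     = "RSA_4096"
    signing_algorithm = "SHA512WITHRSA"

    subject {
      common_name  = "Example Internal Root CA" # assumed name
      organization = "Example Corp"             # assumed name
    }
  }
}

# Self-signed root certificate, issued by the root CA to itself.
resource "aws_acmpca_certificate" "root" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.root.arn
  certificate_signing_request = aws_acmpca_certificate_authority.root.certificate_signing_request
  signing_algorithm           = "SHA512WITHRSA"
  template_arn                = "arn:${data.aws_partition.current.partition}:acm-pca:::template/RootCACertificate/V1"

  validity {
    type  = "YEARS"
    value = 10
  }
}

# Installing the certificate moves the root CA from PENDING_CERTIFICATE to ACTIVE.
resource "aws_acmpca_certificate_authority_certificate" "root" {
  certificate_authority_arn = aws_acmpca_certificate_authority.root.arn
  certificate               = aws_acmpca_certificate.root.certificate
}

# Subordinate (issuing) CA: the only CA that end-entity requests ever touch.
resource "aws_acmpca_certificate_authority" "issuing" {
  type = "SUBORDINATE"

  certificate_authority_configuration {
    key_algorithm     = "RSA_2048"
    signing_algorithm = "SHA256WITHRSA"

    subject {
      common_name  = "Example Internal Issuing CA" # assumed name
      organization = "Example Corp"                # assumed name
    }
  }
}

# Subordinate CA certificate signed by the root. PathLen0 forbids this CA
# from creating further sub-CAs, so the hierarchy stays at two tiers.
resource "aws_acmpca_certificate" "issuing" {
  certificate_authority_arn   = aws_acmpca_certificate_authority.root.arn
  certificate_signing_request = aws_acmpca_certificate_authority.issuing.certificate_signing_request
  signing_algorithm           = "SHA512WITHRSA"
  template_arn                = "arn:${data.aws_partition.current.partition}:acm-pca:::template/SubordinateCACertificate_PathLen0/V1"

  validity {
    type  = "YEARS"
    value = 5
  }
}

# Install the signed certificate plus the chain back to the root.
resource "aws_acmpca_certificate_authority_certificate" "issuing" {
  certificate_authority_arn = aws_acmpca_certificate_authority.issuing.arn
  certificate               = aws_acmpca_certificate.issuing.certificate
  certificate_chain         = aws_acmpca_certificate.issuing.certificate_chain
}
```

Two checks worth doing after `terraform apply`: confirm both CAs report status ACTIVE (`aws acm-pca describe-certificate-authority`), and verify that the subordinate's certificate carries a basic constraint of pathlen 0, since that constraint is what stops a compromised issuing CA from spawning a deeper, harder-to-audit chain.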
Using ACM, I automated certificate provisioning and lifecycle management, eliminating the need for manual OpenSSL workflows. Certificates were issued directly from the Intermediate CA and deployed to AWS resources with minimal configuration effort.
The certificates were then used to:
- Terminate TLS on an Application Load Balancer
- Enforce HTTPS-only access
- Secure internal DNS resolution through Route 53
The project emphasized encryption in transit, trust hierarchy design, and certificate governance, all critical components of modern cloud security engineering.
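The deployment side of the procedure above (ACM issuance from the subordinate CA, TLS termination on the ALB, HTTPS-only enforcement, and a Route 53 name for the endpoint) as an added Terraform example, not the project's own code. It assumes the issuing CA is declared as `aws_acmpca_certificate_authority.issuing`, and that `var.private_subnet_ids`, `aws_security_group.alb`, `aws_lb_target_group.app` and the private hosted zone `aws_route53_zone.internal` exist elsewhere; the hostname `app.corp.example` is a placeholder.

```hcl
# Added example (not the project's code). Assumes an issuing CA named
# aws_acmpca_certificate_authority.issuing; the subnets, security group,
# target group, hosted zone and hostname below are assumptions.

# ACM must be allowed to call the private CA, otherwise the initial issue
# works but automatic renewal silently fails later.
resource "aws_acmpca_permission" "acm_renewal" {
  certificate_authority_arn = aws_acmpca_certificate_authority.issuing.arn
  actions                   = ["IssueCertificate", "GetCertificate", "ListPermissions"]
  principal                 = "acm.amazonaws.com"
}

# ACM requests the end-entity certificate from the issuing CA and then owns
# its renewal; no OpenSSL CSR handling or manual rotation is involved.
resource "aws_acm_certificate" "app" {
  domain_name               = "app.corp.example" # assumed internal name
  certificate_authority_arn = aws_acmpca_certificate_authority.issuing.arn

  depends_on = [aws_acmpca_permission.acm_renewal]
}

resource "aws_lb" "app" {
  name               = "internal-app"
  internal           = true
  load_balancer_type = "application"
  subnets            = var.private_subnet_ids       # assumed variable
  security_groups    = [aws_security_group.alb.id]  # assumed resource
}

# HTTPS listener: TLS terminates here with the private certificate.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.app.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed resource
  }
}

# HTTP listener that never serves content: every request is redirected to
# HTTPS. Without this listener, port 80 is simply closed; with it, clients
# that try plain HTTP are steered to TLS instead of failing.
resource "aws_lb_listener" "http_redirect" {
  load_balancer_arn = aws_lb.app.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

# Private hosted zone alias so clients inside the VPC resolve the name to
# the ALB. The record name must match the certificate's domain_name, or
# clients will reject the certificate on hostname mismatch.
resource "aws_route53_record" "app" {
  zone_id = aws_route53_zone.internal.zone_id # assumed private zone
  name    = "app.corp.example"
  type    = "A"

  alias {
    name                   = aws_lb.app.dns_name
    zone_id                = aws_lb.app.zone_id
    evaluate_target_health = true
  }
}
```

Clients only trust this chain if the Root CA certificate is in their trust store; the private root is not in any public bundle, so distributing it to the EC2 instances and other internal callers is part of the deployment, not an afterthought. The issuing CA certificate should not be distributed as a trust anchor, since that would bypass the isolation the root provides.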
Key Technical Objectives
- Implement a secure PKI trust hierarchy using AWS-managed services
- Automate certificate issuance and renewal
- Enforce TLS encryption for internal AWS services
- Reduce operational risk associated with manual PKI handling
- Apply PKI best practices in a cloud-native environment
Outcomes and Impact
- Improved Security Posture
By implementing a proper Root → Intermediate → End-Entity trust chain, the PKI design reduced the blast radius of any potential key compromise and aligned with enterprise PKI security standards.
- Automated Certificate Lifecycle Management
AWS Certificate Manager handled certificate provisioning and renewal automatically, eliminating common risks such as expired certificates and manual configuration errors.
- Enforced Encryption in Transit
All application traffic was secured using HTTPS with TLS termination at the Application Load Balancer, ensuring confidentiality and integrity of internal communications.
- Reduced Operational Complexity
The project demonstrated how AWS-managed PKI significantly simplifies certificate operations compared to traditional on-prem or self-hosted PKI solutions.
- Practical Cloud Security Experience
This project provided hands-on experience in:
  - PKI architecture and trust modeling
  - Certificate Authority management
  - TLS deployment in cloud environments
  - Secure application traffic routing
  - Cloud-native cryptographic governance
Business and Engineering Value
From a security engineering perspective, this approach:
- Standardizes certificate management
- Prevents certificate expiration outages
- Improves auditability and compliance readiness
- Enables scalable certificate deployment across multi-service environments
Conclusion
This project demonstrates how AWS Certificate Manager and AWS Private CA can be effectively used to build a secure, scalable, and operationally efficient PKI solution in the cloud. It highlights the importance of proper trust hierarchy design, automation, and encryption enforcement in modern cloud security architectures.
The implementation serves as a strong foundation for future enhancements such as:
- Cross-account CA sharing
- IAM-based CA access controls
- Certificate revocation strategies
- Integration with containerized workloads and service meshes