To create the AWS ACM Certificate Authority CSR, do the following:

  1. Navigate to console.aws.amazon.com and log in with your credentials.
  2. From within the AWS Console, select Services and then under Security, Identity, & Compliance, select Certificate Manager.

  3. Click Get started. 
  4. Ensure that Subordinate CA is selected and then click Next. 
  5. Enter values for Organization (O), Organization Unit (OU), Country Name (C), State or province name, Locality name and Common Name (CN), and then click Next. 
  6. Ensure RSA 2048 is selected. If any other algorithm is selected (such as ECC), ensure that it matches the keys and certificate authority created earlier.
  7. If the CRL should be published to an S3 bucket, select Enable CRL distribution and configure the S3 bucket name.
  8. Confirm the license agreement for the CA charges and then click Confirm and create.
  9. Click Get Started on the success confirmation screen.
  10. Export the CSR to a file using the blue link at the bottom of the page. This is the file that we bring over to EJBCA to be signed. Click Next.
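
Before the exported file is brought to EJBCA, it can be checked against the key choice from step 6 and the subject values from step 5. The script below is an added example, not part of the original procedure; it assumes the OpenSSL command-line tool is installed, and the function name check_csr and the file name passed to it are hypothetical.

```shell
#!/bin/sh
# Added example: pre-signing check of a CSR exported from the ACM console.
# Usage: check_csr <csr.pem> [expected_rsa_bits]   (bits default to 2048)

check_csr() {
    csr=$1
    want_bits=${2:-2048}

    # Parse the request once; anything that is not a PEM PKCS#10 CSR fails here.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "FAIL: not a readable PEM CSR: $csr" >&2
        return 1
    }

    # Step 6: the key algorithm must be RSA.
    case $text in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo "FAIL: key algorithm is not RSA" >&2; return 1 ;;
    esac

    # Step 6: the key size must be the expected one.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" = "$want_bits" ] || {
        echo "FAIL: key is ${bits:-unknown} bit, expected $want_bits" >&2
        return 1
    }

    # The self-signature shows the request was not altered after export.
    # Match on the message: some OpenSSL versions exit 0 on a bad signature.
    verify=$(openssl req -in "$csr" -noout -verify 2>&1) || true
    case $verify in
        *"verify OK"*) ;;
        *) echo "FAIL: CSR self-signature does not verify" >&2; return 1 ;;
    esac

    # Print the subject so it can be compared by eye with the step 5 values.
    openssl req -in "$csr" -noout -subject
    echo "OK: RSA $bits bit, self-signature valid"
}

# Run the check when a file name is given on the command line.
if [ $# -gt 0 ]; then
    check_csr "$@"
fi
```

A non-zero return means the file should not be submitted for signing until the mismatch is explained.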