Study Guide: Generating Certificates and SSH Keys for Development

Generate certificates and SSH keys for development purposes

This guide covers the essential skills for generating and managing cryptographic keys and certificates required for secure development workflows on AWS, specifically aligned with the DVA-C02 Exam Objectives (Skill 2.2.5).


Learning Objectives

After studying this guide, you should be able to:

  • Generate SSH public-private key pairs using ssh-keygen on Windows and macOS.
  • Secure key pairs using passphrases and proper directory management.
  • Upload SSH public keys to AWS IAM for services like AWS CodeCommit.
  • Understand the role of X.509 certificates in development environments.
  • Differentiate between encryption at rest and in transit in the context of development tools.

Key Terms & Glossary

Each term is followed by its definition and a real-world example.

  • SSH Key Pair: A set of two cryptographic keys: a public key for encryption/identification and a private key for decryption/authentication.
    • Example: Using a key to push code to a Git repository without typing a password every time.
  • Public Key (.pub): The key shared with external services (like AWS or GitHub) to identify the user.
    • Example: The "lock" that you place on the AWS server; only your private key can open it.
  • Private Key: The secret key kept on the developer's local machine; it must never be shared.
    • Example: The physical "house key" you keep in your pocket to enter your home.
  • Passphrase: An optional password used to encrypt the private key file on disk.
    • Example: Even if someone steals your laptop, they cannot use your SSH key without the passphrase.
  • X.509 Certificate: A digital document used to prove the ownership of a public key, often used for TLS.
    • Example: A development SSL certificate used to test HTTPS locally on an Express.js server.

The "Big Idea"

In modern cloud development, identity is not just about usernames and passwords. Cryptographic identity (via SSH keys and Certificates) provides a more secure, automated way for developers to interact with cloud resources. Whether you are pushing code to CodeCommit or setting up a secure tunnel to an EC2 instance, mastering the generation and lifecycle of these secrets is a foundational security requirement for any AWS Developer.


Formula / Concept Box

Essential Commands

Each command is followed by its purpose and its default output.

  • ssh-keygen: Generates a new SSH key pair. Default output: id_rsa and id_rsa.pub.
  • cat ~/.ssh/id_rsa.pub: Displays the public key content. Default output: a string starting with ssh-rsa...
  • cd ~/.ssh: Navigates to the default key directory. Default output: N/A.

IMPORTANT: Always store keys in the default directory (~/.ssh or C:\Users\<user>\.ssh) to ensure development tools can find them automatically.


Hierarchical Outline

  • I. SSH Key Generation
    • A. Windows Environment
      • Ensure OpenSSH Client is installed (Settings > Optional Features).
      • Use cmd or PowerShell to run ssh-keygen.
    • B. macOS/Linux Environment
      • Open Terminal.
      • Navigate to ~/.ssh and run ssh-keygen.
  • II. Securing the Keys
    • A. Passphrases: Adding a layer of security to the private key file.
    • B. File Permissions: Ensuring only the owner can read the private key.
  • III. AWS Integration
    • A. IAM Console: Navigating to "Security Credentials."
    • B. CodeCommit: Uploading the .pub content to enable SSH-based Git operations.
  • IV. Certificates for Dev
    • A. Self-Signed: Quick generation for local testing.
    • B. AWS Private CA: Managed service for internal organizational certificates.

Visual Anchors

[Diagram: SSH Key Exchange Flow]

The Mathematical Relationship (Simplified)

[Diagram: the Public Key (the lock) and the Private Key are mathematically linked; data encrypted by the public key can ONLY be decrypted by the private key.]


Definition-Example Pairs

  • SSH-Keygen: The standard command-line utility used to create key pairs.
    • Example: Running ssh-keygen -t ed25519 -C "work-email" to create a high-security modern key.
  • Certificate Signing Request (CSR): A message sent to a certificate authority to apply for a digital identity certificate.
    • Example: Generating a CSR on a local web server to get a certificate from AWS Private CA for a staging environment.
  • Identity Provider (IdP): A system that creates, maintains, and manages identity information.
    • Example: Using Amazon Cognito to manage user logins, which may involve underlying certificate management for tokens.

Worked Examples

Example 1: Generating and Viewing an SSH Key (macOS)

  1. Open Terminal and check for existing keys: ls -al ~/.ssh.
  2. Generate: Type ssh-keygen and press Enter.
  3. Save Location: Press Enter to accept the default (/Users/dev/.ssh/id_rsa).
  4. Passphrase: Type a secure phrase (e.g., correct-horse-battery-staple).
  5. Retrieve: Run cat ~/.ssh/id_rsa.pub to see the text to be copied to AWS.

Example 2: Configuring AWS CodeCommit SSH Access

  1. Copy: Copy the string from id_rsa.pub (starts with ssh-rsa).
  2. Console: Go to the IAM Console > Users > [Your User].
  3. Credentials: Click the Security Credentials tab.
  4. Upload: Find "SSH public keys for AWS CodeCommit" and click Upload SSH public key.
  5. Paste: Paste the public key text and save. AWS will provide an SSH Key ID, which you use in your SSH config file.
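As an added example (not code from the original guide) tying Example 1 and Example 2 together: a small Python script that validates the id_*.pub text before it is pasted into IAM, computes the same SHA256 fingerprint that ssh-keygen -lf prints so you can confirm which key you uploaded, and renders the ~/.ssh/config entry that binds the SSH Key ID to your private key. The 32-byte key material and the Key ID used with it are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# Constructed sample key material (32 bytes of 0x01); NOT a real key, for demonstration only.
SAMPLE_RAW_KEY = bytes([0x01] * 32)

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def build_pubkey_line(key_type: str, raw_key: bytes, comment: str = "") -> str:
    """Assemble a .pub-style line (what `cat ~/.ssh/id_*.pub` prints) from raw key bytes."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()

def parse_pubkey_line(line: str):
    """Validate a .pub line; return (key_type, blob, comment) or raise ValueError."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"key material is not valid base64: {exc}") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The first wire string inside the blob must repeat the declared key type.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match the key blob")
    return key_type, blob, comment

def fingerprint(line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf key.pub` prints it."""
    _, blob, _ = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def codecommit_ssh_config(key_id: str, identity_file: str = "~/.ssh/id_rsa") -> str:
    """Render the ~/.ssh/config entry that binds the IAM SSH Key ID to your private key."""
    return (
        "Host git-codecommit.*.amazonaws.com\n"
        f"  User {key_id}\n"            # the SSH Key ID IAM shows after the upload
        f"  IdentityFile {identity_file}\n"
        "  IdentitiesOnly yes\n"         # offer only this key, not every key in the agent
    )
```

The fingerprint depends only on the key blob, so changing the comment after the key does not change it; a mismatch between the declared type and the blob, or non-base64 key material, is rejected before anything reaches IAM.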

Checkpoint Questions

  1. Which file should you never share or upload to a public repository: id_rsa or id_rsa.pub?
  2. What is the default directory for SSH keys on a Windows 10/11 machine?
  3. True or False: Adding a passphrase to your SSH key makes it take longer to encrypt data during a transmission.
  4. Which AWS service is best suited for managing a private hierarchy of certificates for internal microservices?
  5. If you receive a "Permission Denied (publickey)" error when connecting to CodeCommit, what is the first configuration you should check in IAM?
Answers
  1. id_rsa (The Private Key).
  2. C:\Users\[YourUser]\.ssh.
  3. False. The passphrase only encrypts the key while it's sitting on your hard drive; it does not change the speed of the SSH tunnel itself.
  4. AWS Private CA.
  5. Ensure the SSH Public Key is uploaded to the correct IAM user and that the SSH Key ID matches your local configuration.
