Create the required certificates
You can create a CA certificate either through Amazon's private CA service, which Amazon charges for, or by setting up your own private CA and creating a CA certificate at no cost.
To use an Amazon private CA resource, refer to AWS documentation here:
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
To set up a private CA and create a CA certificate at no cost, see:
https://docs.aws.amazon.com/rolesanywhere/latest/userguide/getting-started.html
Use the root CA certificate file to create a Trust Anchor in AWS.
Use the self-signed CA certificate file and the private key created from the root CA certificate in NetBackup for authentication.
For AWS certificate specifications, see:
https://docs.aws.amazon.com/rolesanywhere/latest/userguide/trust-model.html
To authenticate a request for credentials, IAM Roles Anywhere validates the incoming signature by using the signature validation algorithm required by the key type of the certificate, for example RSA or ECDSA. After validating the signature, IAM Roles Anywhere checks that the certificate was issued by a certificate authority configured as a trust anchor in the account using algorithms defined by public key infrastructure X.509 (PKIX) standards.
End entity certificates must satisfy the following constraints to be used for authentication:
The certificates MUST be X.509v3.
Basic constraints MUST include CA: false.
The key usage MUST include Digital Signature.
The signing algorithm MUST include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.
Certificates used as trust anchors must satisfy the same requirements for the signature algorithm, but with the following differences:
The key usage must include Certificate Sign, and may include CRL Sign. Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere.
Basic constraints MUST include CA: true.
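The following is an added example, not taken from the NetBackup or AWS documentation: it uses the openssl command line to build a private root CA and an end-entity certificate that satisfy the constraints listed above, then checks each certificate against them. The file names, subject names, validity periods and the make_pki and check_cert helpers are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names, subjects and validity periods are constructed.
make_pki() {  # usage: make_pki <output-dir>
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_ee]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
  # Trust anchor: self-signed, SHA-256, CA:true, Certificate Sign and CRL Sign
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/pki.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" || return 1
  # End entity: new key and CSR, then signed by the CA with the v3_ee extensions
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -config "$d/pki.cnf" -keyout "$d/ee.key" -out "$d/ee.csr" || return 1
  openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$d/pki.cnf" \
    -extensions v3_ee -out "$d/ee.pem" || return 1
  # Confirm the end-entity certificate chains to the root CA
  openssl verify -CAfile "$d/ca.pem" "$d/ee.pem"
}

check_cert() {  # usage: check_cert <pem-file> <end-entity|trust-anchor>
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  echo "$txt" | grep -q 'Version: 3 ' || return 1       # X.509v3
  # SHA256 or stronger; MD5 and SHA1 signatures do not match
  echo "$txt" | grep 'Signature Algorithm' | grep -Eqi 'sha(256|384|512)' || return 1
  case "$2" in
    end-entity)   ca='CA:FALSE'; ku='Digital Signature' ;;
    trust-anchor) ca='CA:TRUE';  ku='Certificate Sign' ;;
    *) return 2 ;;
  esac
  echo "$txt" | grep -q "$ca" && echo "$txt" | grep -q "$ku"
}

dir=$(mktemp -d)
make_pki "$dir" && check_cert "$dir/ee.pem" end-entity \
  && check_cert "$dir/ca.pem" trust-anchor && echo "constraints satisfied in $dir"
```

check_cert reads the text form of the certificate only, so an RSA-PSS signature, whose hash algorithm openssl prints on a separate line, is reported as failing the signature check.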