Reputation: 2181
I am new to every aspect of SSL certificates.
I have an architecture where Route53 routes traffic to a load balancer. We are moving to production and we have to implement an SSL certificate to handle HTTPS traffic.
Where should I position the certificate in the architecture?
While searching I saw AWS Certificate Manager. I am wondering how is it different?
And when I buy a certificate, can I use a single certificate with different accounts? (Example: can I have the same certificate set up for staging and multiple production environments?)
Upvotes: 0
Views: 2109
Reputation: 1124
You can use ACM to generate certificates for you.
It's totally free if it's a public certificate, and it will automatically renew when it expires.
But some security teams will require you to upload a more advanced certificate than ACM generates for you. In this case, you can buy the certificate and upload it to the ACM service. Keep in mind that it won't renew automatically, and when it expires you will have to upload a new certificate.
Where should I position the certificate in the architecture?
While searching I saw AWS Certificate Manager. I am wondering how is it different?
And when I buy a certificate, can I use a single certificate with a different account? (Example: can I have the same certificate set up for staging and multiple production environments?)
Upvotes: 1
Reputation: 35146
The preferred service to use is AWS ACM.
You can either upload your own certificate (i.e. purchase it, then upload it) or have AWS generate and manage it for you.
If you let ACM generate and manage it, it will regenerate the certificate ahead of its expiry and handle the rotation on each attached resource.
It is important to note that an ACM certificate can only be bound to the following resources for HTTP traffic:
Once it is connected to these, you can use SSL offloading (the TLS connection is terminated at the resource rather than the instance) and connect to the backend resources over plain HTTP.
You should be aware that if you want to serve traffic directly from an EC2 instance you will not be able to use the ACM public CA and instead would be limited to one of the following:
In addition, you can use certificates that are hosted in IAM, but this is considered legacy, with fewer features than ACM.
Upvotes: 1
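The layout the second answer describes (DNS-validated ACM certificate, TLS terminated on the load balancer, Route 53 alias in front), written out in Terraform as an added example that is not from this thread. It assumes a placeholder domain example.com with an existing Route 53 hosted zone, and an ALB and target group already declared elsewhere as aws_lb.app and aws_lb_target_group.app.

```hcl
data "aws_route53_zone" "main" {
  name = "example.com." # placeholder zone, assumed to exist
}
# Public ACM certificate (free, auto-renewed while attached); the SAN covers staging with the same certificate.
resource "aws_acm_certificate" "app" {
  domain_name               = "app.example.com"
  subject_alternative_names = ["staging.example.com"]
  validation_method         = "DNS"
}
# DNS validation records that prove control of the domain to ACM.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.app.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }
  zone_id = data.aws_route53_zone.main.zone_id
  name    = each.value.name
  type    = each.value.type
  ttl     = 60
  records = [each.value.record]
}
resource "aws_acm_certificate_validation" "app" {
  certificate_arn         = aws_acm_certificate.app.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
# TLS terminates at the listener (SSL offloading); targets are reached over plain HTTP.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn # assumed existing ALB
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.app.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn # assumed existing HTTP target group
  }
}
resource "aws_route53_record" "app" {
  zone_id = data.aws_route53_zone.main.zone_id
  name    = "app.example.com"
  type    = "A"
  alias {
    name                   = aws_lb.app.dns_name
    zone_id                = aws_lb.app.zone_id
    evaluate_target_health = true
  }
}
```

Because the certificate stays attached to the listener, ACM can renew it in place; nothing on the instances behind the target group holds a private key.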