Akshay Jindal

Reputation: 11

How do I get a client certificate from ACM?

I have a network load balancer which has my MQTT instance as its target. I have hosted an MQTT server on my instance, and I have a Python script which sends traffic to my MQTT instance via the network load balancer. It currently works on TCP. Now I want to make the connection between the network load balancer and my client secure, so I have added a listener which listens on port 8883 and I have attached ACM certificates to it. Now my issue is: how do I get the client certificate which I will add to my Python script? Any help would be appreciated.

Upvotes: 0

Views: 3497

Answers (2)

Chris Williams

Reputation: 35238

If you generate a certificate via the public ACM CA, you are not able to export the certificate; you will only be able to associate it with managed AWS resources such as elastic load balancers, CloudFront, VPNs and API Gateway.

If you want to be able to control the physical certificate, your choices are limited to the below:

  • AWS ACM Private CA: this is an extended part of the ACM service but can be expensive.
  • A free SSL signing service such as certbot: these will need to be rotated more frequently than your standard CA.
  • Purchase an SSL through a trusted certificate authority.

Upvotes: 3

Marcin

Reputation: 238727

> Now my issue is how do I get client certificate which I will add to my python script?

You can't export your certificate out of ACM. If you need to have control of the private key for your SSL cert, you need to get it from a third party, not from ACM.

ACM certs can only be used on a load balancer, API Gateway and CloudFront distro. If you want to use an SSL cert somewhere else, you must get it from a third party. A popular choice is https://letsencrypt.org/.

Upvotes: 0
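Added example, not part of either answer above: a Python sketch of the client-side TLS setup for the port 8883 listener described in the question. It assumes the listener presents a public ACM certificate, which the client verifies against the system trust store without holding any certificate of its own; the hostname `mqtt.example.com` and the function names are hypothetical.

```python
import socket
import ssl


def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """Build the TLS context an MQTT client would use for a port 8883 listener."""
    # PROTOCOL_TLS_CLIENT enables certificate and hostname verification by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        # Listener certificate issued by a private CA: trust only that CA bundle.
        ctx.load_verify_locations(cafile=ca_file)
    else:
        # Publicly trusted listener certificate: the system trust store is enough.
        ctx.load_default_certs()
    if client_cert:
        # Assumption: only needed when the broker itself asks for a client
        # certificate (mutual TLS). The key file must be one you hold, so it
        # has to come from one of the sources the answers list, never from a
        # public ACM certificate.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe_listener(host, port=8883, ctx=None, timeout=5.0):
    """Complete a verified handshake; return (TLS version, subject, issuer).

    Raises ssl.SSLCertVerificationError when the chain or the hostname does
    not validate, which is the failure to look for after enabling the listener.
    """
    ctx = ctx or build_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname must be a name covered by the listener certificate.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return tls.version(), cert.get("subject"), cert.get("issuer")


# Usage with a hypothetical hostname:
#   version, subject, issuer = probe_listener("mqtt.example.com")
```

With paho-mqtt, the same context can be handed to the client through `tls_set_context(ctx)` before calling `connect(host, 8883)`.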
