All About AWS Certificate Manager-ACM
Setup SSL/TLS certificates using AWS ACM
Here comes the good news: AWS has recently launched the Certificate Manager (ACM) service, designed to provision and manage the private keys used with SSL/TLS certificates, free of charge.
SSL and TLS are industry-standard protocols for encrypting network communications. They provide encryption for sensitive data in transit and, using SSL/TLS certificates, authentication that establishes the identity of a site and sets up a secured connection between browsers and applications.
In general it is a time-consuming manual process to purchase, upload and renew those certificates. AWS Certificate Manager simplifies this complex process of generating, uploading and renewing certificates, and it is achieved through a simple click-through flow: there is no need to generate a certificate signing request (CSR), submit the CSR to a Certificate Authority, or upload and install the certificate once it is received. AWS Certificate Manager takes care of deploying certificates and handles all certificate renewals. Amazingly, this service is absolutely free; you only pay for the underlying infrastructure.
ACM Certificates are domain validated. That is, the subject field of an ACM Certificate identifies a domain name and nothing more. Email is sent to the registered owner for each domain name in the request.
Easy steps to setup secured web application using ACM generated certificates are given below:
1. Get a domain name for your web application.
2. Configure a Load Balancer for your application running on an AWS instance. At present ACM certificates can only be used with Elastic Load Balancer or CloudFront.
3. Configure a Route53 Hosted zone for your domain. By default you get NS and SOA type record sets; you need to add one more record set of canonical name (CNAME) type, with your Load Balancer's DNS Name as the Value.
4. If you have procured the domain name from somewhere outside AWS, you need to link the Route53 name servers in your domain settings.
For example, if you have taken the domain from GoDaddy, navigate to domain settings -> name servers -> manage, select setup type "custom" and add the name server values (record set type NS). Note: it may take a few hours for the name server change to take effect after you add it in your domain settings.
5. Once domain configuration is complete, you can log in to the ACM service and Request a Certificate. On request submission a mail is sent to the registered owner of each domain name in the request. The domain owner or an authorized representative can approve the certificate request by following the instructions in the email. After the instructions are completed the certificate status changes to Issued, which indicates that the certificate is ready to be linked with an ELB or CloudFront.
6. You can link the issued certificate under the Listeners tab of the load balancer. Select "an existing certificate from AWS Certificate Manager (ACM)"; all issued certificates will be available to be linked with the load balancer.
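The same steps 3, 5 and 6 (CNAME record in Route53, certificate request and approval wait, HTTPS listener on a classic ELB) can be scripted with the AWS CLI. The script below is an added example and is not code from the original post or from AWS; the hostname, load balancer name and hosted zone id are placeholders you must replace, and it assumes an existing classic ELB and an existing Route53 hosted zone. Steps 1, 2 and 4 (buying the domain, creating the load balancer, delegating name servers at the registrar) are not covered here.

```shell
#!/bin/sh
# Added example (not from the post): automate the Route53 / ACM / classic ELB steps with the AWS CLI.
# All three values below are placeholders (assumption), replace them with your own.
DOMAIN="www.example.com"            # hostname the certificate is requested for
LB_NAME="my-web-elb"                # name of an existing classic ELB fronting the instance
HOSTED_ZONE_ID="ZPLACEHOLDER123"    # Route53 hosted zone id for the parent domain

# The post notes ACM is currently only available in N. Virginia, which is the us-east-1 region.
export AWS_DEFAULT_REGION=us-east-1

# Step 3: build the Route53 change batch that points DOMAIN (a CNAME) at the ELB's DNS name.
# UPSERT creates the record or replaces it if it already exists.
route53_cname_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2"
}

# Step 6: build the classic ELB listener spec that terminates TLS on 443 with the ACM certificate
# and forwards plain HTTP to the instances on port 80.
https_listener_spec() {
  printf 'Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=%s' "$1"
}

deploy() {
  # Look up the load balancer's DNS name; this is the CNAME target from step 3.
  lb_dns=$(aws elb describe-load-balancers --load-balancer-names "$LB_NAME" \
             --query 'LoadBalancerDescriptions[0].DNSName' --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
      --change-batch "$(route53_cname_batch "$DOMAIN" "$lb_dns")"

  # Step 5: request the certificate. ACM emails the domain's registered contacts for approval.
  cert_arn=$(aws acm request-certificate --domain-name "$DOMAIN" \
               --query CertificateArn --output text)
  echo "Approve the validation email sent to the contacts for $DOMAIN (certificate $cert_arn)"

  # Poll until the status reported by ACM becomes ISSUED, as described in the post.
  until [ "$(aws acm describe-certificate --certificate-arn "$cert_arn" \
               --query Certificate.Status --output text)" = "ISSUED" ]; do
    sleep 60
  done

  # Step 6: attach the issued certificate as an HTTPS listener on the load balancer.
  aws elb create-load-balancer-listeners --load-balancer-name "$LB_NAME" \
      --listeners "$(https_listener_spec "$cert_arn")"
}

# Only call AWS when explicitly asked: ./acm-setup.sh deploy
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `sh acm-setup.sh deploy` with credentials that are allowed to call Route53, ACM and ELB. The CNAME record is for a hostname such as www; the apex of a zone cannot be a CNAME in Route53, which is one reason the post uses a subdomain for the application.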
Other important facts about the ACM service:
• It provides automatic renewal, which helps you avoid downtime due to misconfigured, revoked, or expired certificates.
• ACM Certificates are trusted by all major browsers, including Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari. ACM Certificates are also trusted by Java.
• ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, *.vikrant.com protects www.vikrant.com and images.vikrant.com.
• ACM supports the RSA-2048 encryption and SHA-256 hashing algorithms.
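A wildcard name matches exactly one DNS label, so *.vikrant.com covers www.vikrant.com and images.vikrant.com but not the bare vikrant.com or a deeper name such as cdn.images.vikrant.com; those need their own names on the certificate. The shell function below is an added example, not part of the original post, that checks which hostnames a given certificate name covers under that rule so you can verify a planned wildcard before requesting it.

```shell
#!/bin/sh
# Added example (not from the post): does a certificate name cover a hostname?
# Rule applied: an exact name matches itself; "*.suffix" matches hostnames that are
# exactly one label followed by ".suffix". Comparison is case-insensitive.
# Returns 0 (covered) or 1 (not covered).
wildcard_covers() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')

  case "$pattern" in
    '*.'*) suffix="${pattern#\*.}" ;;          # strip the leading "*."
    *) [ "$pattern" = "$host" ]; return ;;     # non-wildcard: exact match only
  esac

  # The host must end with ".suffix" (so the apex "suffix" itself is not covered).
  case "$host" in
    *".$suffix") ;;
    *) return 1 ;;
  esac

  # Whatever precedes ".suffix" must be a single, non-empty label.
  leftmost="${host%".$suffix"}"
  [ -n "$leftmost" ] || return 1
  case "$leftmost" in
    *.*) return 1 ;;                           # more than one label: not covered
  esac
  return 0
}

# Report coverage for a list of hostnames (constructed sample input, hostnames from the post).
report() {
  pattern="$1"; shift
  for h in "$@"; do
    if wildcard_covers "$pattern" "$h"; then echo "$pattern covers $h"
    else echo "$pattern does NOT cover $h"; fi
  done
}

report '*.vikrant.com' www.vikrant.com images.vikrant.com vikrant.com cdn.images.vikrant.com
```

Run this before requesting the certificate and add any uncovered name (typically the apex) as an additional name on the certificate rather than assuming the wildcard includes it.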
Though ACM has a few limitations, such as that currently ACM certificates can be used only with Elastic Load Balancer or CloudFront and cannot be used outside of AWS, it is still extremely handy for startups and developers who want to secure their web applications at no extra cost without relying on system admins.
Note: Currently the ACM service is only available in the N. Virginia region.