Search code examples
amazon-web-servicesssl-certificateaws-certificate-manager

SSL Certificate with AWS Certificate Manager?

I am new on terms of every aspect of SSL certificate.

I have a architecture, where Route53 routes traffic to Load balance. We are moving to production and we have to implement SSL certification to handle https traffic.

Where should i position the certificate in the architecture?

While searching i sow AWS Certificate Manager. I am wondering how is it different ?

And when i buy a certificate can i use a single certificate with different account? (Example: can i have same certificate set up for Staging and multiple production environment)

Solution

  • You can use the ACM to generate certifications for you.

    It's totally free, if it's a public certificate, and will automatically renew when it expires.

    But some security teams will require you to upload a more advanced certificate than ACM generates for you, in this case, you can buy the certificate and upload it in the ACM service. Keep in mind that it won't renew automatically and when it expires you will have to upload a new certificate.

    Where should I position the certificate in the architecture?

    • It depends on your security requirements, but it's totally fine to create an HTTPS commutation between Client and Load Balancer, and an HTTP communication between Load Balancer and Server. In this case, you will only need a public certificate generated by ACM. If your security requirements need to create a secure communication end-to-end (e.g. HTTPS communication between LoadBalancer and Server), you will need to install the same private certificate in all servers and upload your private certificate in ACM.

    While searching I sow AWS Certificate Manager. I am wondering how is it different ?

    • The only difference is that you don't need no buy a certificate if you only use in Load Balancers / API Gateway, etc but if you want to download the certificate to install in your on-premise Load Balancer or in the servers, you will have to pay $400 for each certificate.

    And when I buy a certificate can I use a single certificate with a different account? (Example: can I have the same certificate set up for Staging and multiple production environments)

    • Yes, you can. But keep in mind that you will need to create a wildcard certificate to support multiple DNS names.