
AWS Certificate Manager: Deploy SSL/TLS-Based Apps on AWS - _alex_
https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
======
arcdigital
Just in case people haven't figured it out yet - ACM issues free wildcard
certs :)!

[http://aws.amazon.com/certificate-manager/pricing/](http://aws.amazon.com/certificate-manager/pricing/)

[https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html)

~~~
Someone1234
Dumb question: Can you extract the private certificate and use it elsewhere,
or is it held securely and only accessible via specific AWS services?

~~~
arcdigital
Yeah, currently the keys are held securely within AWS and it's only available
for use within specific AWS services - Elastic Load Balancer & CloudFront at
the moment.

~~~
sporkmonger
So basically don't use this if you care enough about security to pin your
certificates.

~~~
detaro
Why does this stop you from pinning your certificate?

~~~
kuschku
You only care about pinning when you fear that a third actor somewhere between
your server and the end client might MitM the connection with a valid
certificate.

If a third party controls your keys, certificate pinning is useless as
protection against attacks from that third party or governmental agencies.

~~~
pfg
Most HPKP deployments pin to root or intermediate certificates of CAs (usually
2 separate CA entities, in case something happens to the primary CA) - meaning
in a typical scenario, the attack surface is approximately the same.

Not sure if this approach is common in native applications that pin to keys as
well.
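
The mechanics behind the last three comments, as an added example that is not code from the original thread or from AWS: a pin-sha256 value is base64(SHA-256(DER SubjectPublicKeyInfo)), and the HPKP rule is that a chain passes when any certificate in it carries a pinned key. Pinning a CA key (the common deployment) therefore accepts every leaf that CA ever issues, including one minted by whoever holds the CA or the leaf key; only a pin on your own leaf SPKI rejects a substitute leaf. With ACM you never hold the leaf private key, so the second posture is not available to you; you can still pin the Amazon Trust / Starfield CA keys, which is the same exposure as the typical CA-pinned HPKP site. The DER encoder is the example's own, and the "keys" are constructed odd integers, not real RSA keys; a pin only hashes the encoding.

```python
import base64
import hashlib

# --- Minimal DER encoding, enough to build an RSA SubjectPublicKeyInfo ---

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:          # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n, e=65537):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }."""
    rsa_public_key = _der(0x30, _der_int(n) + _der_int(e))
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")       # rsaEncryption, NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))  # 0 unused bits

def pin_sha256(spki_der):
    """HPKP pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def chain_matches_pins(chain_spkis, pins):
    """HPKP validation rule: the chain passes if ANY certificate in it carries a pinned key."""
    return any(pin_sha256(spki) in pins for spki in chain_spkis)

# Constructed stand-ins for public keys: arbitrary odd 2048-bit integers (assumption:
# no real key material is needed, because a pin only hashes the DER encoding).
def _fake_modulus(label):
    return int.from_bytes(hashlib.sha256(label.encode()).digest() * 8, "big") | 1

SPKI = {name: rsa_spki_der(_fake_modulus(name)) for name in
        ("root", "backup-root", "intermediate", "your-leaf", "attacker-leaf")}

def verdicts():
    """Compare pinning the CA (what most HPKP deployments do) with pinning your own leaf key."""
    ca_pins = {pin_sha256(SPKI["intermediate"]), pin_sha256(SPKI["backup-root"])}
    leaf_pins = {pin_sha256(SPKI["your-leaf"]), pin_sha256(SPKI["backup-root"])}
    your_chain = [SPKI["your-leaf"], SPKI["intermediate"], SPKI["root"]]
    # A leaf the same CA issued to someone else, or minted by whoever controls the CA key.
    mitm_chain = [SPKI["attacker-leaf"], SPKI["intermediate"], SPKI["root"]]
    return {
        "ca_pins/your_chain": chain_matches_pins(your_chain, ca_pins),
        "ca_pins/mitm_chain": chain_matches_pins(mitm_chain, ca_pins),
        "leaf_pins/your_chain": chain_matches_pins(your_chain, leaf_pins),
        "leaf_pins/mitm_chain": chain_matches_pins(mitm_chain, leaf_pins),
    }

if __name__ == "__main__":
    for case, ok in verdicts().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Only the `leaf_pins/mitm_chain` case is rejected: the CA-pinned policy accepts the substitute leaf because the intermediate it hangs under is pinned. A real deployment would take the SPKI out of an actual certificate (for example with `openssl x509 -pubkey`) instead of building it by hand, but the hash and the any-match rule are exactly as above.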

------
ttcbj
Just a few days ago I spent $200 to purchase a multi-domain wildcard
certificate so that I could host multiple secure domains, with multiple
subdomains, on a single elastic beanstalk app. It was such a headache to
figure out that I needed the multi-domain wildcard cert, then to find one to
purchase for a reasonable price.

Now, 5 days later, AWS lets me create one for free in 3 minutes, with zero
hassles. I cannot select it in beanstalk yet, but I am sure that will come. I
am consistently amazed by how frequently AWS satisfies needs I barely knew (or
didn't know) I had.

~~~
dexterdog
I don't think you configure the LB in EB. Go into Load Balancers in your EC2
section and you can select the cert there. It's a quick switch.

~~~
15155
If EB decides to tear down and rebuild an ELB, it won't have the correct cert
settings.

------
ubergeek42
Can anyone think of any advantages LetsEncrypt would provide over this
offering from AWS? Or does this basically kill LetsEncrypt's usage on AWS?

The only thing I can think of is that AWS Certificate Manager only validates
by email addresses, which can be problematic if you don't have MX records or
don't have control over it (maybe a large organization where the people who do
control those email addresses won't click simple verification links).

It seems a bit inconsistent as to when it will use the email on the whois
record for the validation too. For some subdomains I try it will allow
validation using the whois address, other times it's just the common
aliases@sub.domain.com (which requires an MX record). So I guess if you're
nesting deeper than one subdomain (e.g. abc.def.example.com) then maybe it'd be
easier to get letsencrypt set up than try to get MX records for
abc.def.example.com.

Shameless Plug/Disclaimer: I had been working on a tool to make it dead simple
to use Let's Encrypt certificates for CloudFront/ELBs and handled autorenewal
via Lambda. I'm not sure there is any use for this now that this exists
though.

[https://github.com/ubergeek42/lambda-letsencrypt/](https://github.com/ubergeek42/lambda-letsencrypt/)

~~~
kevincox
I believe this requires the use of cloudfront or their load balancer. So if
you want to stick with minimal costs you can use letsencrypt with just an ec2
instance.

~~~
ubergeek42
That's a good point. For some reason the only thing I was thinking about was
cloudfront/elb.

------
nik736
"Even better, you can do all of this at no extra cost. SSL/TLS certificates
provisioned through AWS Certificate Manager are free!"

Great!

------
mbesto
Pricing page goes 404 :(

[http://aws.amazon.com/certificate-manager/pricing/](http://aws.amazon.com/certificate-manager/pricing/)

~~~
falcolas
Anything too much higher than "free" is probably going to be too high once
Let's Encrypt implements DNS based validation.

Of course, it does look like they support wildcard certs, so it probably won't
be cheap.

EDIT: Removed EV reference, these are DV only.

~~~
yuvipanda
Let's Encrypt turned on DNS validation a few days ago:
[https://twitter.com/letsencrypt/status/689919523164721152](https://twitter.com/letsencrypt/status/689919523164721152)

~~~
falcolas
Hadn't seen that, thanks for the link!

------
ademarre
Are these certificates exclusively for ELB and CloudFront? Does anyone see a
way to download a certificate for manual installation on a server (EC2 or
otherwise)?

[https://docs.aws.amazon.com/acm/latest/userguide/setup-website.html](https://docs.aws.amazon.com/acm/latest/userguide/setup-website.html)

> _Currently, ACM Certificates are associated with Elastic Load Balancing load
> balancers or Amazon CloudFront distributions. Although you install your
> website on an Amazon EC2 instance, you do not deploy an ACM Certificate
> there. Instead, deploy the ACM Certificate on your Elastic Load Balancing
> load balancer or on your CloudFront distribution._

Ideally ACM certificate issuance and deployment would be two separate things,
and this would be a general-purpose CA, which just happens to have integrated
deployment tools for ELB and CloudFront.

~~~
breadtk
At the time of launch only ELB and CloudFront are supported.

------
iancarroll
It looks like this is free (the pricing page isn't up yet), as I was able to
issue a certificate and not have any charges show immediately.

~~~
mangeletti
You might be right. Maybe the pricing page 404 was a silly marketing stunt?
That would be pretty clever.

BTW, it looks like there might be a lot of people flagging this post (raced to
position 1, but then quickly dropped to position 5).

I'm not opposed to people flagging things or anything, but I'm curious as to
why a post like this would be heavily flagged, if that is indeed what is
happening.

------
supersan
Wow that was super easy. I tried this on one of my sites and it really took me
like 2 minutes total to add SSL to it.

The only confusing part was that port 443 was blocked in ELB by default (which
made it look like it didn't work, but it got fixed easily as soon as I figured it
out). I've never seen an easier way to do this to date.

------
lukeadams
Looks like Certificate Manager is only available in the US-East region thus
far.

~~~
draven
Yep, tried to access ACM, and got "Certificate Manager is not available in EU
(Ireland). Please select another region."

They probably are going to roll out this feature everywhere.

------
michaelZejoop
Buying an SSL cert through Bluehost (where my domain is registered and my blog
is hosted) and figuring out how to apply it to my web app, zejoop.com, hosted
on AWS was far and away the most annoying and difficult chore in my
development/deployment process as a relatively junior SW developer. If I could
solve it all in-house within AWS (at reasonable cost) I'd be very happy. My cert
just renewed, so until I roll the change to AWS my https:// is down. If the
update is as difficult for me as the original install was, then I guess it will
be about 18 hours of aggravation. So I'll look into this, if the OP title is a
reality.

~~~
tlianza
FYI (and disclaimer I work here) CloudFlare provides SSL as a service for free
and you can host your site anywhere:
[https://www.cloudflare.com/ssl/](https://www.cloudflare.com/ssl/)

~~~
michaelZejoop
Thanks, I will investigate. Not clear though if I'll need to convert the cert
to an AWS load balancer accepted format... that was the bulk of my earlier
problem, especially handling the chain bundle. The AWS cert service, I assume,
would eliminate the conversion problem for me. Thanks... I'll check it out.

~~~
michaelZejoop
problem solved

------
philip1209
This is great for microservices where managing lots of SSL certs can be a
pain.

------
cagenut
It's not immediately obvious, clicking around: who's the CA?

~~~
devy
tl;dr - For now, their root CA is Starfield [0], but AWS may become a root CA
very soon.

Amazon has been applying to be a Root Certificate Authority with Mozilla and
Android since June 2015 [1]. It has recently been pending public discussion
[2], which is one step away from inclusion by Mozilla [3] (aka becoming a
root CA).

Once they are vetted and included in Mozilla's Root CA program, they will be
accepted by the Firefox browser and on Linux. And after being vetted in
Android, it will be accepted by Google Chrome/Chromium browsers. [4]

[0] [http://i.imgur.com/s2Uijes.png](http://i.imgur.com/s2Uijes.png)

[1] [http://www.geekwire.com/2015/amazon-wants-to-be-your-ssl-certificate-provider-applies-to-be-a-root-certifcate-authority/](http://www.geekwire.com/2015/amazon-wants-to-be-your-ssl-certificate-provider-applies-to-be-a-root-certifcate-authority/)

[2] [https://mozillacaprogram.secure.force.com/CA/PendingCACertificateReport](https://mozillacaprogram.secure.force.com/CA/PendingCACertificateReport)

[3] [https://wiki.mozilla.org/CA:How_to_apply#Public_discussion](https://wiki.mozilla.org/CA:How_to_apply#Public_discussion)

[4] [https://www.chromium.org/Home/chromium-security/root-ca-policy](https://www.chromium.org/Home/chromium-security/root-ca-policy)

~~~
arcdigital
BTW - The root certs are in the microsoft trust store now.

~~~
devy
Cool, they will be accepted as a Root Cert on Windows then. Yep, Apple and
Microsoft maintain their own Root CA programs (private approval process). I
bet AWS also applied for Apple's Root CA program.

------
arcdigital
If you're trying to enable ACM on beanstalk, I made a guide on how to do it:
[https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8](https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8)

~~~
michaelZejoop
Guide is great, except my environment (which can't be renamed) is "My First
Elastic BeanStalk Application" - this results in an error on the CLI: "Value 'My
First Elastic BeanStalk Application' at 'environmentName' failed to satisfy
constraint: Member must have length less than or equal to 23"... stuck

~~~
michaelZejoop
I figured out my own mistakes: [1] the actual name was 'Default-Environment',
and [2] I had used the wrong zone when I set up AWS CLI using the 'aws
configure' command. Fixed both mistakes and zejoop dot com is back online with
a working SSL Cert.

------
nodesocket
This is great, but I'm willing to pay for SSL certificates that are managed
inside of AWS, just like domains are purchased and managed in Route53.

As long as AWS provides an API to provision certificates, that would be
awesome. I use Nginx, and need access to the private key and cert.

~~~
brandur
Impressively, not only is there what looks like a fairly complete API, but
it's shipped and part of their language bindings already.

Go interface (the docs haven't been updated as of yet):

[https://github.com/aws/aws-sdk-go/blob/87b1e60a50b09e4812dee560b33a238f67305804/service/acm/acmiface/interface.go](https://github.com/aws/aws-sdk-go/blob/87b1e60a50b09e4812dee560b33a238f67305804/service/acm/acmiface/interface.go)

And the changelog from the Ruby project:

[https://github.com/aws/aws-sdk-ruby/blob/8ed439546619f78263fd6755429d54cdce812133/CHANGELOG.md#2213-2016-01-21](https://github.com/aws/aws-sdk-ruby/blob/8ed439546619f78263fd6755429d54cdce812133/CHANGELOG.md#2213-2016-01-21)

~~~
tjbiddle
While awesome that they have API support already; that's only half of it as
you don't get access to the private key.

Still incredibly exciting and a great feature for Amazon solutions!

------
ajsharp
Sucks to be in the cert market today. This is great news for everyone else
though!

------
dankohn1
This is fantastic news. Now, let's see Heroku use either this or Let's Encrypt
and eliminate their onerous $20 per host SSL fee, which is making the Internet
less secure.

~~~
colinbartlett
This would be huge. Heroku's high monthly SSL cost is a big reason I've moved
dozens of smaller apps and sites to Digital Ocean. As I moved to using SSL
everywhere I realized Heroku's costs were not sustainable for random side
projects and static sites.

------
kujjwal
Currently it's only supported in US East (N. Virginia). Is there any way I can
use it for apps deployed in a different geographical location?

------
jsnk
Given that Let's Encrypt is free, is there any reason why someone would use
paid service for SSL certificates?

~~~
eknkc
I recently needed a cert and got one from letsencrypt. Haven't read about them
or followed all the news. I have no idea about the architecture of Let's
Encrypt. So these might sound stupid;

- Why do we need a local client app to issue certificates? Is there a web
interface in development? Is there a technical reason for it to work this way?

- Why does it issue 3 month certs? Beta period? (This is reason enough to pay
btw, if I did not screw something up to end up with short term certs)

~~~
TazeTSchnitzel
> Why do we need a local client app to issue certificates?

So it can verify domain ownership automatically.

> Why does it issue 3 month certs?

Because it verifies domain ownership automatically.

~~~
serge2k
Well, that and they didn't do DNS based validation first. I guess they have
that now.

------
derFunk
How will Amazon's new root certificate be spread to all browsers and mobile
devices, so it's made sure that it will be trusted on every possible endpoint?
Is the root certificate cross signed with another, already trusted cert?

~~~
dchest
Amazon bought one of the Starfield roots from GoDaddy. See their roots here:
[https://www.amazontrust.com/repository/](https://www.amazontrust.com/repository/)

~~~
derFunk
Thanks, but funny: Not all test URLs are working on my Marshmallow Android.
Only the "valid" tagged "Amazon Root CA 1" is accepted by my mobile Chrome,
not so the others. Also the revoked Starfield test url is still being accepted
by my browser.

------
fragsworth
It's about time.

~~~
twothamendment
It is past time. Where was this last month? We just started using Let's
Encrypt to get certs onto ELBs. With a few mods to stuff on github we can
easily generate certs for multiple domains (up to the 100 domain limit) and
put them on the ELB.

I'm glad they are getting into this, competition is always good. With the
pricing page giving a 404 I can only guess that it will cost more than Let's
Encrypt, but if you haven't already rolled your own, it might be a nice
option.

~~~
marktangotango
Dumb question; I'm not an aws user, but I thought with ELBs you did ssl
termination at the load balancer, then unencrypted to downstream servers? But
you seem to indicate you have ssl between elb's and downstream? Is that
correct?

~~~
twothamendment
Not a bad question. You are correct, the ELBs are doing SSL termination, but
the way I'm using Let's Encrypt and a 3rd party python script means that each
web server needs to be able to answer the challenge on port 80. For a web
server without an LB, that means you just run the script and it generates the
file that needs to be served up on 80.

With more than one web server you need to be able to serve that file up on
any instance that might get hit when the challenge request comes in.

For some, DNS might be an easier way to prove domain ownership, but we have
clients who control their DNS. Doing it all on the web means it is 100% in our
hands.
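
The shared-answer arrangement the comment describes, as an added example that is neither the commenter's script nor anything from AWS or Let's Encrypt: the ELB keeps forwarding port 80 to every instance, the ACME client (wherever it runs) writes the key authorization for a token into a store every instance can read, and a small WSGI handler on each instance serves it from `/.well-known/acme-challenge/<token>`. The key authorization is the token, a dot, and the RFC 7638 thumbprint of the account key; the handler rejects anything that is not a base64url token before it touches the store, so the path cannot be used to read arbitrary files. The `ChallengeStore` here is an in-memory dict standing in for S3 or DynamoDB (an assumption; pick whatever all instances share), and the account key parameters and token are constructed values, not a real key.

```python
import base64
import hashlib
import json

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 tokens are unpadded base64url; anything outside this alphabet is refused.
TOKEN_ALPHABET = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def rsa_jwk_thumbprint(e_b64url, n_b64url):
    """RFC 7638: SHA-256 over the required JWK members, lexicographically ordered, no whitespace."""
    canonical = json.dumps({"e": e_b64url, "kty": "RSA", "n": n_b64url},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def key_authorization(token, thumbprint):
    """Body the ACME server expects at /.well-known/acme-challenge/<token>."""
    return f"{token}.{thumbprint}"

class ChallengeStore:
    """Stand-in for a store every instance behind the load balancer can read (S3, DynamoDB, ...).
    The instance running the ACME client writes here; whichever instance the ELB picks answers."""
    def __init__(self):
        self._entries = {}
    def put(self, token, keyauth):
        self._entries[token] = keyauth
    def get(self, token):
        return self._entries.get(token)
    def delete(self, token):
        self._entries.pop(token, None)

def _respond(start_response, status, body, content_type="text/plain"):
    start_response(status, [("Content-Type", content_type),
                            ("Content-Length", str(len(body)))])
    return [body]

def make_challenge_app(store):
    """WSGI app to mount on port 80 on every web server behind the ELB."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if environ.get("REQUEST_METHOD") != "GET" or not path.startswith(ACME_PREFIX):
            return _respond(start_response, "404 Not Found", b"not found")
        token = path[len(ACME_PREFIX):]
        if not token or not set(token) <= TOKEN_ALPHABET:   # no traversal, no lookups on junk
            return _respond(start_response, "404 Not Found", b"not found")
        keyauth = store.get(token)
        if keyauth is None:
            return _respond(start_response, "404 Not Found", b"not found")
        return _respond(start_response, "200 OK", keyauth.encode(), "application/octet-stream")
    return app

def call(app, method, path):
    """Drive a WSGI app without a server; returns (status, body) so behaviour can be checked offline."""
    captured = {}
    def start_response(status, headers):
        captured["status"] = status
    body = b"".join(app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response))
    return captured["status"], body

def demo():
    """Register one constructed challenge and exercise the handler; returns the responses."""
    thumb = rsa_jwk_thumbprint("AQAB", b64url(b"\x01" * 256))   # constructed, not a real key
    token = "constructed-token_0123456789"
    store = ChallengeStore()
    store.put(token, key_authorization(token, thumb))
    app = make_challenge_app(store)
    return {
        "valid": call(app, "GET", ACME_PREFIX + token),
        "unknown": call(app, "GET", ACME_PREFIX + "not-registered"),
        "traversal": call(app, "GET", ACME_PREFIX + "../index.html"),
        "post": call(app, "POST", ACME_PREFIX + token),
        "expected_body": key_authorization(token, thumb).encode(),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

Once the ACME server reports the challenge valid, delete the token from the store; leaving key authorizations published serves no purpose. If the instances are later moved behind an ELB that only listens on 443, HTTP-01 stops working, which is the point at which the DNS-01 validation mentioned elsewhere in the thread becomes the easier route.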

------
base
Wrong title. This is a Certificate Manager.

~~~
dang
We changed the title from "AWS is now issuing SSL certificates".

~~~
_alex_
Why? AWS is issuing certificates. They happen to be doing that through their
new Certificate Manager service, but the more interesting news is that AWS is
issuing publicly trusted certs.

~~~
dang
It's a moot point now, because the announcement post (which we changed the URL
to) has a different title. But the answer to your question is that we don't
always have a magic title accuracy detector—though HN readers come close.

~~~
dsp1234
Thanks for updating it!

------
jwaldrip
Implemented and deployed! Now just need Terraform support to bring it full
circle.

------
JosephHatfield
If you use the AWS Simple Monthly Calculator, it shows a $600 a month charge
for one dedicated IP/SSL certificate on Cloudfront. Is this not the same thing
as the new free certificate?

------
ajeet_dhaliwal
Wow, this is awesome for my needs.

------
dang
Url changed from [https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html), which seems to be the main announcement.

------
baby
You mean TLS certificates.

~~~
hueving
Oh shit, how will people ever know what the article is referring to?

~~~
peterhadlaw
Your sobriety humbles me.

