Link Search Menu Expand Document

Certificate Manager

Certificate Manager Basics

  • 📒 HomepageUser guideFAQPricing
  • Use the Certificate Manager to manage SSL/TLS certificates in other AWS services.
  • Supports importing existing certificates as well as issuing new ones.
  • Provides Domain Validated (DV) certificates. Validation can be done in two ways. The first (and recommended) way is via DNS. If the zone lives within Route 53 and the user has access, the necessary record can be added in the console via a single click during the certificate request process. If the zone is not within Route 53 the user is required to update DNS manually. This is still preferred to the second way, which requires more user interaction, and is done by sending an email to 3 contact addresses in WHOIS and 5 common addresses for the domain, for each domain name present in the request.
  • ACM will attempt to automatically renew a certificate issued by Amazon. It will first attempt to connect to the domain on HTTPS and check that the certificate used by the domain is the same with the certificate that it intends to renew. Failing that, it will check the DNS record used previously for validation. Failing that, ACM will attempt manual validation by sending emails to all domains in the certificate.

Certificate Manager Alternatives and Lock-in

  • ⛓Certificates issued by the Certificate Manager can’t be used outside of the services that support it. Imported certificates, however, can still be used elsewhere.

Certificate Manager Tips

  • 🔹Supported services: Managed Load Balancers, CloudFront, API Gateway and Elastic Beanstalk.
  • 🔸During the domain validation process, if DNS validation is unsuccessful Certificate Manager will send an email to every contact address specified in the domain’s WHOIS record and up to five common administrative addresses. Some anti-spam filters can mark emails as spam because of this. You should check the spam folder of your email if you don’t receive a confirmation email.
  • 🔹 Setting up a certificate for a test domain you don't have email set up on? You can now use DNS validation instead.
  • 🔹Remember when requesting a wildcard domain that the request will not be valid for the level just below the wildcard, or any subdomains preceding the wildcard. Take for example an approved, issued certificate for *.bar.example.com. This would be valid for foo.bar.example.com but not bar.example.com. Likewise it would also not be valid for www.bar.foo.example.com. You would need to add each of these domains to the certificate request.

Certificate Manager Gotchas and Limitations

  • 🔸In order to use Certificate Manager for CloudFront distributions, the certificate must be issued or imported from us-east-1 (N. Virginia) region.
  • 🔸Certificates used with Elastic Load Balancers must be issued in the same region as the load balancer. Certificates can not be moved or copied between regions, as of July 2017. If a domain uses load balancers present in multiple regions, a different certificate must be requested for each region.
  • 🔸IoT has its own way of setting up certificates.
  • 🔸By default the maximum number of domains per certificate is 10. You can get this limit increased to a maximum of 100 by contacting AWS support. Note for every different domain you have on the requested cert, you'll need to press accept on an email sent to that domain. For example if you request a cert with 42 different domains or sub domains, you'll need to press accept on 42 different links.
    - 🔹If you request a limit increase to AWS support for this, they will respond to you asking to confirm this. Bypass this by saying in the body of your initial request:
    
    "I acknowledge at the moment, there is no method to add or remove a name from a certificate. Instead, you must request a new certificate with the revised namelist and you must then re-approve all of the names in the certificate, even if they'd been previously approved."
  • 🔸There is no way at the moment to add or remove a domain to/from an existing certificate. You must request a new certificate and re-approve it from each of the domains requested.