AWS Certificate Manager

Last updated on February 19, 2024

AWS Certificate Manager Cheat Sheet

  • A service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks.
  • ACM is integrated with the following services:
  • AWS Certificate Manager manages the renewal process for the certificates managed in ACM and used with ACM-integrated services.
  • You can import your own certificates into ACM; however, you have to renew these yourself.

Concepts

    • ACM Certificates are X.509 version 3 certificates. Each is valid for 13 months.
    • When you request an ACM certificate, you must validate that you own or control all of the domains that you specify in your request.
    • Each ACM Certificate must include at least one fully qualified domain name (FQDN). You can add additional names if you want to.
    • You can create an ACM Certificate containing a wildcard name (*.example.com) that can protect several sites in the same domain (subdomains).
    • You cannot download the private key for an ACM Certificate.
    • The first time you request or import a certificate in an AWS region, ACM creates an AWS-managed customer master key (CMK) in AWS KMS with the alias aws/acm. This CMK is unique in each AWS account and each AWS region. ACM uses this CMK to encrypt the certificate’s private key.
    • You cannot add or remove domain names from an existing ACM Certificate. Instead you must request a new certificate with the revised list of domain names.
    • You cannot delete an ACM Certificate that is being used by another AWS service. To delete a certificate that is in use, you must first remove the certificate association.
    • Applications and browsers trust public certificates automatically by default, whereas an administrator must explicitly configure applications to trust private certificates.

Types of Certificates For Use With ACM

    • Public certificates 
      • ACM manages the renewal and deployment of public certificates used with ACM-integrated services.
      • You cannot install public ACM certificates directly on your website or application, only for integrated services.
    • Private certificates
      • ACM Private CA provides three ways to create and manage private certificates:
        • Delegate private certificate management to ACM. When used in this way, ACM can automatically renew and deploy private certificates used with ACM-integrated services.
        • Export private certificates from ACM and use them with EC2 instances, containers, on-premises servers, and IoT devices. ACM Private CA automatically renews these certificates and sends an Amazon CloudWatch notification when the renewal is completed. You can write client-side code to download renewed certificates and private keys and deploy them with your application.
        • Create your own private keys, generate a certificate signing request (CSR), issue private certificates from your ACM Private CA, and manage the keys and certificates yourself. You are responsible for renewing and deploying these private certificates.
    • Imported certificates
      • If you want to use a third-party certificate with ACM-integrated services, you may import it into ACM using the AWS Management Console, AWS CLI, or ACM APIs. ACM does not manage the renewal process for imported certificates. You are responsible for monitoring the expiration date of your imported certificates and for renewing them before they expire. You can use the AWS Management Console to monitor the expiration dates of imported certificates and import a new third-party certificate to replace an expiring one.
    • CA certificates
      • ACM Private CA can issue certificates to identify private certificate authorities. These certificates allow CA administrators to create a private CA hierarchy, which provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower in the chain.
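Because ACM renews only the certificates it issued with its own key and CSR, the expiry of imported certificates has to be watched by you. As an added example (not code from the page or from AWS), the Go program below reads a constructed list of certificate records shaped like `aws acm describe-certificate` output and reports every certificate that ACM will not renew on its own and that expires within a threshold. The ARNs, domain names and dates are constructed; the field names (`Type`, `Status`, `NotAfter`, `RenewalEligibility`) follow the ACM API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"time"
)

// certRecord is the subset of an ACM certificate record used here. Type is
// AMAZON_ISSUED, IMPORTED or PRIVATE; RenewalEligibility is ELIGIBLE or
// INELIGIBLE (ACM renews ELIGIBLE certificates itself).
type certRecord struct {
	CertificateArn     string `json:"CertificateArn"`
	DomainName         string `json:"DomainName"`
	Type               string `json:"Type"`
	Status             string `json:"Status"`
	NotAfter           string `json:"NotAfter"`
	RenewalEligibility string `json:"RenewalEligibility"`
}

type finding struct {
	Arn, Domain, Reason string
	DaysLeft            int
}

// expiringWithoutManagedRenewal returns every issued certificate that ACM will
// not renew on its own and that expires within withinDays of now, soonest first.
func expiringWithoutManagedRenewal(raw []byte, now time.Time, withinDays int) ([]finding, error) {
	var certs []certRecord
	if err := json.Unmarshal(raw, &certs); err != nil {
		return nil, err
	}
	var out []finding
	for _, c := range certs {
		if c.Status != "ISSUED" || c.RenewalEligibility == "ELIGIBLE" {
			continue // not live, or ACM-managed renewal will take care of it
		}
		notAfter, err := time.Parse(time.RFC3339, c.NotAfter)
		if err != nil {
			return nil, fmt.Errorf("%s: bad NotAfter %q: %w", c.CertificateArn, c.NotAfter, err)
		}
		days := int(notAfter.Sub(now).Hours() / 24)
		if days > withinDays {
			continue
		}
		reason := "not eligible for managed renewal (private key/CSR not created by ACM)"
		if c.Type == "IMPORTED" {
			reason = "imported certificate: ACM never renews it"
		}
		out = append(out, finding{c.CertificateArn, c.DomainName, reason, days})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DaysLeft < out[j].DaysLeft })
	return out, nil
}

// Constructed sample: two imported certificates, one ACM-issued certificate
// that ACM will renew, and one private certificate issued from a customer CSR.
const sampleCertificates = `[
 {"CertificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000001",
  "DomainName":"legacy.example.com","Type":"IMPORTED","Status":"ISSUED",
  "NotAfter":"2024-03-10T00:00:00+00:00","RenewalEligibility":"INELIGIBLE"},
 {"CertificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000002",
  "DomainName":"vendor.example.com","Type":"IMPORTED","Status":"ISSUED",
  "NotAfter":"2024-09-06T00:00:00+00:00","RenewalEligibility":"INELIGIBLE"},
 {"CertificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000003",
  "DomainName":"www.example.com","Type":"AMAZON_ISSUED","Status":"ISSUED",
  "NotAfter":"2024-02-29T00:00:00+00:00","RenewalEligibility":"ELIGIBLE"},
 {"CertificateArn":"arn:aws:acm:us-east-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000004",
  "DomainName":"app.internal.example","Type":"PRIVATE","Status":"ISSUED",
  "NotAfter":"2024-02-24T00:00:00+00:00","RenewalEligibility":"INELIGIBLE"}
]`

func main() {
	now := time.Date(2024, 2, 19, 0, 0, 0, 0, time.UTC) // fixed "today" for the sample
	findings, err := expiringWithoutManagedRenewal([]byte(sampleCertificates), now, 30)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%3d days  %-22s %s\n          %s\n", f.DaysLeft, f.Domain, f.Arn, f.Reason)
	}
}
```

Against live data the JSON would come from the CLI (`aws acm list-certificates` to enumerate, then `describe-certificate` for each ARN) and `now` would be `time.Now()`; with the constructed input the report lists the private certificate (5 days left) and the legacy imported one (20 days) and stays silent about the ACM-issued certificate that is due sooner, because ACM renews that one itself.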

ACM Private Certificate Authority

    • ACM PCA allows you to create a private certificate authority (CA) and then use ACM to issue private certificates.
    • With ACM Private CA, you can create complete CA hierarchies, including root and subordinate CAs. A CA hierarchy provides strong security and restrictive access controls for the most-trusted root CA at the top of the trust chain, while allowing more permissive access and bulk certificate issuance for subordinate CAs lower in the chain.
    • A private CA handles the issuance, validation, and revocation of private certificates within a private network. It consists of two major components: the first is the CA certificate, a cryptographic building block upon which certificates can be issued; the second is a set of run-time services for maintaining revocation information through the Certificate Revocation List (CRL).
    • Benefits of a Private CA
      • Create certificates with any subject name you want.
      • Create certificates with any expiration date you want.
      • Use any supported private key algorithm and key length.
      • Use any supported signing algorithm.
      • Configure certificates in bulk using templates.
    • Automatic renewal is not available for ACM Private CA certificates for which ACM does not create the private key and certificate signing request (CSR).
    • You cannot copy private CAs between Regions. To use private CAs in more than one Region, you must create your CAs in those Regions.
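The root/subordinate hierarchy described above, together with the "bring your own key and CSR" way of getting a private certificate, can be exercised end to end with Go's standard crypto/x509 package. This is an added example, not ACM Private CA code; the CA names, hostnames and serial numbers are constructed. It builds a root CA that permits one level of subordinate CA, a subordinate CA allowed to issue only end-entity certificates, an end-entity certificate issued from a CSR the workload signed with its own key, and then shows what a verifier accepts: the chain with the subordinate present, not the leaf alone, and not a certificate that chains through an extra CA created under the subordinate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// hierarchy holds the root CA, the subordinate (issuing) CA and one end-entity
// certificate, plus their keys, so the checks below can build test chains.
type hierarchy struct {
	Root, Sub, Leaf          *x509.Certificate
	RootKey, SubKey, LeafKey *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// caTemplate is a CA certificate template; pathLen is how many further CAs may
// sit below it (0 means it may issue end-entity certificates only).
func caTemplate(cn string, pathLen int, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate is a server certificate template valid for 13 months.
func leafTemplate(serial int64, subject pkix.Name, dnsNames []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: subject, DNSNames: dnsNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 13, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// sign issues tmpl for public key pub under parent, using the parent's key.
func sign(tmpl, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	c, err := x509.ParseCertificate(der)
	must(err)
	return c
}

func buildHierarchy() hierarchy {
	rootKey := newKey()
	rootTmpl := caTemplate("Example Private Root CA", 1, 1)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	subKey := newKey()
	sub := sign(caTemplate("Example Issuing CA", 0, 2), root, &subKey.PublicKey, rootKey)

	// Third private-certificate option: the workload keeps its own key and hands
	// the CA only a CSR. The CA checks the CSR signature (proof that the requester
	// holds the key) before issuing, and copies the requested names into the cert.
	leafKey := newKey()
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "app.internal.example"}, DNSNames: []string{"app.internal.example"},
	}, leafKey)
	must(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	must(err)
	must(csr.CheckSignature())
	leaf := sign(leafTemplate(3, csr.Subject, csr.DNSNames), sub, csr.PublicKey, subKey)
	return hierarchy{root, sub, leaf, rootKey, subKey, leafKey}
}

// verifyLeaf validates the end-entity certificate against the root, with or
// without the subordinate CA certificate available as an intermediate.
func verifyLeaf(h hierarchy, withIntermediate bool) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: "app.internal.example"}
	opts.Roots.AddCert(h.Root)
	if withIntermediate {
		opts.Intermediates = x509.NewCertPool()
		opts.Intermediates.AddCert(h.Sub)
	}
	_, err := h.Leaf.Verify(opts)
	return err
}

// rogueSubCAFails shows the issuing CA's path-length constraint: a certificate
// that chains through a further CA created under it is rejected by verifiers.
func rogueSubCAFails(h hierarchy) bool {
	rogueKey := newKey()
	rogue := sign(caTemplate("Unauthorized Sub-Sub CA", 0, 4), h.Sub, &rogueKey.PublicKey, h.SubKey)
	victimKey := newKey()
	victim := sign(leafTemplate(5, pkix.Name{CommonName: "db.internal.example"},
		[]string{"db.internal.example"}), rogue, &victimKey.PublicKey, rogueKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: "db.internal.example"}
	opts.Roots.AddCert(h.Root)
	opts.Intermediates.AddCert(h.Sub)
	opts.Intermediates.AddCert(rogue)
	_, err := victim.Verify(opts)
	return err != nil
}

func main() {
	h := buildHierarchy()
	fmt.Println("leaf with subordinate CA present:", verifyLeaf(h, true))
	fmt.Println("leaf without subordinate CA:", verifyLeaf(h, false))
	fmt.Println("certificate via unauthorized sub-sub CA rejected:", rogueSubCAFails(h))
}
```

The path-length values are what encode the "restrictive root, permissive subordinate" split: the root signs only the subordinate CA and is otherwise kept offline, the subordinate does bulk issuance but cannot delegate further, and relying parties need the subordinate's certificate in the chain they receive.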

Domain Verification for Certificates

    • Before the Amazon certificate authority can issue a certificate for your site, AWS Certificate Manager must verify that you own or control all of the domain names that you specified in your request. You can choose either email validation or DNS validation when you request a certificate.
    • For DNS validation, ACM uses CNAME (Canonical Name) records to validate that you own or control a domain.
    • In the DNS validation console page, ACM provides you with a CNAME record that you must add to your DNS zone, whether it is hosted in Route 53 or with another DNS provider.
    • For email validation, ACM sends email to the 3 contact addresses listed in WHOIS and to 5 common system addresses for each domain that you specify. To validate the domain, one of the recipients must click on the approval link.
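The CNAME hand-off for DNS validation, as an added example that is not from the original page: a Go program reads a constructed `aws acm describe-certificate` response and produces the change batch that `aws route53 change-resource-record-sets --change-batch file://batch.json` would accept to publish the validation records. The ARN, hostnames and validation values are constructed (the `_<token>.acm-validations.aws.` shape is the one ACM uses); the field names follow the ACM and Route 53 APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// describeCertificateOutput is the subset of the describe-certificate response
// needed for DNS validation. ResourceRecord is absent for email-validated domains.
type describeCertificateOutput struct {
	Certificate struct {
		CertificateArn          string `json:"CertificateArn"`
		Status                  string `json:"Status"`
		DomainValidationOptions []struct {
			DomainName       string `json:"DomainName"`
			ValidationMethod string `json:"ValidationMethod"`
			ValidationStatus string `json:"ValidationStatus"`
			ResourceRecord   *struct {
				Name  string `json:"Name"`
				Type  string `json:"Type"`
				Value string `json:"Value"`
			} `json:"ResourceRecord"`
		} `json:"DomainValidationOptions"`
	} `json:"Certificate"`
}

// Route 53 ChangeBatch document.
type changeBatch struct {
	Comment string   `json:"Comment"`
	Changes []change `json:"Changes"`
}

type change struct {
	Action            string `json:"Action"`
	ResourceRecordSet rrset  `json:"ResourceRecordSet"`
}

type rrset struct {
	Name            string    `json:"Name"`
	Type            string    `json:"Type"`
	TTL             int       `json:"TTL"`
	ResourceRecords []rrValue `json:"ResourceRecords"`
}

type rrValue struct {
	Value string `json:"Value"`
}

// validationChangeBatch turns every still-pending DNS validation record in a
// describe-certificate response into a Route 53 UPSERT. Already-validated
// domains and email-validated domains (no ResourceRecord) are skipped.
func validationChangeBatch(raw []byte) (changeBatch, error) {
	var out describeCertificateOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return changeBatch{}, err
	}
	cb := changeBatch{Comment: "ACM DNS validation for " + out.Certificate.CertificateArn}
	seen := map[string]bool{}
	for _, d := range out.Certificate.DomainValidationOptions {
		rr := d.ResourceRecord
		if d.ValidationMethod != "DNS" || rr == nil || d.ValidationStatus == "SUCCESS" {
			continue
		}
		if rr.Type != "CNAME" {
			return changeBatch{}, fmt.Errorf("%s: unexpected validation record type %q", d.DomainName, rr.Type)
		}
		// example.com and *.example.com share one validation record; publish it once.
		if seen[rr.Name] {
			continue
		}
		seen[rr.Name] = true
		cb.Changes = append(cb.Changes, change{Action: "UPSERT", ResourceRecordSet: rrset{
			Name: rr.Name, Type: rr.Type, TTL: 300, ResourceRecords: []rrValue{{Value: rr.Value}},
		}})
	}
	return cb, nil
}

// Constructed sample: apex and wildcard pending (same record), one subdomain
// pending with its own record, and one subdomain already validated.
const sampleDescribeOutput = `{"Certificate": {
 "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
 "DomainName": "example.com", "Status": "PENDING_VALIDATION",
 "DomainValidationOptions": [
  {"DomainName": "example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
   "ResourceRecord": {"Name": "_0123abcd.example.com.", "Type": "CNAME", "Value": "_89efcdab.acm-validations.aws."}},
  {"DomainName": "*.example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
   "ResourceRecord": {"Name": "_0123abcd.example.com.", "Type": "CNAME", "Value": "_89efcdab.acm-validations.aws."}},
  {"DomainName": "www.example.com", "ValidationMethod": "DNS", "ValidationStatus": "PENDING_VALIDATION",
   "ResourceRecord": {"Name": "_fedc4567.www.example.com.", "Type": "CNAME", "Value": "_7654cdef.acm-validations.aws."}},
  {"DomainName": "api.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS",
   "ResourceRecord": {"Name": "_9999aaaa.api.example.com.", "Type": "CNAME", "Value": "_bbbb8888.acm-validations.aws."}}
 ]}}`

func main() {
	cb, err := validationChangeBatch([]byte(sampleDescribeOutput))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	enc := json.NewEncoder(os.Stdout)
	enc.SetIndent("", "  ")
	must(enc.Encode(cb))
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

The record is a plain CNAME in your zone, so the same output can be fed to any DNS provider; ACM keeps polling for it, and once every domain shows SUCCESS the certificate moves to ISSUED. Leaving the record in place is what lets ACM re-validate at renewal time without a new hand-off.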

AWS Certificate Manager Pricing

    • There is no additional charge for provisioning public or private SSL/TLS certificates you use with ACM-integrated services, such as Elastic Load Balancing and API Gateway.
    • You are billed for each active ACM Private CA per month, pro-rated.
    • For private certificates, ACM Private CA allows you to pay monthly for the service and certificates you create. You pay less per certificate as you create more private certificates.

Validate Your Knowledge

Question 1

A website is hosted in an Auto Scaling group of EC2 instances behind an Application Load Balancer in US West (N. California) region. There is a new requirement to place a CloudFront distribution in front of the load balancer to improve the site’s latency and lower the load on the origin servers. The Security Engineer must implement HTTPS communication from the client to CloudFront and then from CloudFront to the load balancer. A custom domain name must be used for your distribution and the SSL/TLS certificate should be generated from AWS Certificate Manager (ACM).

How many certificates should be generated by the Engineer in this scenario?

  1. Generate one certificate in the US West (N. California) region and one in the US East (Virginia) region.
  2. Generate two certificates in the US West (N. California) region.
  3. Generate one certificate in the US West (N. California) region.
  4. Generate one certificate in the US West (N. California) region and use the CloudFront default certificate in the US East (Virginia) region.

Correct Answer: 1

CloudFront assigns a default domain name to your distribution, for example, d111111abcdef8.cloudfront.net. If you use this domain name, then you can use the CloudFront default SSL/TLS certificate already selected for your distribution. If you use a different domain name for your distribution, it’s a best practice to do one of the following to avoid domain name-related certificate warnings:

– Request a public certificate from the AWS Certificate Manager.

– Import certificates into AWS Certificate Manager.

To use an ACM certificate with Amazon CloudFront, you must request or import the certificate in the US East (N. Virginia) region. ACM certificates in this region that are associated with a CloudFront distribution are distributed to all the geographic locations configured for that distribution.

If you want to require HTTPS between viewers and CloudFront, you must change the AWS region to US East (N. Virginia) in the AWS Certificate Manager console before you request or import a certificate. If you want to require HTTPS between CloudFront and your origin and you’re using an ELB load balancer as your origin, you can request or import a certificate in any region.

Hence, the correct answer is: Generate one certificate in the US West (N. California) region and one in the US East (Virginia) region. 

The option that says: Generate two certificates in the US West (N. California) region is incorrect because you only need one certificate in the US West (N. California) region for the HTTPS connection between CloudFront and your origin (ELB). The second one should be a certificate in the US East (Virginia) region to handle HTTPS between your viewers and the CloudFront distribution.

The option that says: Generate one certificate in the US West (N. California) region is incorrect because a single certificate is not enough. You can’t use a certificate generated from US West for your CloudFront distribution. You have to generate and use another one in the US East (Virginia) region.

The option that says: Generate one certificate in the US West (N. California) region and use the CloudFront default certificate in the US East (Virginia) region is incorrect because the scenario clearly says that you have to use a custom domain name for your distribution, and not the default one. Hence, you have to use a certificate generated from, or imported to, ACM.

References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
https://aws.amazon.com/certificate-manager/faqs/?nc=sn&loc=5
https://aws.amazon.com/premiumsupport/knowledge-center/install-ssl-cloudfront/

SNI Custom SSL vs Dedicated IP Custom SSL:
https://tutorialsdojo.com/sni-custom-ssl-vs-dedicated-ip-custom-ssl/

AWS Certificate Manager Cheat Sheet References:

https://aws.amazon.com/certificate-manager/
https://aws.amazon.com/certificate-manager/faqs/
https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.