AWS Certificate Manager Unveils Exportable Public SSL/TLS Certificates for Universal Use


Today, we are excited to announce the introduction of exportable public SSL/TLS certificates through AWS Certificate Manager (ACM). Previously, users could issue public certificates or import certificates from third-party certificate authorities (CAs) at no additional cost, seamlessly deploying them with AWS services such as Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon API Gateway.

Now, with the launch of exportable public certificates, you can access private keys and utilize them across various workloads on Amazon Elastic Compute Cloud (Amazon EC2) instances, containers, or even on-premises environments. These exportable public certificates remain valid for 395 days, incurring a fee upon issuance and renewal. Certificates issued by Amazon Trust Services are recognized and trusted by major platforms, including Apple and Microsoft, as well as popular web browsers like Google Chrome and Mozilla Firefox.

Getting Started with Exportable Public Certificates

To begin using exportable public certificates, you need to request a new certificate with the export feature enabled. Previously created public certificates cannot be exported. To initiate this process, navigate to the ACM console and select “Request certificate,” ensuring you enable the export option in the Allow export section. If you choose to disable export, the private key stays locked inside ACM and cannot be exported after issuance.

Alternatively, you can utilize the request-certificate command via the AWS Command Line Interface (AWS CLI) with the Export=ENABLED option. Here’s an example command:

aws acm request-certificate \
  --domain-name mydomain.com \
  --key-algorithm EC_prime256v1 \
  --validation-method DNS \
  --idempotency-token <token> \
  --options CertificateTransparencyLoggingPreference=DISABLED,Export=ENABLED

After requesting the certificate, you must validate your domain to demonstrate ownership or control. Typically, the certificate is issued within seconds post-validation. Once the status changes to “Issued,” you can export your public certificate by clicking “Export.”

During the export process, you will set a passphrase to encrypt the private key, which you will need to decrypt it later. You can generate PEM encoding for the public key as well. This allows you to copy the PEM encoded certificate, certificate chain, and private key or download them into individual files.

For additional security, write your passphrase to a file with a text editor rather than typing it on the command line, and send the exported keys to a file as well, so that neither the passphrase nor the key material ends up in your shell history. Here’s how to export your certificate and private key:

aws acm export-certificate \
  --certificate-arn arn:aws:acm:us-east-1:<accountID>:certificate/<certificateID> \
  --passphrase fileb://path-to-passphrase-file \
  | jq -r '"\(.Certificate)\(.CertificateChain)\(.PrivateKey)"' \
  > /tmp/export.txt
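The jq pipeline above concatenates the certificate, chain and encrypted key into a single file. As an added example (not code from the original post or from AWS), the script below instead takes the raw export-certificate JSON, checks that the three fields have the shape described above (one leaf certificate, a non-empty chain, and a passphrase-encrypted PKCS#8 key), and writes the key to its own owner-only file; the sample response and its PEM bodies are constructed placeholders.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample of the `aws acm export-certificate` JSON response; the PEM
# bodies are placeholders, not real key material (field names as in the API).
SAMPLE_EXPORT = json.dumps({
    "Certificate": "-----BEGIN CERTIFICATE-----\nMIIBleaf...\n-----END CERTIFICATE-----\n",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nMIIBint...\n-----END CERTIFICATE-----\n"
                        "-----BEGIN CERTIFICATE-----\nMIIBroot...\n-----END CERTIFICATE-----\n",
    "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIBkey...\n"
                  "-----END ENCRYPTED PRIVATE KEY-----\n",
})
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n", re.DOTALL)

def pem_blocks(text):
    """Return (label, block) pairs for every PEM block in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def split_export(raw_json, out_dir):
    """Write fullchain.pem and an owner-only privkey.pem from an export response.
    Raises ValueError if the response is not the documented shape."""
    resp = json.loads(raw_json)
    leaf = pem_blocks(resp["Certificate"])
    chain = pem_blocks(resp["CertificateChain"])
    key = pem_blocks(resp["PrivateKey"])
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("expected exactly one leaf certificate")
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("certificate chain is empty or malformed")
    # ACM returns the key encrypted with the export passphrase; refuse anything else.
    if len(key) != 1 or key[0][0] != "ENCRYPTED PRIVATE KEY":
        raise ValueError("expected one passphrase-encrypted PKCS#8 private key")
    os.makedirs(out_dir, exist_ok=True)
    with open(os.path.join(out_dir, "fullchain.pem"), "w") as f:
        f.write(leaf[0][1] + "".join(block for _, block in chain))
    key_path = os.path.join(out_dir, "privkey.pem")
    # Create the key file 0600 at open time, independent of the caller's umask.
    with os.fdopen(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        f.write(key[0][1])
    os.chmod(key_path, 0o600)  # also covers a pre-existing, more permissive file
    return {"chain_length": 1 + len(chain),
            "key_mode": stat.S_IMODE(os.stat(key_path).st_mode)}

def demo():
    """Split the constructed sample into a fresh temporary directory."""
    return split_export(SAMPLE_EXPORT, tempfile.mkdtemp())
```

To use it on a real export, feed the output of `aws acm export-certificate` (without the jq step) to split_export and point your web server at the two files it writes.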

With these exported public certificates, you can secure any workload requiring SSL/TLS communication, including Amazon EC2 instances. For a deeper dive, visit the guide on configuring SSL/TLS on your EC2 instances.

Important Considerations

  • Key Security: Organization administrators can set AWS IAM policies to control which roles and users can request exportable public certificates. Those already authorized to issue certificates will automatically have the same permissions for exportable certificates. ACM administrators can manage these certificates and perform actions like revocation or deletion. It’s crucial to protect exported private keys with secure storage and access controls.
  • Revocation: If necessary, you may need to revoke exportable public certificates to align with organizational policies or to address key compromise issues. Only previously exported certificates can be revoked, and this action is irreversible. For more information, check out this article on revoking public certificates in AWS documentation.
  • Renewal: You can automate renewal monitoring for exportable public certificates using Amazon EventBridge, which can help facilitate certificate deployment during renewals. Certificates can also be renewed on-demand, with fees applicable for new issuance. More details can be found in the AWS documentation on force certificate renewal.

Now Available

You can now issue and export public certificates from ACM, complete with private keys for use in various computing environments, as well as with services like ELB, Amazon CloudFront, and Amazon API Gateway. There is an additional charge of $15 for each fully qualified domain name and $149 for wildcard domain names when creating an exportable public certificate. This fee is charged once for the certificate’s lifespan, and you’ll incur the same charge upon renewal.

Explore ACM’s exportable public certificates in the ACM console and visit the ACM Documentation page for further insights. We welcome your feedback on AWS re:Post for ACM or through your usual AWS Support channels.

— Chanci Turner
