On foot of the recent launch of the AWS Certificate Manager service, we decided to check it out. Here are some of our highlights along with some noteworthy items you may find helpful.
- The acronym for the new service is ACM (AWS Certificate Manager).
- You can programmatically generate certificates, using either the AWS command-line tools or via their APIs (see below).
- Certificates generated via ACM are free of charge.
- The certificates will automatically renew each year.
- Wildcard certificates are also fully supported.
Important to Note
- You can only use the certificates within AWS and so cannot extract them to use with externally hosted web servers.
- Even though you can programmatically generate certificates, there is still a manual validation process that needs to be completed.
- This validation process will be triggered as part of the automatic annual renewal of certificates.
- When generating wildcard certificates (e.g. *.acme.example.com), you must also ensure that you include the non-wildcard (base) address as a Subject Alternative Name so that visitors to the site using only that base address (e.g. https://acme.example.com) will avoid security warnings.
- You do not appear to have control over the name/id of the generated certificate, so if you had devised some tooling around a naming convention for your previous certs (imported from another provider), the ACM certs may not work with this.
This command will generate a wildcard certificate in you default region using your default AWS profile (i.e. account):
$ aws acm request-certificate --domain-name *.acme.example.com --subject-alternative-names acme.example.com
This command shows how to specify the region and profile to be used for the new certificate:
$ aws acm request-certificate --profile default --region us-east-1 --domain-name *.acme.example.com --subject-alternative-names acme.example.com
For more details about the AWS Certificate Manager service, visit https://aws.amazon.com/certificate-manager.