93
votes

AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore.

They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.

Is there any way to use the certificate with EC2?

4
you could have a look at letsencrypt.org for free and trustable certificates, with contributors such as chrome and facebook it looks pretty goodTom
Ow I didn't know about this. However I think they are right to not allow this. Could you rather create aliases on another domain (through Route53 for example) and not use the default aws dns name provided?Tom
I have just recently come across a video [April - 2020] where they create an SSL \ TLS certificate with AWS Certificate Manager and then put it onto an EC2 Instance behind a load balancer. youtu.be/bWPTq8z1vFY It was really helpful.nktsamba

4 Answers

111
votes

Q: Can I use certificates on Amazon EC2 instances or on my own servers?

No. At this time, certificates provided by ACM can only be used with specific AWS services.


Q: With which AWS services can I use certificates provided by ACM?

You can use ACM with the following AWS services:

• Elastic Load Balancing

• Amazon CloudFront

• AWS Elastic Beanstalk

• Amazon API Gateway

https://aws.amazon.com/certificate-manager/faqs/

You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.

You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.

2
votes

No, you cannot use aws certificate manager for deploying certs on EC2. The certificate manager certs can only be deployed against cloudfront and elastic load balancer. Inoredr to use it on ec2, you need to put elb on top of ec2, so that request from client to load balancer will be https protected and from elb to ec2 webserver will be on http.

2
votes

If you are using AWS ACM Cert for internal purpose only then you could probably use AWS ACM Private CA to issue the certs.(I think you can use it for public/external traffic purpose as well if your root CA is publicly trusted CA).

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html

During Application/EC2/Container startup, set a step to export your ACM Private CA issued Cert/Private Key to your destination and start referring that for serving the traffic.

https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html

One good thing is, you can control who can call export cert feature using IAM Role so not everyone can download private key of the cert.

One downside with this is, private CA is expensive AWS service($400/month). https://aws.amazon.com/certificate-manager/pricing/

0
votes

Adding to the comments above, you can't use the AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to ec2 on a Windows server running IIS and it's pretty easy:

  1. Associate an elastic ip with your ec2 instance.

  2. Make sure you have a registered domain. You can't use ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.

  3. Through your domain provider's DNS settings have your domain point to your Elastic IP.

  4. Connect to your ec2 instance and add your domain name to the site bindings.

  5. Go to https://github.com/PKISharp/win-acme/releases

  6. Look under assets, and use the latest version (win-acme.v2.0.10.444.zip for example). This is the only assets folder that you need.

  7. Unzip the folder, open the terminal as administrator, and cd into the unzipped folder.

  8. Run wacs.exe and follow the prompts.

  9. Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.

I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help, but it's the same idea.

https://www.youtube.com/watch?v=fq5OUOjumuM

Also this article might be helpful:

https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows