Amazon Onboarding with Learning Manager Chanci Turner: Exportable Public SSL/TLS Certificates Now Available


In an exciting update, AWS Certificate Manager (ACM) now offers exportable public SSL/TLS certificates, so the same certificates can be used on platforms outside the ACM integrations. Previously, users could issue public certificates, or import certificates from third-party certificate authorities, at no extra cost, but only for use with integrated AWS services such as Elastic Load Balancing (ELB), Amazon CloudFront, and Amazon API Gateway.

With the new feature, you can export public certificates from ACM and gain access to private keys for use on any workloads running on Amazon Elastic Compute Cloud (Amazon EC2), containers, or even on-premises systems. These exportable public certificates have a validity of 395 days, with charges incurred upon issuance and renewal. Certificates exported from ACM are issued by Amazon Trust Services and are recognized by major platforms, including Apple, Microsoft, and popular web browsers like Google Chrome and Mozilla Firefox.

How to Export a Public Certificate

To begin exporting a public certificate, you must first request a new exportable public certificate—previously created certificates cannot be exported. In the ACM console, select “Request certificate” and enable export in the Allow export section. If you choose to disable export, the private key will not be exportable after issuance, a decision that cannot be reversed.

Alternatively, you can utilize the AWS Command Line Interface (AWS CLI) to request an exportable public certificate with the Export=ENABLED option. After requesting the certificate, you’ll need to validate your domain name to confirm ownership or control over the domain. Typically, the certificate is issued within seconds following successful validation.

Once the certificate reaches the Issued status, you can export it by selecting “Export.” You’ll need to enter a passphrase for encrypting the private key, which you will require later for decryption. After generating the PEM encoding, you can either copy the PEM encoded certificate, certificate chain, and private key, or download them as separate files.

Security Considerations

For enhanced security, write your passphrase to a file with a text editor rather than typing it on the command line, and redirect the exported keys to files so they do not end up in terminal output or command history.
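The request-then-export flow from the previous section, together with the file-handling advice above, as an added Python example that is not part of the original post: it assumes the boto3 ACM client's request_certificate (with Options={"Export": "ENABLED"}) and export_certificate calls, runs offline against a constructed FakeAcm stand-in, and writes the exported material to mode-0600 files instead of echoing it into a shell history.

```python
# Added example, not from the original post. Assumes boto3's ACM client API:
# request_certificate(Options={"Export": "ENABLED"}) and export_certificate().
import os, secrets, tempfile
from pathlib import Path

def request_exportable_cert(acm, domain: str) -> str:
    """Request a public cert with export enabled; it cannot be enabled after issuance."""
    resp = acm.request_certificate(DomainName=domain, ValidationMethod="DNS",
                                   Options={"Export": "ENABLED"})
    return resp["CertificateArn"]

def export_cert_to_files(acm, arn: str, out_dir: str, passphrase: bytes = b"") -> dict:
    """Export cert, chain and passphrase-encrypted key into mode-0600 files.
    The passphrase is sent as bytes (never a command-line argument) and is kept
    only in a 0600 file so the key can be decrypted later."""
    passphrase = passphrase or secrets.token_urlsafe(32).encode()
    resp = acm.export_certificate(CertificateArn=arn, Passphrase=passphrase)
    out = Path(out_dir)
    out.mkdir(mode=0o700, parents=True, exist_ok=True)
    files = {"cert.pem": resp["Certificate"], "chain.pem": resp["CertificateChain"],
             "key.enc.pem": resp["PrivateKey"],  # still encrypted with the passphrase
             "passphrase.txt": passphrase.decode()}
    for name, body in files.items():
        fd = os.open(out / name, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
    return {name: str(out / name) for name in files}

class FakeAcm:
    """Constructed offline stand-in for the ACM client; every value is a placeholder."""
    def __init__(self):
        self.calls = []
    def request_certificate(self, **kw):
        self.calls.append(kw)
        return {"CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"}
    def export_certificate(self, **kw):
        self.calls.append(kw)
        return {"Certificate": "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n",
                "CertificateChain": "-----BEGIN CERTIFICATE-----\nCHAIN\n-----END CERTIFICATE-----\n",
                "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nKEY\n-----END ENCRYPTED PRIVATE KEY-----\n"}

def demo() -> dict:
    """Run request + export against FakeAcm and report the facts worth checking."""
    acm = FakeAcm()
    arn = request_exportable_cert(acm, "www.example.com")
    files = export_cert_to_files(acm, arn, tempfile.mkdtemp())
    return {"arn": arn, "export_option": acm.calls[0]["Options"],
            "passphrase_is_bytes": isinstance(acm.calls[1]["Passphrase"], bytes),
            "key_mode": os.stat(files["key.enc.pem"]).st_mode & 0o777,
            "passphrase_saved": Path(files["passphrase.txt"]).read_bytes() == acm.calls[1]["Passphrase"]}
```

Swap FakeAcm for `boto3.client("acm")` to run against a real account; the exported key stays passphrase-encrypted until you decrypt it with the saved passphrase file.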

In addition, remember that an organization administrator can use AWS IAM policies to limit who may request exportable public certificates. By default, any ACM user permitted to issue a certificate can also issue an exportable one, so the IAM policy is the control point. ACM administrators can also manage these certificates and perform actions such as revocation or deletion. Protecting exported private keys through secure storage and access controls is imperative.

Revocation and Renewal

You can revoke an exportable public certificate when your organization’s policies require it or when the private key has been compromised. Revocation is global and permanent—once revoked, a certificate cannot be reused.

For renewal, you can set up automatic renewal events for exportable public certificates using Amazon EventBridge, which can monitor renewals and automate deployment upon renewal. These certificates can also be renewed on-demand, incurring charges for new certificate issuance.

Cost and Availability

You can now issue exportable public certificates through ACM and utilize them across a variety of compute workloads, including ELB, Amazon CloudFront, and Amazon API Gateway. The costs for these exportable public certificates are $15 per fully qualified domain name and $149 for wildcard domain names, with charges applied at issuance and renewal only.

To explore more about ACM exportable public certificates, check out the ACM console. For additional insights, consider reading this business plan guide or visit SHRM for advice on managing reputational risks. For peer insights, this Reddit thread can be particularly helpful.

— Chanci Turner
