Secure Your Infrastructure With Certificates Using AWS Certificate Manager
Read time: 14 minutes, 33 seconds
A digital certificate is a crucial component in securing infrastructure and ensuring the authenticity of users, applications, devices, servers, and more. The digital certificate provides a way to perform authentication and authorize services and execute tasks such as initiating HTTPS connection, establishing an encrypted connection using asymmetric encryption, and check if a user, website, or device is authentic. Digital certificates replace the username/password combination used for authentication and also introduces more functionalities. For example, if two parties intend to initiate a secure connection using public keys, the public key would be attached to the digital certificate. This rapidly reduces the chances of man in the middle attacks and keeps the connection secure.
But managing these digital certificates needs proper infrastructure. Digital certificates are issued by Certificate Authorities (CA). If a public trusted CA issues the digital certificate, then all browsers would automatically trust the certificate after checking if the certificate is valid. If the CA is not trusted, or the certificate is self-signed (implying not issued by CA), then either we would need to explicitly trust the certificate or get a warning in the browser.
AWS Certificate Manager (ACM) provides a way to create, store and renew public and private SSL/TLS X.509 certificates, including the public and private keys. These certificates can be used to secure websites and applications hosted on AWS.
Amazon Web Services Certificate Manager (ACM)
AWS Certificate Manager is a service by Amazon that lets a user provision, manage, and deploy public and private SSL/TLS certificates that can be used with AWS services and internal connected resources. SSL/TLS certificates would be used to establish a secure network connection and prove a website’s identity and resources in a private network. ACM acts to purchase, manage and renew SSL/TLS certificates and deploy them into the infrastructure, directly saving time and improving manageability.
AWS offers two options to customers deploying managed X.509 certificates. Organizations can choose the best one for their needs.
- AWS Certificate Manager (ACM)
- ACM Private CA
ACM Private CA
ACM Private CA is a service for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization. With ACM Private CA, users can create their certificate authority (CA) hierarchy and issue certificates to authenticate users, computers, applications, services, servers, and other devices. Certificates issued by a private CA cannot be used on the internet.
AWS Certificate Manager generates X.509 version 3 certificates. Each certificate is valid for 13 months and contains the following extensions:
- Basic Constraints- specifies whether the subject of the certificate is a certification authority (CA).
- Authority Key Identifier- enables identification of the public key corresponding to the private key used to sign the certificate.
- Subject Key Identifier- enables identification of certificates that contain a particular public key.
- Key Usage- defines the purpose of the public key embedded in the certificate.
- Extended Key Usage- specifies one or more purposes for which the public key may be used in addition to the purposes identified by the Key Usage extension.
- CRL Distribution Points- specifies where CRL information can be obtained.
ACM Root CAs
|Distinguished Name||Encryption Algorithm|
|CN=Amazon Root CA 1, O=Amazon, C=US||2048-bit RSA (RSA_2048)|
|CN=Amazon Root CA 2, O=Amazon, C=US||4096-bit RSA (RSA_4096)|
|CN=Amazon Root CA 3, O=Amazon, C=US||Elliptic Prime Curve 256 bit (EC_prime256v1)|
|CN=Amazon Root CA 4, O=Amazon, C=US||Elliptic Prime Curve 384 bit (EC_secp384r1)|
The default root of trust for ACM-issued certificates is CN=Amazon Root CA 1, O=Amazon, C=US, which offers 2048-bit RSA security. The other roots are reserved for future use. All of the roots are cross-signed by the Starfield Services Root Certificate Authority certificate.
ACM Certificate characteristics
Certificates provided by ACM have specific characteristics applied to them. If the certificate is imported into the ACM, the characteristics might not apply. The characteristics in public certificates are:
- Domain Validation: ACM certificates are domain validated which is attached to the subject field of an ACM certificate. When an ACM certificate is requested, the organization must validate that they own, control, and manage all the domains specified in the request. Users can validate domain ownership by using email or via DNS.
- Validity Period: The validity period for ACM certificates is 13 months or 395 days.
- Managed Renewal and Deployment: ACM manages the process of renewing ACM certificates and provisioning the certificates after they are renewed. Automatic renewal can help organizations avoid downtime due to incorrectly configured, revoked, or expired certificates.
- Browser and application trust:
ACM certificates are trusted by all major browsers, including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. Browsers that trust ACM certificates display a lock icon in their status bar or address bar when connected by SSL/TLS to sites that use ACM certificates. Java also trusts ACM certificates.
- Multiple domain names: Each ACM certificate must include at least one fully qualified domain name (FQDN), and users can add additional names if they want. For example, when users create an ACM certificate for www.encryptionconsulting.com, users can also add the name www. encryptionconsulting.net if they can reach their site using either name. This is also true of bare domains (also known as the zone apex or naked domains). That is, users can request an ACM certificate for www. encryptionconsulting.com and add the name encryptionconsulting.com.
- Wildcard domain names: ACM allows users to use an asterisk (*) in the domain name to create an ACM certificate containing a wildcard name that can protect several sites in the same domain. For example, *.encryptionconsulting.com covers www.encryptionconsulting.com and images.encryptionconsulting.com.
- Algorithms: A certificate must specify an algorithm and key size. Currently, the following public-key algorithms are supported by ACM:
- 2048-bit RSA (RSA_2048)
- 4096-bit RSA (RSA_4096)
- Elliptic Prime Curve 256 bit (EC_prime256v1)
- Elliptic Prime Curve 384 bit (EC_secp384r1)
Disadvantages of using ACM Certificate
- ACM does not provide extended validation (EV) certificates or organization validation (OV) certificates.
- ACM does not provide certificates for anything other than the SSL/TLS protocols.
- Organizations cannot use ACM certificates for email encryption.
- ACM allows only UTF-8 encoded ASCII for domain names, including labels that contain “xn--” (Punycode). ACM does not accept Unicode input (u-labels) for domain names.
- ACM does not currently permit users to opt-out of managed certificate renewal for ACM certificates. Also, managed renewal is not available for certificates that organizations import into ACM.
- Users cannot request certificates for Amazon-owned domain names such as those ending in amazonaws.com, cloudfront.net, or elasticbeanstalk.com.
- Users cannot download the private key for an ACM certificate.
- Users cannot directly install ACM certificates on their Amazon Elastic Compute Cloud (Amazon EC2) website or application. Users can, however, use their certificate with any integrated service.
Services integrated with AWS Certificate Manager
AWS Certificate Manager supports a growing number of AWS services. Organizations cannot install their ACM certificate or their private ACM Private CA certificate directly on their AWS-based website or application.
- Elastic Load Balancing: Elastic Load Balancing automatically distributes the organization’s incoming application traffic across multiple Amazon EC2 instances. It detects unhealthy instances and reroutes traffic to healthy instances until the unhealthy instances have been restored. Elastic Load Balancing automatically scales its request handling capacity in response to incoming traffic.
In general, to serve secure content over SSL/TLS, load balancers require that SSL/TLS certificates be installed on either the load balancer or the back-end Amazon EC2 instance. ACM is integrated with Elastic Load Balancing to deploy ACM certificates on the load balancer.
- Amazon CloudFront: Amazon CloudFront is a web service that speeds up the distribution of an organization’s dynamic and static web content to end-users by delivering their content from a worldwide network of edge locations. When an end-user requests content that they are serving through CloudFront, the user is routed to the edge location that provides the lowest latency. This ensures that content is delivered with the best possible performance. If the content is currently at that edge location, CloudFront delivers it immediately. If the content is not currently at that edge location, CloudFront retrieves it from the Amazon S3 bucket or web server that users have identified as the definitive content source.
To serve secure content over SSL/TLS, CloudFront requires that SSL/TLS certificates be installed on either the CloudFront distribution or on the backed content source. ACM is integrated with CloudFront to deploy ACM certificates on the CloudFront distribution.
- AWS Elastic Beanstalk: Elastic Beanstalk helps users deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. AWS Elastic Beanstalk reduces management complexity. Users upload their applications, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and health monitoring. Elastic Beanstalk uses the Elastic Load Balancing service to create a load balancer.
Yours must configure the load balancer for their application in the Elastic Beanstalk cons to choosing a certificate role.
- Amazon API Gateway: With the proliferation of mobile devices and the Internet of Things (IoT), it has become increasingly common to create APIs that can be used to access data and interact with back-end systems on AWS. Users can use API Gateway to publish, maintain, monitor, and secure their APIs. After the user deploys their API to API Gateway, users can set up a custom domain name to simplify access. To set up a custom domain name, users must provide an SSL/TLS certificate. They can use ACM to generate or import the certificate.
- AWS Nitro Enclaves: AWS Nitro Enclaves is an Amazon EC2 feature that allows users to create isolated execution environments, called enclaves, from Amazon EC2 instances. Enclaves are separate, hardened, and highly constrained virtual machines. They provide only secure local socket connectivity with their parent instance. They have no persistent storage, interactive access, or external networking. Users cannot SSH into an enclave. The data and applications inside the enclave cannot be accessed by the parent instance’s processes, applications, or users (including root or admin).
- AWS CloudFormation: AWS CloudFormation helps users’ model and set up their Amazon Web Services resources. Users create a template that describes the AWS resources they want to use, such as Elastic Load Balancing or API Gateway. Then AWS CloudFormation takes care of provisioning and configuring those resources for them. Users don’t need to individually create and configure AWS resources and figure out what’s dependent on what; AWS CloudFormation handles all of that. ACM certificates are included as a template resource, which means that AWS CloudFormation can request ACM certificates that users can use with AWS services to secure connections.
With the powerful automation provided by AWS CloudFormation, it is easy to exceed their certificate quota, especially with new AWS accounts.
Data Protection in AWS Certificate Manager
The AWS shared responsibility model applies to data protection in AWS Certificate Manager. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. Organizations are responsible for maintaining control over their content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that organizations use.
We recommend that organizations protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM) for data protection purposes. That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that organizations secure their data in the following ways:
- Use multi-factor authentication (MFA) with each account.
- Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
- Set up API and user activity logging with AWS CloudTrail.
- Use AWS encryption solutions, along with all default security controls within AWS services.
- Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.
- If users require FIPS 140-2 validated cryptographic modules when accessing AWS through a command-line interface or an API, use a FIPS endpoint.
We strongly recommend that users never put sensitive identifying information, such as their customers’ account numbers, into free-form fields such as a Name field. This includes when users work with ACM or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that they enter into ACM or other services might get picked up for inclusion in diagnostic logs. When they provide a URL to an external server, don’t include credentials information in the URL to validate their request to that server.
ACM Private Key security
When users request a public certificate (p. 30), AWS Certificate Manager (ACM) generates a public/ private key pair. For imported certificates (p. 54), users generate the key pair. The public key becomes part of the certificate. ACM stores the certificate and its corresponding private key and uses AWS Key Management Service (AWS KMS) to help protect the private key. The process works like this:
- The first-time users request or import a certificate in an AWS Region, ACM creates an AWS managed customer master key (CMK) in AWS KMS with the alias AWS/ACM. This CMK is unique in each AWS account and each AWS Region.
- ACM uses this CMK to encrypt the certificate’s private key. ACM stores only an encrypted version of the private key; ACM does not store the private key in plaintext. ACM uses the same CMK to encrypt the private keys for all certificates in a specific AWS account and a specific AWS Region.
- When users associate the certificate with a service integrated with AWS Certificate Manager, ACM sends the certificate and the encrypted private key to the service. A grant is also created in AWS KMS, allowing the service to use the CMK in AWS KMS to decrypt the certificate’s private key.
- Integrated services use the CMK in AWS KMS to decrypt the private key. Then the service uses the certificate and the decrypted (plaintext) private key to establish secure communication channels (SSL/ TLS sessions) with its clients.
- When the certificate is disassociated from an integrated service, the grant created in step 3 is retired. This means the service can no longer use the CMK in AWS KMS to decrypt the certificate’s private key.
Request a public certificate using the console
To request an ACM general certificate (console):
- Sign in to the AWS Management Console and open the ACM console Choose request a certificate.
- On the request a certificate page, choose the request a public certificate and request a certificate to continue.
- On the Add domain names page, type their domain name. Users can use a fully qualified domain name (FQDN), such as www.encryptionconsulting.com, or a bare or apex domain name such as encryptionconsulting.com. Users can also use an asterisk (*) as a wild card in the leftmost position to protect several site names in the same domain. For example, *.encryptionconsulting.com protects corp.encryptionconsulting.com and images.encryptionconsulting.com. The wild card name will appear in the Subject field and the Subject Alternative Name extension of the ACM certificate.
- To add another name, choose to add another name to this certificate and type the name in the text box. This is useful for protecting both a bare or apex domain (such as encryptionconsulting.com) and subdomains such as *.encryptionconsulting.com).
- On the Select validation method page, choose either DNS validation or Email validation, depending on their needs.
Before ACM issues a certificate, it validates that user own or control the domain names in their certificate request. Users can use either email validation or DNS validation. If they choose email validation, ACM sends validation emails to three contact addresses registered in the WHOIS database and five common system administration addresses for each domain name. Users or an authorized representative must reply to one of these email messages.
- On the Add Tags page, users can optionally tag their certificate. Tags are key/value pairs that serve as metadata for identifying and organizing AWS resources.
When users finish adding tags, choose Review.
- If the Review page contains correct information about their request, choose Confirm and request. A confirmation page shows that their request is being processed and that certificate domains are being validated. Certificates awaiting validation are in the Pending validation state.
AWS Services by Encryption Consulting
Encryption Consulting provides AWS Data Protection Services, where we provide our expertise on scalability, cost-effectiveness, and ease of implementation. Amazon Web Services (AWS) is a leading cloud service provider with a wide range of services. It is estimated that 41.5% of total cloud users are consumers of AWS Cloud Services. Amazon has over 1 million users in 190 countries. One-third of internet users are estimated to visit a website using Amazon Web Services. With such a vast customer base and services, there is an imminent threat of data breach and loss.
Organizations utilizing AWS web services and applications are responsible for securing their sensitive and critical data stored in the cloud. Amazon Web Services (AWS) provides easy deployment and management of its IT operations; however, a challenge is that mistakes can happen and cascade to a more significant impact.
For instance, the misconfiguration of a data store can expose sensitive information such as personally identifiable information (PII), payment card industry (PCI) data, or protected health information (PHI).
A reputed marketing analytics company did not configure appropriate security controls on an Amazon Simple Storage Service (Amazon S3) within their AWS environment in a recent breach event. As a result of this misconfiguration of AWS, data related to 123 million households were leaked, including sensitive data such as home addresses, occupation, and mortgage information.
Encryption Consulting LLC will help your organization with its expertise in Cloud platforms and security services in deploying data protection controls in your AWS Cloud environment. Learn more about our services here. Also, you can read about a case study we did on Data Protection Service here.
AWS Certificate Management provides a way to manage SSL/TLS certificates easily and integrate those certificates in the AWS environment to keep devices, websites, and infrastructure secure. Even though regular SSL/TLS certificates are used, ACM has a few advantages and disadvantages, making it different from how SSL/TLS certificates have typically been used. In Encryption Consulting, we provide a detailed assessment and solution to organizations that make secure and scalable infrastructure while maintaining efficiency and keeping minimal cost.