Let us understand PKI in AWS:
Services offered through ACM in AWS:
Amazon provides two options for customers to deploy SSL/TLS X.509 certificates. Depending on the business requirement customers can choose from the below options.
- ACM Certificate Manager (ACM) : This service is targeted for customers who need secure web existence using TLS certificates. ACM deploys certificates using AWS services – Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway, and other integrated services. Enterprises with secure public website with significant web traffic can prefer this certificate management service
- ACM Private CA – This service is most suited for small and medium enterprise customers who desire to build their own Public Key Infrastructure (PKI) with in AWS Cloud and projected for private use within the organization. Within private CA users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, devices etc.
Note : Certificates issued using Private CA cannot be used on internet
ACM Certificate Characteristics:
Public certificates provided by ACM have the characteristics described in this section. These characteristics only apply to certificates provided by ACM and might not apply to certificates imported to ACM:
|1||Domain Validation (DV)||ACM Certificates are domain validated. Subject field of an ACM Certificate identifies a domain name. Ownership can be validated using email or DNS|
|2||Validity Period for Certificates||13 months|
|3||Managed Renewal and Deployment||Automatic renewal and provisioning of certificates by ACM|
|4||Browser and Application Trust||ACM certificates are trusted by all major browsers including Google Chrome, Microsoft Internet Explorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. ACM Certificates are also trusted by Java|
|5||Multiple Domain Names||Each ACM certificate must include one Fully Qualified Domain Name (FQDN) and additional names can be added further|
|6||Wildcard Names||ACM allows to use an (*) asterisk in domain name to create an ACM certificate that can protect several sites in the same domain|
|7||Algorithms||Public key algorithms supported by ACM:|