Date: 2017-06-05

Amazon Web Services (AWS) recently announced its AWS Certificate Manager service in the AWS GovCloud (US) region, which lets users provision, manage, and deploy Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the internet.

AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. With AWS Certificate Manager, users can request a certificate, deploy it on AWS resources such as Elastic Load Balancers or Amazon CloudFront distributions, and let AWS Certificate Manager handle certificate renewals. SSL/TLS certificates provisioned through AWS Certificate Manager are free, and customers pay only for the AWS resources they create to run their application.

SSL/TLS certificates allow web browsers to identify and establish encrypted network connections to web sites using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are used within a cryptographic system known as public key infrastructure (PKI). PKI provides a way for one party to establish the identity of another party using certificates if they both trust a third party, known as a certificate authority.

Customers can also request and provision SSL/TLS certificates and deploy them for sites and applications that use Elastic Load Balancing, Amazon CloudFront, or Amazon API Gateway. After ownership of the requested domain is validated and the certificate is issued, users can select the SSL/TLS certificate from a drop-down list in the AWS Management Console to deploy it. Alternatively, they can deploy certificates provided by ACM to AWS resources using AWS Command Line Interface (CLI) commands or API calls. ACM manages certificate renewals and certificate deployment.

ACM makes it easier to enable SSL/TLS for a website or application on the AWS platform. ACM eliminates many of the manual processes previously associated with using SSL/TLS and managing SSL/TLS certificates. By managing renewals, ACM can also help avoid downtime due to misconfigured, revoked, or expired certificates, so users get SSL/TLS protection and easy certificate management. Enabling SSL/TLS can help improve the search rankings for the site and help meet regulatory compliance requirements for encrypting data in transit.

When using ACM, certificate private keys are securely protected and stored using strong encryption and key management best practices. ACM lets users centrally manage all of the SSL/TLS certificates provided by AWS Certificate Manager in an AWS Region using the AWS Management Console, AWS CLI, or AWS Certificate Manager APIs. AWS Certificate Manager is integrated with other AWS services, so that users can request an SSL/TLS certificate and provision it with the Elastic Load Balancing load balancer or Amazon CloudFront distribution from the AWS Management Console, through AWS CLI commands, or with API calls.

Customers can request certificates using the AWS Management Console, AWS CLI, or ACM APIs/SDKs. To use the AWS Management Console, navigate to the ACM portion of the Console, choose Request a Certificate, enter the domain name for the site, and follow the instructions on the screen to complete the request. Additional domain names can be added to the request if users can reach the site by other names. An email is sent to the domain owner requesting approval to issue the certificate. After approval is received from the domain owner for each domain name in the request, the certificate is issued and ready to be provisioned with other AWS services, such as Elastic Load Balancing or Amazon CloudFront.

Certificates provided by ACM are trusted by most modern browsers, operating systems, and mobile devices. ACM-provided certificates have 99 percent browser and operating system ubiquity, including Windows XP SP3 and Java 6 and later. Browsers that trust certificates provided by ACM display a lock icon and do not issue certificate warnings when connected to sites that use certificates provided by ACM over SSL/TLS, for example using HTTPS.

Certificates provided by ACM are verified by Amazon’s certificate authority (CA). Any browser, application, or OS that includes the Amazon Root CA 1, Starfield Services Root Certificate Authority – G2, or Starfield Class 2 Certification Authority trusts certificates provided by ACM.

Each certificate must include at least one domain name, and users can add additional names to the certificate if they want to. For example, users can add the name “www.example.net” to a certificate for “www.example.com” if the site can be reached by either name, provided they own and control all of the names included in the certificate request.