Transcription of AWS Certificate Manager
1 AWS Certificate ManagerUser GuideVersion Certificate Manager User GuideAWS Certificate Manager : User GuideCopyright Amazon Web Services, Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or service that is notAmazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages ordiscredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who mayor may not be affiliated with, connected to, or sponsored by Certificate Manager User GuideTable of ContentsWhat Is AWS Certificate Manager ? .. 1Is ACM the right service for me? .. 1 ACM certificate characteristics .. 1 Supported Regions .. 3 Integrated services .. 3 Site seals and trust 5 General 6 API rate 8 Security .. 9 Data protection .. 9 ACM private key security .. 10 Identity and access management .. 10 Access control.
2 11 Overview of managing access .. 12 Managed 13 Customer managed 15 Inline 15 Service-linked role .. 18 ACM API permissions reference .. 20 Resilience .. 21 Infrastructure security .. 21 Best practices .. 21 AWS CloudFormation .. 21 Certificate pinning .. 22 Domain 22 Adding or deleting domain names .. 22 Opting out of certificate transparency logging .. 23 Turn on AWS CloudTrail .. 24 Setting up .. 25 Set up AWS and 25 Sign up for AWS .. 25 Create an IAM user .. 25 Register a domain name .. 26(Optional) Configure email .. 26 WHOIS 27MX record .. 27(Optional) Configure CAA .. 27 Issue and manage certificates .. 30 Requesting a public certificate .. 30 Request a public certificate using the console .. 31 Request a public certificate using the CLI .. 32 Requesting a private certificate .. 32 Configuring access to a private CA .. 33 Request a private certificate using the ACM console.
3 33 Request a private certificate using the CLI .. 35 Validate domain ownership .. 36 DNS 36 Email 40 List certificates .. 42 List certificates (console) .. 42 List certificates (CLI) .. 43 Version Certificate Manager User GuideDescribe certificates .. 44 Describe certificates (console) .. 44 Describe certificates (CLI) .. 44 Delete certificates .. 46 Delete certificates (Console) .. 46 Delete certificates (CLI) .. 46 Install certificates .. 46 Managed renewal .. 47 DNS 47 Email 48(Optional) Request email .. 48 Automating email 49 Private PKI certificates .. 50 Check renewal status .. 51 Check the status (console) .. 52 Check the status (API).. 52 Check the status (CLI) .. 52 Check the status using Personal Health Dashboard (PHD) .. 52 Test managed renewal (private PKI) .. 53 Import certificates .. 54 Prerequisites .. 54 Certificate format .. 55 Import certificate .. 56 Import (console).
4 57 Import (AWS CLI) .. 57 Reimport certificate .. 57 Reimport (console) .. 58 Reimport (AWS CLI) .. 58 Export certificate .. 60 Exporting a private certificate (console) .. 60 Export a private certificate (CLI) .. 60 Tag ACM certificates .. 62 Tag restrictions .. 62 Managing 63 Managing tags (console) .. 63 Managing tags (CLI) .. 64 Manage 64 Monitoring and 65 CloudWatch metrics .. 65 Using CloudWatch Events .. 65 Supported events .. 66 Example actions .. 67 Using CloudTrail .. 73 Supported API actions .. 74 API calls for integrated services .. 83 Using the ACM API .. 88 AddTagsToCertificate .. 88 DeleteCertificate .. 89 DescribeCertificate .. 91 ExportCertificate .. 92 GetCertificate .. 94 ImportCertificate .. 96 ListCertificates .. 98 RenewCertificate .. 100 ListTagsForCertificate .. 101 RemoveTagsFromCertificate .. 103 RequestCertificate .. 104 Version Certificate Manager User GuideResendValidationEmail.
5 106 Troubleshooting .. 108 Certificate requests .. 108 Request times out .. 108 Request fails .. 108 Certificate validation .. 110 DNS 110 Email 112 Certificate renewal .. 115 Preparing for automatic domain validation .. 115 Handling failures in managed certificate renewal .. 115 Other problems .. 120 CAA records .. 120 Certificate import .. 120 Certificate pinning .. 121 API Gateway .. 121 Unexpected failure .. 121 Problems with the ACM service-linked role (SLR) .. 122 Handling exceptions .. 3 Private certificate exception handling .. 122 Concepts .. 124 ACM Certificate .. 124 ACM Root CAs .. 125 Apex 126 Asymmetric Key Cryptography .. 126 Certificate Authority .. 126 Certificate Transparency Logging .. 126 Domain Name 127 Domain 127 Encryption and Decryption .. 128 Fully Qualified Domain Name (FQDN) .. 128 Public Key Infrastructure .. 128 Root Certificate .. 129 Secure Sockets Layer (SSL).
6 129 Secure HTTPS .. 129 SSL Server Certificates .. 129 Symmetric Key Cryptography .. 129 Transport Layer Security (TLS) .. 129 Trust .. 129 Document history .. 131 Version Certificate Manager User GuideIs ACM the right service for me?What Is AWS Certificate Manager ?AWS Certificate Manager (ACM) handles the complexity of creating, storing, and renewing public andprivate SSL/TLS certificates and keys that protect your AWS websites and applications. You canprovide certificates for your integrated AWS services (p. 3) either by issuing them directly with ACMor by importing (p. 54) third-party certificates into the ACM management system. ACM certificatescan secure singular domain names, multiple specific domain names, wildcard domains, or combinationsof these. ACM wildcard certificates can protect an unlimited number of subdomains. You can alsoexport (p. 60) ACM certificates signed by ACM Private CA for use anywhere in your internal ACM the right service for me?
7 AWS offers two options to customers deploying managed certificates. Choose the best one foryour Certificate Manager (ACM) This service is for enterprise customers who need a secureweb presence using TLS. ACM certificates are deployed through Elastic Load Balancing, AmazonCloudFront, Amazon API Gateway, and other integrated AWS services (p. 3). The most commonapplication of this kind is a secure public website with significant traffic requirements. ACM alsosimplifies security management by automating the renewal of expiring certificates. You are in the rightplace for this Private CA This service is for enterprise customers building a public key infrastructure (PKI)inside the AWS cloud and intended for private use within an organization. With ACM Private CA, youcan create your own certificate authority (CA) hierarchy and issue certificates with it for authenticatingusers, computers, applications, services, servers, and other devices. Certificates issued by a private CAcannot be used on the internet.
8 For more information, see the ACM Private CA User (p. 124)ACM certificate characteristics (p. 1)Supported Regions (p. 3)Services integrated with AWS Certificate Manager (p. 3)Site seals and trust logos (p. 5)API rate quotas (p. 7)Best practices (p. 21)Pricing for AWS Certificate Manager (p. 8)ACM certificate characteristicsPublic certificates provided by ACM have the characteristics described in this Certificate Manager User GuideACM certificate characteristicsNoteThese characteristics apply only to certificates provided by ACM. They might not apply tocertificates that you import into ACM (p. 54).Domain Validation (DV)ACM certificates are domain validated. That is, the subject field of an ACM certificate identifies adomain name and nothing more. When you request an ACM certificate, you must validate that youown or control all of the domains that you specify in your request. You can validate ownership byusing email or DNS. For more information, see Option 2: Email validation (p.)
9 40) and Option 1:DNS validation (p. 36).Validity PeriodThe validity period for ACM certificates is 13 months (395 days).Managed Renewal and DeploymentACM manages the process of renewing ACM certificates and provisioning the certificatesafter they are renewed. Automatic renewal can help you avoid downtime due to incorrectlyconfigured, revoked, or expired certificates. For more information, see Managed renewal for ACMcertificates (p. 47).Browser and Application TrustACM certificates are trusted by all major browsers including Google Chrome, Microsoft InternetExplorer and Microsoft Edge, Mozilla Firefox, and Apple Safari. Browsers that trust ACM certificatesdisplay a lock icon in their status bar or address bar when connected by SSL/TLS to sites that useACM certificates. ACM certificates are also trusted by Domain NamesEach ACM certificate must include at least one fully qualified domain name (FQDN), and you canadd additional names if you want. For example, when you are creating an ACM certificate , you can also add the name if customers can reach yoursite by using either name.
10 This is also true of bare domains (also known as the zone apex or nakeddomains). That is, you can request an ACM certificate for and add the For more information, see Requesting a public certificate (p. 30).Wildcard NamesACM allows you to use an asterisk (*) in the domain name to create an ACM certificate containinga wildcard name that can protect several sites in the same domain. For example, *. and you request a wildcard certificate, the asterisk (*) must be in the leftmostposition of the domain name and can protect only one subdomain level. For example,*. can protect and , but itcannot protect Also note that *. protectsonly the subdomains of , it does not protect the bare or apex domain( ). However, you can request a certificate that protects a bare or apex domainand its subdomains by specifying multiple domain names in your request. For example, youcan request a certificate that protects and *. certificate must specify an algorithm and key size.