The easiest way to create and deploy SSL certificates for AWS services (such as CloudFront, API Gateway, Elastic Load Balancing, etc.) is through AWS Certificate Manager. This approach automates the more cumbersome certificate provisioning steps and ensures that deploying the certificate is usually as simple as selecting it from a dropdown within the AWS service that requires it (or by referencing the ARN if you are managing infrastructure-as-code).
When you are also using Route 53 for your domain name, there is the added benefit of being able to validate the certificate through DNS. There is even a simple button to automatically create the CNAME record needed for the validation.
What you need to know
Before you can create a certificate, you will need to know the domain name for which you want to create the certificate. A certificate can have multiple records associated with it (e.g. `dev.example.com` and `test.example.com`) or use a wildcard such as `*.example.com`.
What you need to provide
If the certificate is going to be used in other automated provisioning scripts, you will need to make sure that the authors or operators of the scripts have the certificate ARN. This will be created at the end of the certificate creation process and is typically in the following format:
`arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID`
Step-by-step
These steps explain how to create the certificate:
- Go to Services and select Certificate Manager
- Select Request a certificate
- Choose the option to Request a public certificate
- Add the domain names you require and click Next
- Choose DNS validation and click Review
- Review and then select Confirm and request
- On the Validation screen, for each domain name choose the option to Create record in Route 53.
- Click Continue
- The prompt claims that it can take up to 30 minutes for the DNS changes to propagate and for the domain to be validated; however, I have always found it takes only a few minutes. Once it is done the status will change from Pending validation to Issued. You can come back to this screen at any time to retrieve the certificate ARN for use in other services.