How to secure a website hosted on AWS with a free SSL Certificate from AWS Certificate Manager (ACM)?

July 18, 2018

When we have a website that requires users to log in or provide sensitive financial information, how far do our customers trust the website with that information?

We have come across many incidents where credit card numbers were stolen & misused. Do our customers ever verify whether the website they’re planning to make payments on is secure & trustworthy? How do we make sure the customer feels safe providing this information on our website?

To get through all these challenges in business, we need to secure our website with HTTPS.

Now, what is HTTPS?

HTTP is the networking protocol that enables client-server communication over the network. HTTPS is the secured version of the HTTP protocol; the S stands for Secure.

  • HTTPS means the site is safe & secured
  • Communication between the browser & the website is encrypted
  • Communication between the browser and the website takes place over SSL (Secure Sockets Layer) on port 443

SSL is a common term when it comes to the security of a website. It is the industry standard for protecting websites & their online transactions. Enabling SSL on our website makes sure the information exchanged between the browser and the website is encrypted while it travels over the internet.

There are multiple DNS service providers who also provide SSL Certificates for website domains purchased through them. Below are the steps to follow with any third-party SSL Certificate provider.

Step 1: Configure the server with a unique IP address.

Step 2: Generate a private key & a Certificate Signing Request (CSR) for the SSL Certificate and submit the CSR to a Certificate Authority (CA); the private key stays on the server. Major CA players in the market are GoDaddy, Comodo, Let’s Encrypt, DigiCert, etc. These third-party CAs charge a yearly price for the issued SSL Certificates. For example: GoDaddy costs around Rs. 549/- for the first year, followed by Rs. 2,400/- per year.

Step 3: Provide appropriate information for the CA to validate your domain.

Step 4: CA issues the SSL Certificate after validation. Activate the certificate.

Step 5: Install the certificate on the server where the website is hosted.

Step 6: Update the website configurations to use HTTPS.

Step 7: SSL Certificates need to be renewed. Make a note to renew the certificate before expiration.

Now, if your infrastructure is hosted on AWS Cloud, you can leverage AWS as a Certificate Authority with the service AWS Certificate Manager.

Leveraging AWS Certificate Manager:

AWS provides a service to ease the process of provisioning, managing & deploying the SSL/TLS Certificates. These SSL Certificates can be used for the websites hosted using AWS services. ACM also provides the ability to import the SSL Certificates into ACM & use them in the applications.

With a third-party SSL Certificate, the real overhead is less in provisioning it than in uploading, maintaining and renewing it. With ACM, the management of SSL Certificates is taken care of by AWS.

Provisioning an SSL Certificate from AWS Certificate Manager takes just a few clicks, following the steps below:

  • Provide the domain name of the website or application for which SSL Certificate needs to be provisioned
  • Verify the domain name for validation
  • Domain owner needs to approve the validation request
  • ACM Certificate is provisioned & ready to be used with other AWS services

Steps to provision ACM SSL Certificate:

1. Provide the domain name

2. Domain name validation:

The validation confirms that the domain for which we are requesting the certificate is actually owned by the requestor. There are two methods of validation for domain owners, namely:

  • DNS Validation
  • Email Validation

DNS Validation

i. Choose the validation method as DNS validation to modify & validate the DNS entry of the mentioned domain

ii. Review the details of the domain & click on Confirm and request

If the domain is hosted with Route 53, ACM can directly update the Hosted Zone of the domain with a new record set (CNAME record set). This can be done by clicking on Create Record in Route53 or we can manually update the record set in Route 53.

If the domain is not hosted with Route 53, we need to update the CNAME record of the DNS configuration of our domain.

iii. Click Create; this will create a new record set in the Route 53 Hosted Zone

iv. Check the Hosted Zone to verify that ACM has created a record set for the certificate
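
The DNS validation steps above can also be scripted. As an added example (not code from the original post), the Python below builds the arguments for ACM's request_certificate call and turns a DescribeCertificate response into the Route 53 change batch for the validation CNAME. The sample response, the record names and the 300-second TTL are constructed assumptions.

```python
# Added example; SAMPLE is constructed, shaped like acm.describe_certificate() output.
import json

MAX_NAMES_PER_CERT = 10  # per-certificate domain-name limit quoted on this page
_REC = {"Name": "_a1b2.example.com.", "Type": "CNAME",
        "Value": "_c3d4.acm-validations.aws."}
SAMPLE = {"Certificate": {"DomainName": "example.com", "DomainValidationOptions": [
    {"DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": _REC},
    {"DomainName": "*.example.com", "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": _REC},  # wildcard shares the base domain's record
    {"DomainName": "shop.example.com", "ValidationStatus": "SUCCESS",
     "ResourceRecord": {"Name": "_e5f6.shop.example.com.", "Type": "CNAME",
                        "Value": "_g7h8.acm-validations.aws."}},
    {"DomainName": "new.example.com", "ValidationStatus": "PENDING_VALIDATION"},
]}}


def request_args(names):
    """Arguments for acm.request_certificate(), using DNS validation."""
    names = list(dict.fromkeys(n.lower().rstrip(".") for n in names))
    if not names or len(names) > MAX_NAMES_PER_CERT:
        raise ValueError(f"need 1..{MAX_NAMES_PER_CERT} domain names")
    args = {"DomainName": names[0], "ValidationMethod": "DNS"}
    if len(names) > 1:
        args["SubjectAlternativeNames"] = names[1:]
    return args


def validation_changes(describe_response, ttl=300):
    """Route 53 ChangeBatch with one UPSERT per distinct pending CNAME."""
    seen, changes = set(), []
    for opt in describe_response["Certificate"].get("DomainValidationOptions", []):
        rec = opt.get("ResourceRecord")  # absent until ACM has generated it
        if opt.get("ValidationStatus") != "PENDING_VALIDATION" or not rec:
            continue
        key = (rec["Name"].lower(), rec["Value"].lower())
        if key in seen:  # already queued for another name on the certificate
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rec["Name"], "Type": rec["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": rec["Value"]}]}})
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    print(json.dumps(request_args(["example.com", "*.example.com"]), indent=2))
    print(json.dumps(validation_changes(SAMPLE), indent=2))
```

With credentials configured, the returned batch is what boto3's Route 53 `change_resource_record_sets` call takes as its `ChangeBatch` argument, alongside the `HostedZoneId` of the domain.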

Email Validation

i. Choose Email Validation as the validation method if we do not have permission to update the DNS configuration. This method will send an email to all the domain owners for validation. Once the domain owners approve, AWS ACM issues an SSL Certificate to that particular domain.

ii. After approval of the certificate, ACM Certificate is ready to be used & is displayed in the ACM console

The issued ACM Certificate cannot be directly deployed on web servers like Apache or Nginx. ACM Certificates can be deployed on websites which use any of the following services:

  • Elastic Load Balancing
  • Amazon CloudFront
  • AWS CloudFormation
  • Amazon API Gateway
  • AWS Elastic Beanstalk

Limits of ACM:

  • Number of ACM Certificates per AWS Account – 100 (default limit)
  • Number of ACM Certificates per year – twice the account limit
  • Number of domain names per ACM Certificate – 10
  • Number of imported certificates per AWS Account – 100

Advantages of ACM:

  • Managed Renewal: AWS manages the auto-renewal of certificates before expiry
  • Browser & Application Trustable: All major browsers trust ACM Certificate as a public SSL Certificate
  • Supports Wildcard Certificates: Allows certificate with *(wildcard) domain names
  • Validity: Each ACM Certificate is valid for 13 months
  • Cost: SSL/TLS Certificates by ACM are free

We have used this method to implement SSL for multiple clients whose websites are hosted on AWS. In case you are looking to have ACM set up quickly for your website / application, kindly visit our consulting website, fill in the quick inquiry form and we will get in touch with you within 24 hours.
