Free SSL Certificates using ACM (AWS Certificate Manager)

Posted on Tue 16 February 2016 in aws

2016 may be the year of free SSL, and AWS ACM (AWS Certificate Manager) is a great offering for Cloudfront & ELB users (most web apps).

Not only is it free, but it's also the simplest certificate management platform:

  • request a new certificate in minutes
  • no server config needed
  • no certificate, chain or private key management
  • automatic certificate rotation

Here's how to create a certificate and then install it onto your CloudFront distribution.

Requesting a New Certificate

# quote the wildcard so the shell does not glob-expand it
aws acm request-certificate --domain-name '*.mydomain.com' --subject-alternative-names mydomain.com
{
    "CertificateArn": "arn:aws:acm:us-east-1:OOOOOOOOOOOO:certificate/c3d15000-230c-4000-8000-a600000"
}

Activating the Certificate on Cloudfront

This part requires a few steps:

1. Get the configuration skeleton

# show just the first few lines for example
aws cloudfront update-distribution --generate-cli-skeleton|head -n 5
{
    "DistributionConfig": {
        "CallerReference": "",
        "Aliases": {
            "Quantity": 0,

Save the full skeleton to a file and replace its ViewerCertificate entry with the block below.

2. Update The Viewer Certificate

Make sure the "Certificate" param is your ACM Certificate ARN from above.

"ViewerCertificate": {
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1",
    "Certificate": "arn:aws:acm:us-east-1:OOOOOOOOOOOO:certificate/c3d15000-230c-4000-8000-a600000",
    "CertificateSource": "acm"
},

3. Update your DistributionConfig

$ aws cloudfront update-distribution --id DISTRIBUTION_ID --cli-input-json file://CONFIG_FILE.json
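As an added example (not code from the original post), here is the same three-step update done in Python on a constructed get-distribution-config response: it checks that the certificate has reached ISSUED status, that the ARN is an ACM certificate from us-east-1 (the only region CloudFront accepts), writes the ViewerCertificate block above into the config, and carries the ETag through as IfMatch, which update-distribution requires. The distribution id, ETag and account id are made-up placeholders.

```python
import json
import re

# Constructed, abridged sample of what `aws cloudfront get-distribution-config` returns;
# a real response carries many more keys, which pass through unchanged.
SAMPLE_GET_CONFIG = {
    "ETag": "E2EXAMPLEETAG00",
    "DistributionConfig": {
        "CallerReference": "my-site-2016",
        "Aliases": {"Quantity": 1, "Items": ["mydomain.com"]},
        "Enabled": True,
        "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    },
}

# Constructed sample of `aws acm describe-certificate` output (abridged).
SAMPLE_DESCRIBE_CERT = {"Certificate": {"Status": "ISSUED"}}

# CloudFront only accepts ACM certificates issued in us-east-1.
ACM_ARN_RE = re.compile(r"^arn:aws:acm:us-east-1:\d{12}:certificate/[0-9a-f-]+$")


def assert_issued(describe_response):
    """request-certificate returns an ARN at once, but the cert is unusable until validated."""
    status = describe_response["Certificate"]["Status"]
    if status != "ISSUED":
        raise RuntimeError("certificate not usable yet, status=%s" % status)


def acm_viewer_certificate(cert_arn, min_protocol="TLSv1"):
    """Build the ViewerCertificate block from the post, rejecting ARNs CloudFront cannot use."""
    if not ACM_ARN_RE.match(cert_arn):
        raise ValueError("need an ACM certificate ARN from us-east-1, got %r" % cert_arn)
    return {
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": min_protocol,
        "Certificate": cert_arn,
        "CertificateSource": "acm",
    }


def build_update_payload(get_config_response, distribution_id, cert_arn):
    """Turn a get-distribution-config response into the --cli-input-json body for update-distribution."""
    config = dict(get_config_response["DistributionConfig"])
    config["ViewerCertificate"] = acm_viewer_certificate(cert_arn)  # replaces the default cert entry
    return {
        "Id": distribution_id,
        "IfMatch": get_config_response["ETag"],  # update-distribution rejects a missing or stale ETag
        "DistributionConfig": config,
    }


if __name__ == "__main__":
    assert_issued(SAMPLE_DESCRIBE_CERT)
    arn = "arn:aws:acm:us-east-1:123456789012:certificate/c3d15000-230c-4000-8000-a600000"
    print(json.dumps(build_update_payload(SAMPLE_GET_CONFIG, "E1EXAMPLEDIST", arn), indent=4))
```

Write the printed JSON to CONFIG_FILE.json and pass it with --cli-input-json; the Id and IfMatch keys replace the separate --id and --if-match flags.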

At this point you can test using https://mydomain.com:443 and make sure the certificate chain looks good. A great testing tool is the Symantec Tool.

See the ACM docs for more info.