Saturday, October 25, 2025

AWS Certificate Manager (ACM) – Requesting Public Certificates | Deep Dive.

 

twtech deep dive into AWS Certificate Manager (ACM) – Requesting Public Certificates.

Breakdown:

  • Overview of Public ACM Certificates
  • How Public Certificates Are Requested and Validated
  • Sample Architecture Diagram
  • Implementation via AWS CLI or CloudFormation
  • Security and Trust Model
  • Advanced Topics (insights)
  • Best Practices

 1. Overview of Public ACM Certificate

  • AWS Certificate Manager (ACM) provisions, manages, and deploys SSL/TLS certificates that secure network communications for AWS services (e.g., CloudFront, ALB, API Gateway).

  • There are two types of certificates in ACM:

    • Public certificates: issued by Amazon's public CA (Amazon Trust Services) and trusted by browsers and clients globally.
    • Private certificates: issued by twtech's own ACM Private CA (PCA) inside AWS and trusted only where twtech distributes the CA chain.

 2. How Public Certificates Are Requested and Validated

Here’s the core architecture and flow when requesting ACM public certificates.

Architecture Components (Component – Role):

  • AWS Certificate Manager (ACM) – Manages request, validation, issuance, and renewal.
  • Amazon Trust Services (ATS) – The Certificate Authority (CA) that issues the certificate.
  • Route 53 or External DNS Provider – Used for DNS validation.
  • Requester Account – AWS account where the certificate is requested.
  • Target Services – AWS resources using the certificate (ALB, CloudFront, etc.).

 Request and Validation Flow

  1. Request Initiation
    • twtech requests a certificate for one or more domain names (e.g., twtechapp.com, *.twtechapp.com).
    • The request can be made via:
      • AWS Management Console
      • AWS CLI
      • AWS SDKs / APIs
      • CloudFormation
  2. Validation Method Selection
    • DNS Validation (recommended) – ACM provides a CNAME record; twtech adds it to its DNS.
    • Email Validation – ACM sends verification emails to WHOIS or twtech domain admin contacts.
  3. Validation Ownership Check
    • The CA (Amazon Trust Services) confirms that twtech controls the domain by:
      • Detecting the CNAME record in DNS, or
      • Receiving a confirmation from the validation email.
  4. Certificate Issuance
    • Once validated, ACM issues the public certificate.
    • Certificates are valid for 13 months (395 days).
    • ACM automatically renews them if validation is still in place.
  5. Deployment
    • Certificates can be attached to:
      • CloudFront distributions
      • Application/Network Load Balancers
      • API Gateway custom domains
      • Elastic Beanstalk environments
  6. Automatic Renewal
    • ACM handles renewals automatically.
    • If DNS validation is configured correctly, renewals occur without manual intervention.

 3. Sample Architecture Diagram

Here’s a diagram of the process:


4. Implementation via AWS CLI or CloudFormation

AWS CLI Example

# bash
aws acm request-certificate \
  --domain-name twtechapp.com \
  --subject-alternative-names "*.twtechapp.com" \
  --validation-method DNS \
  --idempotency-token twtechtoken-123 \
  --options CertificateTransparencyLoggingPreference=ENABLED

After running this command:

  • ACM returns an ARN for the certificate.
  • twtech can then call describe-certificate to get the CNAME record for DNS validation.

# bash

aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-2:accountID:certificate/twtechcertID

NB:

twtech needs to add the CNAME record to Route 53 (or another DNS provider).
Once validated, the certificate is automatically issued.
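The step between describe-certificate and "add the CNAME record" is the part worth automating, and it is also where renewals silently break when someone cleans up the hosted zone. The following Python is an added example (not ACM's or twtech's code): it parses a constructed describe-certificate response, deduplicates the validation CNAMEs (ACM hands out the same record for an apex name and its wildcard), builds the ChangeBatch payload that `aws route53 change-resource-record-sets --change-batch file://...` accepts, and checks the hosted zone for missing validation records. The ARN, token and value strings are placeholders.

```python
"""Turn an ACM describe-certificate response into Route 53 validation records
and check that those records are still present (added example, not ACM code)."""
import json

# Constructed sample of `aws acm describe-certificate` output for a pending,
# DNS-validated request. Every value below is a placeholder, not a real
# certificate, account or validation token.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-2:123456789012:certificate/EXAMPLE-ID",
        "DomainName": "twtechapp.com",
        "SubjectAlternativeNames": ["twtechapp.com", "*.twtechapp.com"],
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "twtechapp.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_EXAMPLETOKEN.twtechapp.com.",
                    "Type": "CNAME",
                    "Value": "_EXAMPLEVALUE.acm-validations.aws.",
                },
            },
            {
                # ACM issues the same CNAME for the apex and its wildcard.
                "DomainName": "*.twtechapp.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_EXAMPLETOKEN.twtechapp.com.",
                    "Type": "CNAME",
                    "Value": "_EXAMPLEVALUE.acm-validations.aws.",
                },
            },
        ],
    }
})


def _norm(name):
    """DNS names compare case-insensitively and with or without a trailing dot."""
    return name.strip().lower().rstrip(".")


def validation_records(describe_json):
    """Extract the unique DNS validation CNAMEs from describe-certificate output."""
    cert = json.loads(describe_json)["Certificate"]
    seen = set()
    records = []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr or opt.get("ValidationMethod") != "DNS":
            continue  # email-validated names carry no ResourceRecord
        key = (_norm(rr["Name"]), rr["Type"], _norm(rr["Value"]))
        if key in seen:
            continue
        seen.add(key)
        records.append({"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return records


def route53_change_batch(records, ttl=300):
    """Build the ChangeBatch payload for `aws route53 change-resource-record-sets`.

    UPSERT is idempotent, so re-running a pipeline after a renewal never fails
    on a record that is already present.
    """
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": r["Name"],
                    "Type": r["Type"],
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": r["Value"]}],
                },
            }
            for r in records
        ],
    }


def missing_records(records, zone_records):
    """Return the validation CNAMEs absent from the hosted zone.

    `zone_records` is a list of (name, type, value) tuples as read from the
    hosted zone; anything returned here will block automatic renewal.
    """
    present = {(_norm(n), t, _norm(v)) for n, t, v in zone_records}
    return [r for r in records
            if (_norm(r["Name"]), r["Type"], _norm(r["Value"])) not in present]


if __name__ == "__main__":
    recs = validation_records(SAMPLE_DESCRIBE_OUTPUT)
    print(json.dumps(route53_change_batch(recs), indent=2))
    print("missing from zone:", missing_records(recs, []))
```

In a pipeline, feed `validation_records` the live describe-certificate output, write the change batch to a file for the Route 53 CLI, and run `missing_records` against `list-resource-record-sets` output on a schedule so a deleted validation CNAME is caught long before the renewal window.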

# CloudFormationSample.yaml

# yaml
Resources:
  PublicCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: twtechapp.com
      SubjectAlternativeNames:
        - "*.twtechapp.com"
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: twtechapp.com
          HostedZoneId: <twtechHzId-Z123456ABCDEF>

NB:

ACM automatically creates the DNS validation records in the specified Route 53 Hosted Zone.

 5. Security and Trust Model

Feature – Description:

  • CA Trust – Issued by Amazon Trust Services (trusted by all major browsers).
  • Key Management – Private keys are generated and held inside ACM; twtech cannot export the private keys of public certificates.
  • Certificate Transparency (CT) – Enabled by default; every issued cert is logged to public CT logs for auditing.
  • Renewal Security – ACM revalidates domain ownership before renewal.
  • Regional Behavior – ACM public certs are regional, except for CloudFront, which uses certificates from us-east-1 (N. Virginia) only.

 6. Advanced Topics (insights)

A. Cross-Region and Cross-Account Usage

  • ACM certificates are regional.
  • To use in multiple Regions or accounts:
    • Request the cert in each Region.
    • Use AWS Certificate Manager Private Certificate Authority (PCA) or ACM exportable private certs if key sharing is required.
    • Automate issuance with AWS Lambda, AWS Step Functions, and Service Catalog for multi-account provisioning.

B. Automation with Route 53 and CloudFormation

  • Use DNS validation with Route 53 for zero-touch renewals.
  • With Infrastructure as Code (IaC), certificates can be auto-provisioned in CI/CD pipelines.

C. Integration with AWS Services

Service – Integration:

  • ALB / NLB – Attach directly in the listener configuration.
  • CloudFront – Certificate must be in us-east-1.
  • API Gateway – Associate with a custom domain name.
  • Elastic Beanstalk – Configure via environment options.

7. Best Practices

Category – Best Practice:

  • Validation – Always use DNS validation for automation.
  • Region – Request in us-east-1 if the certificate is used for CloudFront.
  • Automation – Integrate the ACM request and DNS record creation into CI/CD pipelines.
  • Renewal – Keep DNS validation CNAME records permanently in place.
  • Visibility – Monitor ACM events using CloudWatch Events / EventBridge for renewals and expirations.
  • Security – Do not share certs between accounts; request new certs instead.
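The "Visibility" and "Renewal" rows above are usually implemented together: an EventBridge rule on ACM events feeds a small handler that decides how loudly to alert. The Python below is an added example, not twtech's or AWS's code. The event source `aws.acm` and the detail-type "ACM Certificate Approaching Expiration" are real, but the detail field names used here (`DaysToExpiry`, `CommonName`) and the second detail-type are assumptions to confirm against the current ACM documentation before deploying; the sample event is constructed.

```python
"""Triage ACM expiry/renewal events from EventBridge (added example, not AWS code)."""

# Assumption: ACM publishes EventBridge events with source "aws.acm"; the
# detail-types and detail fields below should be confirmed against the ACM
# documentation before this pattern is deployed as a rule.
ACM_EVENT_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Approaching Expiration",
                    "ACM Certificate Renewal Action Required"],
}

# Constructed sample event in the EventBridge envelope format; every
# identifier is a placeholder.
SAMPLE_EVENT = {
    "version": "0",
    "id": "00000000-0000-0000-0000-000000000000",
    "detail-type": "ACM Certificate Approaching Expiration",
    "source": "aws.acm",
    "account": "123456789012",
    "time": "2025-10-25T09:00:00Z",
    "region": "us-east-1",
    "resources": ["arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"],
    "detail": {"DaysToExpiry": 12, "CommonName": "twtechapp.com"},
}


def matches_pattern(event, pattern=ACM_EVENT_PATTERN):
    """Minimal EventBridge-style match: each pattern key must list the event's value."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def triage(event, warn_days=45, critical_days=14):
    """Decide how loudly to alert on an ACM event.

    ACM begins renewal attempts 60 days before expiry, so an approaching-expiry
    event still firing inside the warning window usually means a validation
    CNAME was removed or the certificate is no longer attached to a resource
    (ACM only renews certificates that are in use). A "renewal action
    required" event is always critical because no automatic path remains.
    """
    if not matches_pattern(event):
        return {"level": "ignore", "reason": "not an ACM expiry/renewal event"}
    detail = event.get("detail", {})
    days = detail.get("DaysToExpiry")
    needs_action = event["detail-type"] == "ACM Certificate Renewal Action Required"
    if needs_action or (days is not None and days <= critical_days):
        level = "critical"
    elif days is not None and days <= warn_days:
        level = "warning"
    else:
        level = "info"
    return {
        "level": level,
        "arn": (event.get("resources") or [""])[0],
        "common_name": detail.get("CommonName"),
        "days_to_expiry": days,
        "region": event.get("region"),
        "next_step": "verify the validation CNAME is still in DNS and the cert is attached",
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

Wire `triage` into a Lambda target of the rule and route "critical" results to a paging channel; the `region` field in the result also makes it easy to spot a CloudFront certificate that was requested outside us-east-1 and therefore never attached.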

 
