Saturday, October 25, 2025

AWS Certificate Manager (ACM) & Requesting Public Certificates | Overview.

Scope:

  • Intro,
  • How to Request a Public Certificate,
  • Domain Validation Methods,
  • Pricing and Quotas,
  • Key Constraints,
  • Public ACM Certificate (deep dive),
  • The Two types of certificates in AWS Certificate Manager,
  • Steps for Public Certificates Request and Validation,
  • Table for Architecture Components & Role,
  • Request & Validation Flow (Request Initiation --> Validation Method Selection --> Validation Ownership Check --> Certificate Issuance --> Deployment --> Automatic Renewal),
  • Sample Architecture Diagram process,
  • Implementation via AWS CLI or CloudFormation (AWS CLI Sample),
  • Sample CloudFormation stack to Request PublicCert.yaml,
  • Security, Trust Model & Description,
  • Cross-Region & Cross-Account Usage,
  • Automation with Route 53 and CloudFormation,
  • Integration with AWS Services,
  • Best Practices.

Intro:

    • AWS Certificate Manager (ACM) allows twtech to request public SSL/TLS certificates to secure its network communications.
      • These certificates can be used with integrated AWS services such as:
        • Elastic Load Balancing,
        • Amazon CloudFront,
        • Amazon API Gateway.
How to Request a Public Certificate
    • twtech can initiate a request through the:
      • AWS Management Console,
      • AWS CLI,
      • ACM API.
    1. Specify Domain Names: Enter the fully qualified domain name (FQDN), such as www.twtechapp.com. twtech can also use a wildcard (e.g., *.twtechapp.com) to protect multiple subdomains.
    2. Select Validation Method: Choose between DNS validation (recommended) or Email validation to prove domain ownership.
    3. Choose Key Algorithm: Select a key algorithm, typically RSA 2048 or ECDSA (P-256 or P-384).
    4. Configure Exportability: If twtech needs to use the certificate outside of integrated AWS services (e.g., on a local web server), twtech must enable the export option during the initial request.
Domain Validation Methods
  • Before issuance, AWS Certificate Manager (ACM) must verify that twtech controls the requested domains.
    • DNS Validation: twtech adds a specific CNAME record provided by ACM to its DNS configuration.
      • If twtech uses Amazon Route 53, ACM can create these records automatically.
      • This method supports automatic renewal as long as the record remains in place.
    • Email Validation: ACM sends approval emails to the registered domain owner and to five common system addresses (e.g., twtech671@twtechapp.com).
      • This method requires manual action for every renewal.
Pricing & Quotas
    • Public Certificates: Standard public certificates used with integrated AWS services are provided at no additional cost.
    • Exportable Certificates: Public certificates marked as exportable incur charges upon issuance:
      • $15 per fully qualified domain name (FQDN) and $149 per wildcard name.
    • Quotas: By default, twtech can have up to:
      • 2,500 certificates per account,
      • 10 domain names per certificate (extendable to 100 via Service Quotas).
Key Constraints

    • Validity: Public certificates are valid for 13 months (395 days), with renewal attempts starting 60 days before expiration.
    • Region-Locked: Certificates must be requested in the same AWS Region as the service they will be securing:
      • e.g., us-east-1 (N. Virginia) for CloudFront.

 1. Public ACM Certificate (deep dive)

    • AWS Certificate Manager (ACM):
      • Provisions,
      • Manages,
      • Deploys SSL/TLS certificates to secure network communications for AWS services.
      • For example:
        • CloudFront,
        • ALB,
        • API Gateway, etc.

    • The two types of certificates in AWS Certificate Manager (ACM):

    • Public certificates: issued by Amazon’s public CA (Amazon Trust Services).
      • Public certificates are trusted by browsers and clients globally.
    • Private certificates: issued by twtech’s ACM Private CA (PCA) inside AWS.

 2. How Public Certificates Are Requested and Validated

  • Here’s the core architecture and flow when requesting ACM public certificates.

Table for Architecture Components & Role

Component                          | Role
-----------------------------------|-------------------------------------------------------------
AWS Certificate Manager (ACM)      | Manages request, validation, issuance, and renewal.
Amazon Trust Services (ATS)        | The Certificate Authority (CA) that issues the certificate.
Route 53 or External DNS Provider  | Used for DNS validation.
Requester Account                  | AWS account where the certificate is requested.
Target Services                    | AWS resources using the certificate (ALB, CloudFront, etc.).

 Request & Validation Flow (Request Initiation --> Validation Method Selection --> Validation Ownership Check --> Certificate Issuance --> Deployment --> Automatic Renewal)

  1. Request Initiation
    • twtech requests a certificate for one or more domain names (e.g., twtechapp.com, *.twtechapp.com).
    • The request can be made via:
      • AWS Management Console
      • AWS CLI
      • AWS SDKs / APIs
      • CloudFormation
  2. Validation Method Selection
    • DNS Validation (recommended) – ACM provides a CNAME record; twtech adds it to its DNS.
    • Email Validation – ACM sends verification emails to the WHOIS contacts or to twtech’s domain admin contacts.
  3. Validation Ownership Check
    • The CA (Amazon Trust Services) confirms that twtech controls the domain by:
      • Detecting the CNAME record in DNS, or
      • Receiving a confirmation from the validation email.
  4. Certificate Issuance
    • Once validated, ACM issues the public certificate.
    • Certificates are valid for 13 months (395 days).
    • ACM automatically renews them if validation is still in place.
  5. Deployment
    • Certificates can be attached to:
      • CloudFront distributions
      • Application/Network Load Balancers
      • API Gateway custom domains
      • Elastic Beanstalk environments
  6. Automatic Renewal
    • ACM handles renewals automatically.
    • If DNS validation is configured correctly, renewals occur without manual intervention.

 

3. Sample Architecture Diagram process:


4. Implementation via AWS CLI or CloudFormation (AWS CLI Sample)

# bash
# The wildcard SAN is quoted so the shell does not glob-expand it.
aws acm request-certificate \
  --domain-name twtechapp.com \
  --subject-alternative-names "*.twtechapp.com" \
  --validation-method DNS \
  --idempotency-token twtechtoken-123 \
  --options CertificateTransparencyLoggingPreference=ENABLED

After running the above bash shell command:

    • ACM returns an ARN for the certificate.
    • twtech then calls describe-certificate with that ARN.
    • From the description, twtech gets the CNAME record (name and value) for DNS validation.

# bash
aws acm describe-certificate --certificate-arn arn:aws:acm:us-east-2:accountID:certificate/twtechcertID

NB:

  • twtech needs to add the CNAME record to Route 53 (or another DNS provider).
  • Once validated, the certificate is automatically issued.
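The request-then-validate steps above can be scripted end to end. The following Python is an added example (not code from the original post): it turns the describe-certificate output into the Route 53 change batch that creates the validation CNAMEs, and then waits for issuance. The sample describe-certificate response, ARN, hosted zone id and record values are constructed placeholders; the live path assumes boto3 and AWS credentials are available.

```python
"""Added example: ACM describe-certificate output -> Route 53 validation records.

The response shape matches what `aws acm describe-certificate` returns; the
ARN, record names and values are constructed for the example.
"""
from __future__ import annotations

from typing import Any

# Constructed sample. ACM hands out the SAME CNAME for an apex name and its
# wildcard, so the two DomainValidationOptions entries share one record.
SAMPLE_DESCRIBE_OUTPUT: dict[str, Any] = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-2:111122223333:certificate/EXAMPLE-CERT-ID",
        "DomainName": "twtechapp.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "twtechapp.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_1a2b3c.twtechapp.com.",
                    "Type": "CNAME",
                    "Value": "_4d5e6f.acm-validations.aws.",
                },
            },
            {
                "DomainName": "*.twtechapp.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_1a2b3c.twtechapp.com.",
                    "Type": "CNAME",
                    "Value": "_4d5e6f.acm-validations.aws.",
                },
            },
        ],
    }
}


def validation_records(describe_output: dict[str, Any]) -> list[dict[str, str]]:
    """Return the unique DNS validation records that still need creating.

    Entries already marked SUCCESS are skipped, and duplicates are collapsed:
    Route 53 rejects a ChangeBatch that names the same record set twice.
    """
    unique: dict[tuple[str, str, str], dict[str, str]] = {}
    for opt in describe_output["Certificate"].get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr or opt.get("ValidationMethod") != "DNS":
            continue
        if opt.get("ValidationStatus") == "SUCCESS":
            continue
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        unique.setdefault(key, rr)
    return list(unique.values())


def build_change_batch(records: list[dict[str, str]], ttl: int = 300) -> dict[str, Any]:
    """Build the ChangeBatch argument for route53.change_resource_record_sets.

    UPSERT makes a re-run safe. The records must stay in place permanently,
    because ACM re-checks them at every automatic renewal.
    """
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": r["Name"],
                    "Type": r["Type"],
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": r["Value"]}],
                },
            }
            for r in records
        ],
    }


def validate_with_route53(certificate_arn: str, hosted_zone_id: str, region: str) -> None:
    """Live path (needs boto3 and credentials): fetch records, create them, wait."""
    import boto3  # imported here so the offline helpers above need no SDK

    acm = boto3.client("acm", region_name=region)
    route53 = boto3.client("route53")
    output = acm.describe_certificate(CertificateArn=certificate_arn)
    batch = build_change_batch(validation_records(output))
    if batch["Changes"]:
        route53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    # Blocks until ACM has observed the CNAMEs and issued the certificate.
    acm.get_waiter("certificate_validated").wait(CertificateArn=certificate_arn)


if __name__ == "__main__":
    import json

    print(json.dumps(build_change_batch(validation_records(SAMPLE_DESCRIBE_OUTPUT)), indent=2))
```

Run stand-alone it prints the change batch for the constructed sample (one record, since the apex and wildcard share a CNAME); call validate_with_route53 with a real ARN, hosted zone id and Region to drive the live flow.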

# SampleCloudFormationRequestPublicCertStack.yaml
Resources:
  PublicCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: twtechapp.com
      SubjectAlternativeNames:
        - "*.twtechapp.com"
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: twtechapp.com
          HostedZoneId: <twtechHzId-Z123456ABCDEF>

NB:

  • ACM automatically creates the DNS validation records in the specified Route 53 Hosted Zone.

 5. Security, Trust Model & Description

Feature                        | Description
-------------------------------|---------------------------------------------------------------------------------
CA Trust                       | Issued by Amazon Trust Services (trusted by all major browsers).
Key Management                 | Private keys are managed internally by ACM — twtech cannot export a public certificate’s private key unless the certificate was requested as exportable.
Certificate Transparency (CT)  | Enabled by default — all issued certs are logged to CT logs for auditing.
Renewal Security               | ACM revalidates domain ownership before renewal.
Regional Behavior              | ACM public certs are regional, except for CloudFront, which uses us-east-1 (N. Virginia) only.

 6. Advanced Topics (Insights)

A. Cross-Region and Cross-Account Usage

    • ACM certificates are regional.
    • To use in multiple Regions or accounts:
      • Request the cert in each Region.
      • Use AWS Certificate Manager Private Certificate Authority (PCA) or ACM exportable private certs if key sharing is required.
      • Automate issuance with AWS Lambda, AWS Step Functions, and Service Catalog for multi-account provisioning.

B. Automation with Route 53 and CloudFormation

    • Use DNS validation with Route 53 for zero-touch renewals.
    • With Infrastructure as Code (IaC), certificates can be auto-provisioned in CI/CD pipelines.

C. Integration with AWS Services

Service            | Integration
-------------------|---------------------------------------------
ALB / NLB          | Attach directly in listener configuration.
CloudFront         | Must be in us-east-1.
API Gateway        | Associate with custom domain name.
Elastic Beanstalk  | Configure via environment options.

7. Best Practices

Category     | Best Practice
-------------|--------------------------------------------------------------------------------------
Validation   | Always use DNS validation for automation.
Region       | Request in us-east-1 (N. Virginia) if used for CloudFront.
Automation   | Integrate ACM request and DNS record creation into CI/CD pipelines.
Renewal      | Keep DNS validation CNAME records permanently in place.
Visibility   | Monitor ACM events using CloudWatch Events / EventBridge for renewals and expirations.
Security     | Do not share certs between accounts — request new certs instead.
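The Renewal and Visibility rows describe what to watch; the following Python is an added example (not code from the original post) that audits an issued certificate for the conditions managed renewal depends on: still ISSUED, eligible for renewal, attached to something, and every DNS validation CNAME still resolving to the value ACM expects. The describe-certificate field names are real; the certificate, dates, DNS answers and the resolve_cname lookup are constructed for the example, and the 60-day window is the renewal start point stated above.

```python
"""Added example: audit an ACM public certificate for renewal readiness.

Field names follow the `aws acm describe-certificate` Certificate object;
the certificate, dates and DNS answers below are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any, Callable

RENEWAL_WINDOW_DAYS = 60  # ACM starts renewal attempts 60 days before expiry

# Constructed: a DNS-validated certificate that expires in 45 days.
NOW = datetime(2025, 10, 25, tzinfo=timezone.utc)
SAMPLE_CERT: dict[str, Any] = {
    "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID",
    "DomainName": "twtechapp.com",
    "Status": "ISSUED",
    "NotAfter": NOW + timedelta(days=45),
    "RenewalEligibility": "ELIGIBLE",
    "InUseBy": ["arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"],
    "DomainValidationOptions": [
        {
            "DomainName": "twtechapp.com",
            "ValidationMethod": "DNS",
            "ValidationStatus": "SUCCESS",
            "ResourceRecord": {
                "Name": "_1a2b3c.twtechapp.com.",
                "Type": "CNAME",
                "Value": "_4d5e6f.acm-validations.aws.",
            },
        },
        {
            "DomainName": "api.twtechapp.com",
            "ValidationMethod": "DNS",
            "ValidationStatus": "SUCCESS",
            "ResourceRecord": {
                "Name": "_7g8h9i.api.twtechapp.com.",
                "Type": "CNAME",
                "Value": "_0j1k2l.acm-validations.aws.",
            },
        },
    ],
}

# Constructed stand-in for DNS: the apex validation record is still present,
# the api record was deleted in a zone clean-up (a common way renewals fail).
SAMPLE_DNS: dict[str, str] = {"_1a2b3c.twtechapp.com.": "_4d5e6f.acm-validations.aws."}


def lookup_from_table(table: dict[str, str]) -> Callable[[str], str | None]:
    """Return a CNAME resolver that answers from a fixed table (offline stand-in)."""
    return lambda name: table.get(name.lower())


def audit_certificate(
    cert: dict[str, Any], now: datetime, resolve_cname: Callable[[str], str | None]
) -> dict[str, Any]:
    """Report days to expiry and anything that would stop automatic renewal."""
    days_left = (cert["NotAfter"] - now).days
    findings: list[str] = []

    if cert.get("Status") != "ISSUED":
        findings.append(f"status is {cert.get('Status')}, not ISSUED")
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        findings.append("ACM reports the certificate as not eligible for managed renewal")
    if not cert.get("InUseBy"):
        findings.append("certificate is not attached to any AWS resource; confirm it is still needed")

    for opt in cert.get("DomainValidationOptions", []):
        domain = opt["DomainName"]
        if opt.get("ValidationMethod") == "EMAIL":
            findings.append(f"{domain}: email validation needs manual approval at each renewal")
            continue
        rr = opt.get("ResourceRecord") or {}
        answer = resolve_cname(rr.get("Name", ""))
        if answer is None:
            findings.append(f"{domain}: validation CNAME {rr.get('Name')} is missing from DNS")
        elif answer.lower().rstrip(".") != rr["Value"].lower().rstrip("."):
            findings.append(f"{domain}: validation CNAME points at {answer}, expected {rr['Value']}")

    in_window = days_left <= RENEWAL_WINDOW_DAYS
    return {
        "days_to_expiry": days_left,
        "in_renewal_window": in_window,
        "renewal_at_risk": in_window and bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_certificate(SAMPLE_CERT, NOW, lookup_from_table(SAMPLE_DNS))
    print(f"{report['days_to_expiry']} days left, at risk: {report['renewal_at_risk']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Against the constructed data the report flags the missing api.twtechapp.com record while the certificate is already inside the 60-day window, which is exactly the case a scheduled check or an EventBridge-triggered function should page on. For live use, replace lookup_from_table with a real resolver and feed in the Certificate object from describe-certificate.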

 

