Managing Certificates with AWS Certificate Manager


The Basics


About Me


“The average global 5,000 company spends about $15 million to recover from the loss of business due to a certificate outage -- and faces another $25 million in potential compliance impact.”

Course Modules

  • SSL Certificates and the AWS Ecosystem
  • Introduction to the AWS Certificate Manager
  • Implementing Certificates
  • Operations and Troubleshooting

Scenario: Animal Rescue Nonprofit

scenario animal rescue nonprofit for aws

Proposed Infrastructure

proposed infrastructure for aws

SSL Certificate FAQ

ssl ceruficate faq for aws

Common AWS Offerings That
Support SSL

common aws offerings that support ssl for aws

Certificate Ownership

  • Customer
  • Flexibility
  • Third party software support
  • Cost of Renewal
  • AWS
  • Low/no operational overhead
  • AWS service integration
  • No renewal charge

What We Will Learn:

  • What is AWS Certificate Manager?
  • Which services does it support?
  • How can we use it?
  • Follow along with our animal rescue nonprofit as we secure their site!

Introduction to the AWS Certificate Manager

Module Overview

  • Benefits of managed SSL certificates
  • Workflows
  • Integrated services
  • Demo: Creating a Certificate

Benefits of AWS Managed SSL Certificates

benefits of aws managed ssl certificates for aws

Business Impact for

  • No cost for certificate procurement
  • No cost for certificate renewal
  • No operational overhead
  • Very quick turnaround

Workflow: Requesting a Certificate

workflow: requesting a certificate of aws

Workflow: Requesting a Certificate

workflow: requesting a certificate of aws

Workflow: Managing Certificates

workflow: managing certificates for aws

Workflow: Deploying Certificates

Handled in the individual services

Which services itegrate with ACM?

Services Integrated with ACM

services integrated with acm for aws

ACM Limitations

  • No access to SSL certificates
    • Cannot download
  • No choice on key size
  • No third-party integration
  • Create a new certificate using ACM
    • Using our nonprofit animal rescue


  • Managed service for SSL certificates reduces operational overhead
  • Tradeoff: convenience vs. flexibility
  • Next Up: Implementing Certificates

Implementing Certificates

Module Overview

  • Recap of proposed architecture
  • Comparison of ELB and Cloud Front
  • Demo: add certificate to ELB
  • Demo: add certificate to CloudFront

Proposed Infrastructure

aws of proposed infrastructure

Comparison of Services

  • ELB
  • Region scope
  • Integrates with EC2, autoscaling
  • No caching
  • Custom listener ports
  • Single Origin - EC2 instances
  • CloudFront
  • Global scope
  • Integrates with WAF
  • Caching capability
  • No custom listener ports
  • Multiple origins - DNS endpoints

Why Choose SSL on ELB?

  • Direct integration with EC2 web server
  • Ramp-up with autoscaling
  • Keep services geographically close

Why Choose SSL on Cloud Front?

  • Cost effective global reach
  • Cache static assets via multiple origins
  • DDoS protection
  • Add certificate to ELB
    • Assuming pre-existing ELB in place
    • Assuming no existing SSL termination
  • Add certificate to CloudFront
    • Assuming pre-existing CF distribution


  • ACM is simple!
  • Benefits for both ELB and Cloud Front
    • Use them together!
  • Next Up: Operations and Troubleshooting

Operations and Troubleshooting

Module Overview

  • Operations: all AWS, all the time
  • Troubleshooting FAQ
  • Course recap

Operations: Shared Responsibility

  • AWS
  • Certificate provisioning
  • Certificate renewal/reissue
  • Certificate rotation
  • Service integration
  • Not AWS responsibility
  • Wolf Creek Dog Rescue
  • Nope
  • Nothing
  • Nada
  • Still nope
  • Associate cert with AWS service

Behind the Scenes: Service Integration with ELB

behind the scenes: service integration with elb for aws

Troubleshooting 1/4

 Why didn’t I receive the approval request email?
 Check spam folder
 Registrar Privacy Protection enabled?

Troubleshooting 2/4

 Why isn’t my ssl certificate being used for cipher XXX?
 Verify that cipher is enabled in the ELB or CloudFront

Troubleshooting 3/4

 Why is my page showing an SSL warning for site name
 Wildcard cert for * isn’t valid

Troubleshooting 4/4

 Why did my certificate request fail?
 Blacklisted domain
 Invalid public domain
 AWS-owned domain

Module Summary

  • Operations: AWS does all the work
  • Troubleshooting: check the AWS docs

Course Wrap Up

  • ACM: easy to use
  • ACM: only 2 integration points
  • WCDR: no effort spent learning a new service!
  • WCDR: low cost solution
  • WCDR: focus on core competency!


aws questions

Thanks for You!