AWS EMR encryption with a custom key provider - self-signed vs trusted CA certificate - amazon-web-services

Looking to use a custom certificate for in-transit encryption between the EMR nodes. Since I'm not using a DHCP option set with my own domain, the EMR instances will have private DNS names of the form *.us-west-1.compute.internal.
Is it worth issuing a certificate (from a corporate CA) covering *.us-west-1.compute.internal and using that certificate for encryption? Would this certificate provide better security compared to a self-signed certificate with the same CN?
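Before deciding who signs the certificate, it is worth confirming which node names a certificate for *.us-west-1.compute.internal actually covers. The following is an added example, not code from the question or from EMR: a small hostname matcher implementing the RFC 6125 wildcard rules that TLS clients apply, run over constructed sample node names in the form EMR assigns when no custom DHCP option set is in use.

```python
"""Check which EMR node names a wildcard certificate name covers.

Added example, not from the original question. The node names below are
constructed samples in the shape EMR uses without a custom DHCP option set.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied (RFC 6125 section 6.4.3, as TLS clients implement them):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is only allowed as the entire leftmost label ("*.example");
    - the wildcard matches exactly one label, never zero or several;
    - a wildcard needs at least two labels to its right, so "*.internal"
      and a bare "*" are rejected as over-broad.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    h_labels = hostname.split(".")
    if any(not label for label in h_labels):
        return False  # malformed name such as "a..b" never matches
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # wildcard must be the whole leftmost label, once
    if len(p_labels) < 3:
        return False  # "*.internal" or "*" would cover far too much
    if len(h_labels) != len(p_labels):
        return False  # the wildcard spans exactly one label
    return h_labels[1:] == p_labels[1:]


def coverage(pattern: str, hostnames) -> dict:
    """Map each hostname to whether the certificate name `pattern` covers it."""
    return {host: dns_name_matches(pattern, host) for host in hostnames}


# Constructed sample names: two EMR nodes in us-west-1, a node using the
# us-east-1 style name, a name with an extra label, and the zone apex.
EMR_WILDCARD = "*.us-west-1.compute.internal"
SAMPLE_NODES = [
    "ip-10-0-1-23.us-west-1.compute.internal",
    "ip-10-0-1-24.us-west-1.compute.internal",
    "ip-172-31-5-9.ec2.internal",
    "master.emr.us-west-1.compute.internal",
    "us-west-1.compute.internal",
]

if __name__ == "__main__":
    for host, covered in coverage(EMR_WILDCARD, SAMPLE_NODES).items():
        print(f"{'covered' if covered else 'NOT covered':12} {host}")
```

Note what the check shows: the wildcard matches every single-label host under us-west-1.compute.internal, which is every instance in the region that uses the default private DNS, not only this cluster's nodes. So the name itself does not distinguish cluster members; what does is which certificates the nodes' trust store accepts, whether that is the one self-signed certificate itself or everything a corporate CA issues.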

Related

How to export certificate from AWS Certificate M to import into java keystore at runtime without storing the certificate physically on my ec2 machine

I have an application which uses a certificate from a Java keystore that is physically stored on the EC2 machine. I want to use the certificate from ACM directly at runtime without storing it on the EC2 server.
You can't export AWS ACM certificates. From docs:
You cannot export a publicly trusted ACM certificate or its private key.
If you want to use them with your instances, you either have to front them with a load balancer or CloudFront, where you can deploy the ACM certs. Other options for how you can use ACM are listed here.

Use self-signed imported certificate in AWS

AWS ELB supports having multiple certificates, and I can add multiple certificates (both Amazon-issued and some certificates signed by a Private CA in AWS).
I have some self-signed private certificates which I have successfully imported and would like to use with my ELB, but the certificate list does not show these imported certificates. I can see these certificates under ACM (Amazon Certificate Manager). The certificates are imported in the same region as my ELB.
I don't know why they do not appear in the ELB list.
If the certificate you loaded into ACM does not meet the security requirements for the ELB, it will not show up in the drop-down to be applied. Check the security settings on the certificate and the requirements of the ELB and adjust as needed.
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html
Note: You can upload your certificate to IAM and use it from there but this is not recommended.
aws iam upload-server-certificate --server-certificate-name mycert --certificate-body file://public.pem --private-key file://private.pem

Can I use a self-signed certificate on an AWS instance if the load balancer has a valid CA certificate?

We are using Cloudflare, which points to an AWS load balancer in front of an EC2 instance. The goal here is to have end-to-end encryption but I am trying to understand which parts of this setup actually require a certificate from a Certificate Authority, and whether or not we can use a complete set of free certificates between Cloudflare and AWS.
Cloudflare - We can use their free Universal SSL certificate to secure the traffic from Cloudflare to the load balancer.
AWS Load Balancer - We can use a free AWS certificate which is attached to the load balancer. This same certificate cannot be installed on the EC2 instance.
EC2 Instance - Can we use a self-signed certificate here, or do we need to continue purchasing certificates from a recognised authority? My understanding here is that, yes, we can just use a self-signed certificate and everything will be secure without raising any warnings about the self-signed nature of the certificate, as long as the load balancer has a valid CA certificate from Amazon or other authority.
Cloudflare is set to Full SSL mode which does not validate the origin certificate and will allow it to be self-signed, but I assume this only applies to the load balancer in our case.
You can use whichever SSL certificate you want on the instance, self-signed or from a certificate authority.
By doing this the data will be encrypted in transit between your load balancer and the EC2 instance.
It is only the AWS services that require either an ACM cert or an uploaded cert from a valid certificate authority.
Ensure that your servers are kept private if you're using self-signed certificates.

Renewal of SSL certificate by ACM

I just want to know whether ACM provides the renewed SSL certificate to CloudFront or Elastic Load Balancer. Further, does CloudFront deliver the renewed SSL certificate to the client on request from the client, or does it just push the updated SSL certificate for an established session?
Please reply.
Thanks,
John
From the AWS Documentation:
ACM provides managed renewal for your Amazon-issued SSL/TLS certificates. This means that ACM tries to renew the certificates before they expire. If possible, ACM renews your certificates automatically with no action required from you.
Note: Automatic renewal is not available for either imported certificates or for certificates associated with Route 53 private hosted zones. You must renew these manually. For more information, see How Manual Domain Validation Works.
Note: When ACM renews a certificate, the certificate's Amazon Resource Name (ARN) remains the same. Also, ACM Certificates are regional resources. If you have certificates for the same domain name in multiple AWS Regions, ACM renews each of these certificates independently.
Important: Your ACM Certificate must be actively associated with a supported AWS service before it can be automatically renewed. For information about the resources that ACM supports, see Services Integrated with AWS Certificate Manager.
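The two threads above (the imported certificate that does not appear in the ELB list, and the renewal question) both come down to a handful of fields that `aws acm describe-certificate` reports. The following is an added example, not code from either answer or from AWS: it triages that command's JSON output, checking status, expiry, key algorithm, region against the load balancer's region, and whether ACM will renew the certificate or you must. The `ALLOWED_KEY_ALGORITHMS` set is an assumption to be filled in from the ELB documentation linked above, and both sample documents are constructed, with a placeholder account ID and certificate IDs.

```python
"""Triage `aws acm describe-certificate` output for load-balancer use.

Added example, not from the answers above. The two JSON documents below
are constructed samples in the shape the CLI prints; the ARNs use the AWS
example account 123456789012 and placeholder certificate IDs.
"""
from datetime import datetime, timezone

# Assumption for this example: the key types your load balancer type accepts.
# Set this from the ELB/ACM documentation; it is not taken from the page.
ALLOWED_KEY_ALGORITHMS = {"RSA-2048"}


def triage(describe_output: dict, elb_region: str, now: datetime) -> dict:
    """Report whether the certificate is usable on a load balancer in
    `elb_region` and how it will be renewed. `now` must be timezone-aware."""
    cert = describe_output["Certificate"]
    arn = cert["CertificateArn"]
    cert_region = arn.split(":")[3]  # arn:aws:acm:REGION:ACCOUNT:certificate/ID
    not_after = datetime.fromisoformat(cert["NotAfter"])
    findings = []
    if cert.get("Status") != "ISSUED":
        findings.append(f"status is {cert.get('Status')}, not ISSUED")
    if not_after <= now:
        findings.append(f"expired on {not_after.date()}")
    if cert.get("KeyAlgorithm") not in ALLOWED_KEY_ALGORITHMS:
        findings.append(f"key algorithm {cert.get('KeyAlgorithm')} is not in the allowed set")
    if cert_region != elb_region:
        # ACM certificates are regional; a load balancer only lists those in its own region.
        findings.append(f"certificate is in {cert_region}, load balancer is in {elb_region}")

    # Renewal: imported certificates are never renewed by ACM, and an
    # Amazon-issued certificate is renewed only while a supported service uses it.
    if cert.get("Type") == "IMPORTED":
        renewal = "manual: imported certificates are not renewed by ACM"
    elif not cert.get("InUseBy"):
        renewal = "manual until the certificate is associated with a supported AWS service"
    elif cert.get("RenewalEligibility") == "ELIGIBLE":
        renewal = "automatic (the ARN stays the same after renewal)"
    else:
        renewal = "manual: ACM reports the certificate as ineligible for renewal"

    return {
        "arn": arn,
        "usable_on_elb": not findings,
        "findings": findings,
        "renewal": renewal,
        "days_left": (not_after - now).days,
    }


# Constructed sample: a self-signed certificate imported into ACM, not in use.
SAMPLE_IMPORTED = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder-imported",
    "DomainName": "app.example.internal",
    "Status": "ISSUED",
    "Type": "IMPORTED",
    "KeyAlgorithm": "RSA-4096",
    "NotAfter": "2025-03-01T00:00:00+00:00",
    "InUseBy": [],
    "RenewalEligibility": "INELIGIBLE",
}}

# Constructed sample: an Amazon-issued certificate attached to a load balancer.
SAMPLE_AMAZON_ISSUED = {"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder-issued",
    "DomainName": "www.example.com",
    "Status": "ISSUED",
    "Type": "AMAZON_ISSUED",
    "KeyAlgorithm": "RSA-2048",
    "NotAfter": "2025-03-01T00:00:00+00:00",
    "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/placeholder-elb"],
    "RenewalEligibility": "ELIGIBLE",
}}

# Fixed reference time so the sample runs reproducibly; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sample in (SAMPLE_IMPORTED, SAMPLE_AMAZON_ISSUED):
        report = triage(sample, "us-east-1", NOW)
        print(report["arn"])
        print("  usable on ELB:", report["usable_on_elb"], report["findings"])
        print("  renewal:", report["renewal"], f"({report['days_left']} days left)")
```

In practice, feed the function the parsed output of `aws acm describe-certificate --certificate-arn <arn>` for each certificate you expected to see in the load balancer's list; the findings tell you which requirement the certificate missed, and the renewal line tells you which certificates need a calendar reminder rather than relying on ACM.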

AWS EC2 instance import ACM generated certificate

We have a RESTful web services application running on an AWS EC2 instance. We have a requirement for calling a third-party API, which needs a JWT token signed with a CA certificate to trust our API call. We have created a CA certificate using Amazon Certificate Manager and imported it into the Amazon ELB containing the EC2 instance. How can we access the private key of the certificate from our application for signing the JWT token?
You cannot access the private key for certificates stored in ACM. You will need to acquire a CA certificate for signing the JWT, then install the certificate on your EC2 instance so that the signing code can access it.