Import certificate from one aws account to another - amazon-web-services

I'm trying to import the certificate of a domain from AWS Certificate Manager (ACM) on one account to another ... How can I do that?

You can't export an ACM certificate from one AWS Region to another or from one AWS account to another. This is because the default AWS Key Management Service (AWS KMS) key used to encrypt the private key of the certificate is unique for each AWS Region and AWS account. For more information, see ACM private key security.
You can create multiple ACM certificates with the same domain name across different AWS Regions and accounts. You can then use these certificates with services that run on AWS Certificate Manager.
Useful link: https://aws.amazon.com/premiumsupport/knowledge-center/acm-export-certificate/

Related

AWS Using CloudFront and HTTPS outside us-east-1

I made an application in an AWS region different from us-east-1. I already applied for and received an SSL certificate for a custom domain, and it is stored as an ACM certificate in a region different from us-east-1.
To my surprise, when I tried to use this certificate on CloudFront, I was met with this:
"Associate a certificate from AWS Certificate Manager. The certificate must be in the US East (N. Virginia) Region (us-east-1)."
A quick search informed me that:
"You can't export an ACM certificate from one AWS Region to another or from one AWS account to another. This is because the default AWS Key Management Service (AWS KMS) key used to encrypt the private key of the certificate is unique for each AWS Region and AWS account.
Resolution: You can create multiple ACM certificates with the same domain name across different AWS Regions and accounts. "
How do I solve this, can I just request a new ACM certificate for a new region (ie. us-east-1)? Will this impact my certificate that is already in use for the original region?
Yes, you need to provision the same certificate (for a given domain) in the us-east-1 region and use it for your global CloudFront distribution. Your regional certificate (outside the global region) will not be impacted. Usually, regional certificates are attached to your ALB, and the CloudFront distribution utilizes a certificate from the North Virginia region (global region).
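The two-region layout this answer describes, as an added Terraform example that is not part of the original thread: one certificate for the ALB in the application region and a second one for the same domain in us-east-1 for CloudFront, requested through a provider alias. The regions, domain name and hosted zone id are assumptions.

```hcl
provider "aws" {
  region = "eu-west-1"             # assumed application region
}

provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"             # CloudFront only accepts certificates from here
}

# Regional certificate: attached to the ALB, unaffected by the CloudFront one.
resource "aws_acm_certificate" "alb" {
  domain_name       = "app.example.com"   # assumed domain
  validation_method = "DNS"
}

# Second certificate for the same domain, issued in us-east-1 for CloudFront.
# It is a separate ACM resource; neither private key ever leaves its region.
resource "aws_acm_certificate" "cloudfront" {
  provider          = aws.us_east_1
  domain_name       = "app.example.com"
  validation_method = "DNS"
}

# ACM issues the same validation CNAME for a domain within one account, so the
# union of both certificates' validation options collapses to a single record.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in setunion(
      aws_acm_certificate.alb.domain_validation_options,
      aws_acm_certificate.cloudfront.domain_validation_options,
    ) : dvo.resource_record_name => dvo
  }
  zone_id = "Z0000000000000EXAMPLE"       # placeholder hosted zone id
  name    = each.value.resource_record_name
  type    = each.value.resource_record_type
  records = [each.value.resource_record_value]
  ttl     = 60
}

# Wait for issuance in each region before handing the ARNs to the consumers.
resource "aws_acm_certificate_validation" "alb" {
  certificate_arn         = aws_acm_certificate.alb.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

resource "aws_acm_certificate_validation" "cloudfront" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.cloudfront.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}
```

The ALB listener takes `aws_acm_certificate_validation.alb.certificate_arn`, while the CloudFront distribution's `viewer_certificate` block takes `aws_acm_certificate_validation.cloudfront.certificate_arn`.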

How to export certificate from AWS Certificate M to import into java keystore at runtime without storing the certificate physically on my ec2 machine

I have an application which uses the certificate from a Java keystore which is physically stored on the EC2 machine. I want to use the certificate from ACM directly at runtime without storing it on the EC2 server.
You can't export AWS ACM certificates. From docs:
You cannot export a publicly trusted ACM certificate or its private key.
If you want to use them with your instances, you either have to front them with a load balancer or CloudFront, where you can deploy the ACM certs. Other options on how you can use ACM are listed here.

Imported Private Certificates cannot be linked to Api Gateway in AWS

We are thinking of using our own Private Certificate Authority within AWS. Using the information provided here, we were able to create a private certificate and import it into ACM. However, when we try to refer to this private certificate when creating a Custom Domain in API Gateway (via Terraform), we get an error that the certificate does not exist. If we try to create the custom domain via the AWS console, the certificate doesn't show up at all. Do certificates have any IAM policy associated with them?
ACM's Private Certificate Authority is only for internal use within your company:
This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization
Certificates issued by a private CA are trusted only within your organization, not on the internet.
You can't use them on API Gateway. For that you require public certificates, which you can get for free from ACM.
If your private certificate is managed by ACM, you should be able to use it on API Gateway:
With ACM Private CA you can choose to delegate certificate management to ACM for certificates used with ACM-integrated services, such as Elastic Load Balancing and API Gateway.

API Gateway + GovCloud + Custom Domain Name with SSL Cert

I am working in a GovCloud account for client work and CANNOT use us-east-1, as it does not exist in GovCloud.
In the API Gateway console -> Custom Domain Names page the following text appears:
"To use an ACM certificate with API Gateway, you must request or import the certificate in the US East (N. Virginia) region."
How would I go about importing or creating a cert in ACM in us-east-1, as GovCloud does not interact with that region?
How can I configure / script a custom domain name with API Gateway in GovCloud?
Actually, that message only applies to 'Edge Optimized' APIs, which are not available in GovCloud anyway. You can use a GovCloud ACM cert with a Regional endpoint type.
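The regional setup this answer points to, as an added Terraform example that is not from the original thread: the certificate is requested in the GovCloud region itself and attached to a REGIONAL custom domain, so us-east-1 is never involved. The region, domain name, API name and stage are assumptions, and the DNS validation CNAME is assumed to be published outside this configuration.

```hcl
provider "aws" {
  region = "us-gov-west-1"           # assumed GovCloud region
}

# Request the certificate in the same GovCloud region as the API.
resource "aws_acm_certificate" "api" {
  domain_name       = "api.example.com"   # assumed domain
  validation_method = "DNS"
}

# Blocks until the validation CNAME (published elsewhere) has been seen by ACM.
resource "aws_acm_certificate_validation" "api" {
  certificate_arn = aws_acm_certificate.api.arn
}

resource "aws_api_gateway_rest_api" "api" {
  name = "govcloud-api"                   # assumed API name
  endpoint_configuration {
    types = ["REGIONAL"]                  # EDGE is the type that needs us-east-1
  }
}

# REGIONAL custom domain: uses regional_certificate_arn rather than
# certificate_arn, so a certificate from the API's own region is accepted.
resource "aws_api_gateway_domain_name" "api" {
  domain_name              = "api.example.com"
  regional_certificate_arn = aws_acm_certificate_validation.api.certificate_arn
  security_policy          = "TLS_1_2"
  endpoint_configuration {
    types = ["REGIONAL"]
  }
}

resource "aws_api_gateway_base_path_mapping" "api" {
  api_id      = aws_api_gateway_rest_api.api.id
  stage_name  = "prod"                    # assumes this stage is already deployed
  domain_name = aws_api_gateway_domain_name.api.domain_name
}

# DNS for api.example.com should alias to this regional hostname.
output "regional_domain_name" {
  value = aws_api_gateway_domain_name.api.regional_domain_name
}
```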

AWS EC2 instance import ACM generated certificate

We have a RESTful web services application running on an AWS EC2 instance. We have a requirement for calling a third-party API, which needs a JWT token signed with a CA certificate to trust our API call. We have created a CA certificate using Amazon Certificate Manager and imported it into the Amazon ELB containing the EC2 instance. How can we access the private key of the certificate from our application for signing the JWT token?
You cannot access the private key for the certificates stored in ACM. You will need to acquire a CA certificate for signing the JWT. Then install the certificate on your EC2 instance so that the signing code can access it.