AWS ACM provides an API to export the public certificate via CLI.
https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html
When certificates are renewed, the exported ones will not remain valid, and there's no API to export the public key.
Is there a way to extract, or otherwise retrieve the public key from an ACM public certificate?
AWS ACM provides an API to export the public certificate via CLI.
Sadly this is not the case. The link is for AWS ACM Private CA, which is related to AWS ACM, but it's not the same:
Exports a private certificate issued by a private certificate authority (CA) for use anywhere.
In short, AWS ACM certificates can't be exported, while those from AWS ACM Private CA can. However, SSL certs from AWS ACM Private CA are not public, can't be used on the internet and are not free.
If you need to have control of the private key of your SSL cert, you need to get it from a third party, not from ACM.
I assume that you want the private key, not the public one. You can get the public key from a browser when you connect to your website protected by an SSL cert from ACM.
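As an added example (not part of the answer above), the following POSIX shell script shows the distinction the answer draws: ACM never hands out the private key, but the public certificate itself can be read with `aws acm get-certificate`, and the public key is derivable from that certificate with `openssl`, no browser needed. The certificate ARN is a placeholder, and the self-signed certificate generated by `make_sample_cert` is a constructed stand-in so the helper functions can be exercised offline; it assumes the AWS CLI and `openssl` are installed.

```shell
#!/bin/sh
# Added example: derive a public key and fingerprint from an ACM certificate.
# ACM exports the public certificate (not the private key); everything below
# works on that certificate alone. ARN and file names are placeholders.
set -eu

# Print the PEM-encoded public key embedded in a PEM certificate file.
# Works for any X.509 certificate, ACM-issued or otherwise.
public_key_from_cert() {
    openssl x509 -in "$1" -pubkey -noout
}

# Print the SHA-256 fingerprint of the certificate (hex, colon separated).
# Useful for pinning, or for confirming that a renewed ACM certificate has
# actually been picked up by whatever is comparing against the old one.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the public certificate of an ACM certificate. `get-certificate`
# returns the leaf and its chain; the JMESPath query keeps the leaf only.
fetch_acm_certificate() {
    aws acm get-certificate --certificate-arn "$1" \
        --query Certificate --output text
}

# Constructed sample: a throwaway self-signed certificate standing in for the
# one ACM would return, so the functions above can run without AWS access.
make_sample_cert() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample.example.internal" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
    echo "$tmp/cert.pem"
}

# Real-world usage, only when invoked with --live so the script stays offline
# by default: pull the certificate from ACM and print its public key.
if [ "${1:-}" = "--live" ]; then
    fetch_acm_certificate "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER" \
        > acm-cert.pem
    public_key_from_cert acm-cert.pem
    cert_fingerprint acm-cert.pem
fi
```

Run it with `--live` after replacing the ARN placeholder; without arguments it only defines the functions. Because ACM rotates the key pair on managed renewal, anything that pins the fingerprint or public key printed here must be refreshed when the certificate is renewed, which is exactly the caveat the question raises.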
Related
I have an application which uses the certificate from a Java key store which is physically stored on an EC2 machine. I want to use the certificate from ACM directly at runtime without storing it on the EC2 server.
You can't export AWS ACM certificates. From docs:
You cannot export a publicly trusted ACM certificate or its private key.
If you want to use them with your instances, you either have to front it with load balancer or CloudFront where you can deploy the ACM certs. Other options on how you can use ACM are listed here.
I don't want to use a private CA and create private certificates. Is it possible to create a public certificate using ACM for an internal (NOT internet facing) ALB? If yes, then how can it be created?
As per the ACM FAQ below, it looks like it should be possible, but I am not able to figure out how it can be created.
Q: Can I use public certificates for internal Elastic Load Balancing load balancers with no public internet access?
Yes, but you can also consider using ACM Private CA to issue private certificates that ACM can renew without validation. See Managed Renewal and Deployment for details about how ACM handles renewals for public certificates that are not reachable from the Internet and private certificates.
You would have to add a Route53 private zone to your VPC that matches the domain name of the certificate, with an ALIAS record pointing at the load balancer that matches the FQDN in the SSL certificate. All connections to the internal load balancer would have to use that domain name in order for the load balancer to serve the certificate.
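To make the answer above concrete, here is an added example (not the answerer's own code) that builds the private hosted zone and the ALIAS record with the AWS CLI. The zone name, VPC ID, region, load balancer DNS name and the load balancer's hosted zone ID are all placeholders; note that `HostedZoneId` inside `AliasTarget` is the load balancer's own zone ID (from `describe-load-balancers`), not the private zone being created. AWS is only called when `APPLY=1` is set, so the generated change batch can be inspected first.

```shell
#!/bin/sh
# Added example: private Route53 zone + ALIAS record for an internal ALB so
# that the FQDN in the ACM certificate resolves inside the VPC. All IDs and
# names are placeholders; nothing touches AWS unless APPLY=1.
set -eu

ZONE_NAME="internal.example.com"          # must cover the certificate's domain
RECORD_FQDN="api.internal.example.com"    # the exact name clients will connect to
VPC_ID="vpc-PLACEHOLDER"
REGION="us-east-1"
ALB_DNS="internal-api-PLACEHOLDER.us-east-1.elb.amazonaws.com"
ALB_ZONE_ID="ZPLACEHOLDER"                # the ALB's hosted zone id, not ours

# Emit the change batch for an ALIAS A record pointing at the load balancer.
# An alias (rather than a CNAME) also works at the zone apex, and
# EvaluateTargetHealth lets the record follow the ALB's health state.
alias_change_batch() {
    fqdn=$1; alb_dns=$2; alb_zone=$3
    cat <<EOF
{
  "Comment": "ALIAS $fqdn -> internal ALB",
  "Changes": [{
    "Action": "UPSERT",
    "ResourceRecordSet": {
      "Name": "$fqdn",
      "Type": "A",
      "AliasTarget": {
        "HostedZoneId": "$alb_zone",
        "DNSName": "$alb_dns",
        "EvaluateTargetHealth": true
      }
    }
  }]
}
EOF
}

# Create the private zone associated with the VPC, then upsert the alias.
# caller-reference must be unique per create call; a timestamp suffices here.
apply_dns() {
    zone_id=$(aws route53 create-hosted-zone \
        --name "$ZONE_NAME" \
        --caller-reference "$(date +%s)" \
        --hosted-zone-config PrivateZone=true \
        --vpc "VPCRegion=$REGION,VPCId=$VPC_ID" \
        --query HostedZone.Id --output text)
    alias_change_batch "$RECORD_FQDN" "$ALB_DNS" "$ALB_ZONE_ID" > /tmp/change.json
    aws route53 change-resource-record-sets \
        --hosted-zone-id "$zone_id" --change-batch file:///tmp/change.json
}

# From inside the VPC, confirm the ALB presents the certificate for the name
# clients use. A mismatch between -servername and the cert's subject/SAN is
# the usual reason the certificate "is not served" on an internal ALB.
check_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_dns
    check_served_cert "$RECORD_FQDN"
fi
```

Clients must use `RECORD_FQDN` (not the raw `*.elb.amazonaws.com` name) for the handshake to succeed, since the ACM certificate only covers your own domain; `check_served_cert` is the quickest way to see which certificate the load balancer actually returns for a given SNI name.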
We are thinking of using our own Private Certificate Authority within AWS. Using the information provided here, we were able to create a private certificate and import it into ACM. However, when we try to refer to this private certificate when creating a Custom Domain in API Gateway (via Terraform), we get an error that the certificate does not exist. If we try to create the custom domain via the AWS console, the certificate doesn't show up at all. Do certificates have any IAM policy associated with them?
ACM's Private Certificate Authority is only for internal use within your company:
This service is for enterprise customers building a public key infrastructure (PKI) inside the AWS cloud and intended for private use within an organization
Certificates issued by a private CA are trusted only within your organization, not on the internet.
You can't use them on API Gateway. For that you require public certificates which you can get for free from ACM.
If your private certificate is managed by ACM, you should be able to use it on API gateway:
With ACM Private CA you can choose to delegate certificate management to ACM for certificates used with ACM-integrated services, such as Elastic Load Balancing and API Gateway.
We have an application running in Windows EC2 and we don't have any ELB or ALB for the application.
Can we use AWS private CA on this?
Please refer to this URL:
https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
As per this URL, we must use Elastic Load Balancing / Amazon CloudFront / AWS Elastic Beanstalk / Amazon API Gateway / AWS CloudFormation services to integrate AWS Certificate Manager. We are not using any of these services in our application.
Thanks,
Subhadeep
ACM Private CA certificates can be used with any platform, inside or outside of AWS, but this service creates a private certificate authority -- for use in a private infrastructure, like a corporate network.
This is not something used for public web sites.
A private CA handles the issuance, validation and revocation of private certificates within a private network (i.e. not the public internet).
https://aws.amazon.com/certificate-manager/faqs/#acm-private-ca
We have a RESTful web services application running on an AWS EC2 instance. We have a requirement for calling a third-party API, which needs a JWT token signed with a CA certificate to trust our API call. We have created a CA certificate using Amazon Certificate Manager and imported it into the Amazon ELB containing the EC2 instance. How can we access the private key of the certificate from our application for signing the JWT token?
You cannot access the private key for the certificates stored in ACM. You will need to acquire a CA certificate for signing the JWT. Then install the certificate on your EC2 instance so that the signing code can access it.