One of the things that confused me when I first started using certificates on AWS was how they could be used with EC2 machines. But, it is not possible to use ACM certificates with EC2 directly because you cannot export certificates from ACM. After all, the service manages the private key. So when a public certificate is created, ACM essentially creates a KMS key which it operates and associates with ACM by setting its alias to
aws/acm. This process is described in detail in the documentation just here.
Suppose you want to use an ACM certificate with an EC2 instance. You can associate the certificate with an Elastic Load Balancer (ELB) or CloudFront distribution in front of your EC2 instances. This allows you to secure traffic to your EC2 instances using SSL/TLS.
After understanding this, I was further confused by people saying that I could use the Private CA feature of ACM to provide certificates to EC2 instances; at this time, I had only ever used Private CAs to be associated with ACM, so I assumed we couldn’t use these CAs with EC2. That assumption was incorrect. The process to do this is as follows:
- Create an AWS Private CA in the AWS Certificate Manager (ACM) Private CA section.
- Create a certificate signing request (CSR) on the EC2 instance where the certificate will be used.
- Use the CSR to request a certificate from the AWS Private CA in the ACM Private CA service.
- Once the certificate is issued, download and install it on the EC2 instance where it will be used.
- Configure your EC2 instance to use the newly-installed certificate.
Always remember that if you do this, you should ensure that your certificates are valid. Also, take care of rotation; they will not be automatically rotated with you configuring that yourself. A good way of achieving this using managed services would be, for example, by using AWS SSM to install these certificates.
Configuration of certificate deployment is dependent on the technology you use; for an apache web server on Amazon Linux for example, you would need to ensure mod_ssl is installed, and then the certificates and private key, and chain are deployed to the appropriate locations for that software.