Free Amazon SSL certificates' value is a matter of trust

Whether the new AWS Certificate Manager service will work for you depends on how much you trust Amazon in general, experts say.

The new AWS Certificate Manager can provide SSL certificates for free, a boon to shops that trust certificates signed by Amazon.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) create an encrypted link between a server and a client, most often between a Web server and a browser. SSL certificates are small data files that bind a cryptographic key to an organization's details. These certificates are issued by a certificate authority, most notably VeriSign. Web hosting companies such as GoDaddy offer third-party certificates -- for a fee. In GoDaddy's case, that fee starts at $69.99 per certificate per year.

But now, Amazon has established a certificate authority called Amazon Trust Services that will issue Amazon-signed SSL certificates for free.

The news -- particularly the price -- quickly grabbed AWS customers' attention.

"It's a low level…activity that, if AWS is offering to manage it and make the certs available for free, that seems really interesting," said Greg Arnette, CTO for Sonian, Inc., an email archiving cloud service provider located in Dedham, Mass.

Right now it is an employee's responsibility -- and one they spend a significant amount of time on -- to make sure SSL certificates don't expire, Arnette said, estimating that SSL certificates cost his company on the order of thousands of dollars per year.

Having SSL certificates' expiration managed by Amazon "would free up someone's time to be used on more value-add activities," Arnette said.

"I think it's about time," Arnette added. "Everyone who wants to be SSL-encrypted has had to pay a tax on that."

Other AWS users echoed Arnette's interest, saying the price is definitely right.

"This is functionality that we need in our business because proper security for our customers is very important, and this removes the cost barrier that has historically forced cost-sensitive customers not to use SSL with our offering," said Dale Hopkins, chief architect at Vendasta Technologies in Saskatoon, Sask., which builds sales and marketing software for media companies.

It's a pretty clear advantage for any software as a service customer who uses a lot of domains with their offerings and wants to provide SSL security, Hopkins said.

But with Amazon as the certificate signing authority in this case, whether users will adopt AWS Certificate Manager depends on their level of trust in Amazon, according to Edward Haletky, CEO of the Virtualization Practice LLC in Austin, Texas.

"If you're going to be trusting Amazon, then you're going to be trusting Amazon -- you're already trusting them to host your workloads," Haletky said.

Certificates provided by ACM are issued from Amazon's certificate authority, which is owned by Amazon Trust Services LLC. The Amazon certificate authority is a public certificate authority, like GoDaddy, Symantec/VeriSign and Comodo, and features public documentation and WebTrust audit statements.

Customers who choose to use certificates from other certificate authorities can still, as they could before this launch, upload them to AWS and associate them with their load balancers or Amazon CloudFront distributions.

Still, some customers may be hesitant to get on board with AWS Certificate Manager, according to cloud consultants.

"Many of our clients compete with Amazon on a retail front and are not comfortable with certain items [such as] encryption keys [and] DNS being hosted at a competitor," said Kris Bliesner, CTO and co-founder of 2nd Watch, a managed public cloud provider and AWS partner. 

One such customer is FlightStats Inc., a global data service company in the aviation space, located in Portland, Ore.

"We won't tie our certs to AWS since we want to maintain control of the certs themselves, and we have a need to support hybrid cloud, which this doesn't support," said Alex Witherspoon, vice president of platform engineering for FlightStats. "I see this as a huge win for the SMB or any homogenous AWS user, because cert administration is often a technical burden that smaller outfits don't need or really want to absorb."

Other cloud consultants have seen a movement towards using Amazon for root DNS and say SSL certificates are a natural next step.

Adding in the SSL just makes for a better complement to that, said Adam Book, principal engineer and senior cloud architect for Relus Technologies, a cloud consulting firm. 

AWS Certificate Manager is currently supported in the US-East region only, and with the Elastic Load Balancing and CloudFront services. A company blog post said support for more services is forthcoming.

"It would be very cool if this could also be used for standard LAMP-based AMIs," Haletky said. "However, this is a very nice first step."

AWS Certificate Manager certificates are supported by any browser, application, or OS that includes the Starfield Services Root Certificate Authority - G2, or the Starfield Class 2 Root Certificate Authority.

Beth Pariseau is senior news writer for SearchAWS. Follow @PariseauTT on Twitter.
