The new AWS Certificate Manager is a free tool that provides full SSL certificates for Elastic Load Balancing and AWS CloudFront. The service features automatic integration with AWS cloud services and will automatically renew an AWS SSL certificate -- without requiring administrators to take any action. This could be a huge improvement over traditional SSL generation methods or automated tools, such as LetsEncrypt.org.
SSL certificates provide a way to prove that end users are who they say they are; these certificates do not verify that a website is legitimate or isn't spam, but they do prevent man-in-the-middle attacks. A trusted source ensures that the server that is responding owns the domain. A business generates an encryption key and then verifies it owns the domain. Next, a trusted authority -- a Certificate Authority (CA) -- signs the encryption key stating verification. The CA verifies that your encryption key is valid for a certain period of time, and for a certain "Common Name," which is the domain you verified.
Traditional SSL encryption methods
Traditional SSL providers, such as GoDaddy and RSA, provide companies with an SSL certificate, typically for one year, and at a high cost. A typical wildcard SSL certificate, which must be renewed every year, can cost almost $300. For a single domain, companies will pay more than $60 per year for this certificate.
And managing an SSL certificate such as this takes some work. For instance, if you forget to renew your certificate, you're in trouble, because every user who comes to your site will hit a warning and probably bail out immediately. Every modern Web browser will stop a user from accessing a site with an expired SSL certificate, and your site effectively becomes blocked. The renewal process isn't simple, and you'll have to spend a few hours just to get the new certificate and upload it.
Newer SSL encryption tools
SSL methods are advancing. At the end of 2015, LetsEncrypt.org became a free alternative to buying SSL certificates from traditional hosting providers like GoDaddy. The organization was able to offer these free certificates because it has its own trusted CA and the process is automated. LetsEncrypt.org uses a completely automated system to let domain name owners request an SSL certificate; the organization validates that the company owns that domain by hitting a URL and having the server return a challenge response.
However, LetsEncrypt.org is still very much in early beta, and does not support wildcard SSL certificates. The tool has an automated process that allows the renewal of certificates, but it requires development effort to implement; SSL certificates only last three months.
AWS Certificate Manager
AWS Certificate Manager takes some of the ideas of older SSL certificate methods and adds a bit more. Like LetsEncrypt.org, AWS Certificate Manager is free. However, the AWS SSL certificate tool validates that a company owns a domain by emailing a few common email addresses for a domain, including:
It will also email the "Registrant Email" that shows up in the "whois" record when a company registers its domain. This is probably controlled by the registrar and not the admin -- so it's best to monitor one of the admin email accounts on the domain.
All an admin needs to do is receive one of those email addresses and click a link in the email. Because of this, AWS also supports wildcard certificates. For example, if the domain is "aci.info," and you want to protect "*.aci.info" -- and all subdomains under aci.info -- an admin must be able to respond to an email from "[email protected]" or from one of the other email addresses in the list.
The downside of AWS Certificate Manager is that a company can only use the AWS SSL certificate on Elastic Load Balancing or AWS CloudFront. It doesn't work directly on an application, and you can't use it outside of AWS.
How to deploy a secure CloudFront distribution
AWS EBS encryption takes a step forward
Understanding S3 encryption key options