Working with AWS Certificate Manager Public Certificates
Start course
3h 55m

This section of the AWS Certified Solutions Architect - Professional learning path introduces you to the core networking concepts and services relevant to the SAP-C02 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking, DNS, and content delivery services to meet specific design scenarios relevant to the AWS Certified Solutions Architect - Professional exam. 

Want more? Try a Lab Playground or do a Lab Challenge

Learning Objectives

  • Get a foundational understanding of VPCs, their security, and connectivity
  • Learn about VPC sharing using the AWS Resource Access Manager
  • Discover inter-regional and intra-regional communication patterns in AWS
  • Learn about AWS Direct Connect, along with its implementation, configuration, and connectivity options
  • Understand routing in AWS, including static and dynamic routing
  • Understand the basics of networking, including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
  • Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront

In this lesson, we will discuss the process of requesting a public certificate from AWS Certificate Manager. AWS Certificate Manager is a regional service. This means that if you want to request a public certificate for use with an ELB in the EU West 2, then you must use AWS Certificate Manager in EU West 2. Interestingly, if you need a digital certificate for use with CloudFront, you need to use AWS Certificate Manager in North Virginia, US East 1. Here you can see the AWS Certificate Manager console in the Ireland region. 

To start your certificate request, you select request certificate. If you choose request certificate, you'll be asked if you want to request a public certificate or a private certificate. Notice here that the request private certificate option is grayed out. That is because a private certificate authority has not been created yet. When you request a public certificate from AWS Certificate Manager, you need to provide the following information. The fully qualified domain name or names for the sites you wish to protect with your digital certificate, for example, and the validation method, either DNS validation or email validation.

Before AWS Certificate Manager can issue a public certificate, you must prove that you own or control all the domain names that you've listed in your request. When using DNS validation, a CNAME record needs to be added to each domain listed in your certificate request. By adding the appropriate CNAME record, you are proving you have control of the DNS domain. If you are using Route53 and have the appropriate permissions, then AWS Certificate Manager can add the appropriate CNAME records for you. 

If you are using a third-party DNS service, you must add the CNAME record yourself. If you choose email validation, emails will be sent to the registered contacts on the who is database. This will include the domain registrant, the technical contact, and the administrative contact. The information about these contacts would have been provided when the domain was purchased. Multiple emails will be sent. In order to validate the domain, you must respond to one of these emails within 72 hours.

Once validated, the new public certificate will be issued and you can then use it to secure your AWS services. In this demonstration, we will request a public certificate from AWS Certificate Manager and use it to add a secure listener to an application load balancer. I'm here in the EC2 dashboard. I've installed and selected an application load balancer. If I select the listeners' tab, we can see this load balancer has a single listener listening out on HTTP port 80. I want this load balancer to use a secure listener and that means request a digital certificate from AWS Certificate Manager. So, let's switch to the AWS Certificate Manager dashboard. I'm in the AWS Certificate Manager dashboard for the Ireland region. Remember, Certificate Manager is a regional service. Let's select 'Request a certificate'. Notice here, my only option is to request a public certificate; that's because I've yet to install a private certificate authority.

So, we request public certificate selected, I click 'Next'. I then provide the fully qualified domain names that I wish to include in my certificate request and I'm going to use this certificate to secure. We then choose a validation method, either email validation or DNS validation. I will leave DNS validation selected, and select request. We can see that the certificate has been successfully requested and is pending validation. If I select the certificate, here we can see the CNAME information that we would add to our DNS zone in order to validate the certificate. 

Notice that if this domain is hosted in Route53, we can select create records in Route53 and as long as the user account we're logged in with has the appropriate permissions, the CNAME records will be automatically created for us. Back in the Certificate Manager dashboard, now that our DNS entries have been added and the certificate has been validated, we see the status is set to issued. Now let's go back to our load balancer and use this certificate to create a secure listener.

With the load balancer selected, I select the listener's tab and then select add listener. We choose the appropriate protocol and port combination and then select the add action dropdown. In this example, I want all https port 44 free traffic to be forwarded to a target group. So, I select forward and then from the target group dropdown, I select my target group. If I then scroll down a little bit, we can see the certificate section. And in the select the certificate dropdown, I can choose my certificate. All we have to do now is select add and then view listeners. So, here we can see we have now both HTTP and HTTPS listener. If required, you can remove the HTTP listener to enforce the use of HTTPS.


About the Author
Learning Paths

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.