Certificates

Amazon provides X.509 certificates, most commonly used for HTTPS, through the AWS Certificate Manager (ACM). Certificates issued by Amazon are short-lived and auto-renewed, which eliminates manual renewal work, configuration changes, and web server restarts.

You should always request certificates from Amazon through ACM for cloud applications. The ADOES-CSI group does not recommend or support importing certificates issued by other CAs.

Amazon will only issue Domain Validated (DV) certificates. Issuing and renewing Extended Validation (EV) certificates cannot be automated, and EV no longer offers any benefit over DV certificates.

You may request a SAN certificate that covers several domains; this is useful for a single ALB listener that serves multiple environments.

CloudFront Gotcha

Any certificate that will be used by CloudFront or an edge-optimized API Gateway (which is built on CloudFront) must be created in the us-east-1 region.

Your app can exist in us-east-2, but CloudFront is a global service and it replicates all of its data from us-east-1.

Usage

When you request a certificate for one (or more) hostnames, you must demonstrate to AWS that you control the hostname(s). It is improper for a Certificate Authority to issue certificates to us for domains we do not control, so Amazon has a request -> prove -> issue process.

Gotcha

Until the process is completed, ACM will not issue a certificate. Attempting to use the unvalidated request's ARN on another resource, such as CloudFront, will fail.

This creates an awkward situation where running terraform apply partially creates your IaC module: the resources that consume the certificate fail, because the validation process has not been completed yet.

Once issued, re-run your terraform apply and it should sort itself out.

Certificate requests should be made as IaC with terraform, or with the vapor certificate <hostname> command if using Vapor.

At a high level, the process is as follows:

entapp

The entapp.northwestern.edu zone is managed by the ADOES-CSI team.

We offer an entapp certificate module, and can offer expedited processing on DNS requests for this zone.

The request will be visible in the ACM console with the 'Pending Validation' status. Amazon will ask you to create a CNAME record (a subdomain) under each domain you've requested a certificate for. Being able to create records in the requested domain(s) proves that you control them.

ACM certificate request

Fill out the Request DNS/DHCP Add form in TeamDynamix:

  • What would you like to add? is CNAME to Existing Domain.
  • New CNAME is the Name value shown in the validation record.
  • Target Domain Name is the Value shown in the validation record.

If there are multiple hostnames, submit the form once for each record.
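The following Terraform is an added example, not the ADOES-CSI entapp module, not Vapor's output, and not code from this page. It requests a DNS-validated certificate in us-east-1 (the CloudFront case described above) and exposes each validation record in the shape the TeamDynamix form asks for. The hostnames and the us_east_1 provider alias are assumed values; as-ado-test.northwestern.edu is only used as an illustration.

```hcl
# Added example: request an ACM certificate with DNS validation and surface
# the CNAME values needed for the DNS/DHCP Add form. Hostnames are examples.

# CloudFront / edge-optimized API Gateway certificates must live in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

variable "hostnames" {
  description = "Primary hostname first, then any SANs (example values)."
  type        = list(string)
  default     = ["as-ado-test.northwestern.edu", "as-ado-test-qa.northwestern.edu"]
}

resource "aws_acm_certificate" "this" {
  provider                  = aws.us_east_1
  domain_name               = var.hostnames[0]
  subject_alternative_names = slice(var.hostnames, 1, length(var.hostnames))
  validation_method         = "DNS"

  # A replacement certificate must exist before the old one is detached.
  lifecycle {
    create_before_destroy = true
  }
}

# One validation record per hostname; submit the form once per entry.
# new_cname -> "New CNAME", target_domain_name -> "Target Domain Name".
output "validation_records" {
  description = "Form values for each requested hostname"
  value = {
    for dvo in aws_acm_certificate.this.domain_validation_options :
    dvo.domain_name => {
      new_cname          = dvo.resource_record_name
      target_domain_name = dvo.resource_record_value
      type               = dvo.resource_record_type
    }
  }
}

# Waits for ACM to see the CNAMEs and issue the certificate instead of
# letting the first consuming resource fail. If the SOC ticket takes longer
# than the timeout, the apply errors; re-run it once the certificate is issued.
resource "aws_acm_certificate_validation" "this" {
  provider        = aws.us_east_1
  certificate_arn = aws_acm_certificate.this.arn

  timeouts {
    create = "75m"
  }
}

# Downstream resources (CloudFront distribution, listener) should reference
#   aws_acm_certificate_validation.this.certificate_arn
# so they are created only after validation succeeds.
```

After the first terraform apply creates the request, the validation_records output lists the Name and Value pair for each hostname; check that the leading underscore survives the copy into the form. For a certificate that only a regional ALB will use, drop the provider alias and create it in the application's own region, since ACM certificates are regional.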

The ticket will be assigned to the SOC. They typically process these in a few hours. If you need to expedite the process, provide the ticket number in the 24x7 SOC channel and ask.

The CNAME record(s) must be completed within 72 hours or Amazon will abandon the certificate request. If that happens, you will need to delete the request and start over.

The DNS records created are only for establishing ownership of the domain and issuing the certificates. They do not set up DNS for the hostname itself (for example, as-ado-test.northwestern.edu); you will need to make a separate request for that.

These records must remain in DNS for the lifetime of the certificate. AWS re-checks them when it comes time to renew the certificate. If the record is deleted, or the certificate is not being used by any AWS service, it will be marked as ineligible for renewal and eventually be deleted from ACM.

Troubleshooting

ACM may take a few minutes to notice the CNAME was created. You may need to wait up to 30 minutes for this to complete -- but typically, it's very quick.

If the validation is failing, attempt to resolve the validation hostname. It has the form _some-big-string.your-actual-host.northwestern.edu. Verify that neither you nor the SOC accidentally dropped the leading underscore from the New CNAME or Target Domain Name values.

$ host _122e7448731887fe8afcad890e3b13fd.loan-applications-prod-aws.northwestern.edu

_122e7448731887fe8afcad890e3b13fd.loan-applications-prod-aws.northwestern.edu is an alias for _226dff081df9a62fd42ea1b431acf9a2.sdgjtdhdhz.acm-validations.aws.