Course info
Sep 1, 2016

SSL certificate management should take very little or no effort from an operations perspective. This course, Managing Certificates with AWS Certificate Manager, will help you get up and running. First, you'll get a review of SSL certificates and where they are applied in application infrastructure. Next, you'll see the ACM service and the workflows and limitations relevant to it, as well as some of the intricacies inherent in implementing certificates. Finally, you will go over the operational responsibilities of customers and AWS for ACM, including a diagram of the service integration between ACM and other services and examples of troubleshooting. When you are finished with this course, you'll understand how to create and use certificates in the AWS ecosystem.

About the author

Chad is an AWS Architect and certified AWS trainer. He has a 20+ year background in Unix, networking, and corporate IT, from small business to enterprise environments.

Section Introduction Transcripts

SSL Certificates and the AWS Ecosystem
Hi. I'm Chad Smith, and welcome to Managing Certificates with AWS Certificate Manager. Let's talk about SSL certificates. All kinds of companies have to deal with these as a necessity for securing their data in transit. Some companies sign their own certificates, but most rely on third-party certificate authorities. All of these organizations have to deal with certificate renewal as an operational overhead. With operational overhead comes the occasional mistake. These mistakes cost money, and sometimes can cause major outages. As you can read in the quote, these outages have a measurable impact on revenue, as well as time spent, and of course, a PR hit. In this course, we'll discuss how SSL certificates fit into the AWS ecosystem, I'll introduce the AWS Certificate Manager Service, and then I'll walk through an example domain, and the workflow of certificate creation. We'll finish up by assigning the new certificate to both a CloudFront distribution and an elastic load balancer, and cover some troubleshooting tips.

Introduction to the AWS Certificate Manager
The AWS Certificate Manager, or ACM, was introduced in January of 2016 as a means of automating and simplifying the process of provisioning and deploying SSL certificates to websites. In this module, we'll discuss why you might choose to use ACM, including the benefits of managed SSL certificates, the workflows that are part of the ACM service, which services integrate with ACM, and we'll finish with a demo where we will create a new SSL certificate using our animal rescue AWS account. When a company manages their own SSL certificates, there are certain operations and periodic maintenance that are required. Certificates must be renewed regularly, which includes a manual cut-over. These new certificates usually take some period of hours or days to be provisioned, which can delay the renewal process. By switching to ACM, all of these are handled by AWS. How does this impact Wolf Creek Dog Rescue? Well, there's no initial cost to purchase the SSL certificate the first time, there's no recurring cost for certificate renewal, there's no operational overhead that would require time spent on tasks not essential to the rescue's core mission, and for any effort involving ACM, there is a very quick turnaround yielding near immediate results.

Implementing Certificates
Now that we've covered the AWS Certificate Manager in terms of functionality and limitations, it's time to use this service to help our animal rescue secure their website. We will start with a recap of the Wolf Creek Dog Rescue architecture, then a comparison of the elastic load balancer versus CloudFront, and why our rescue might choose one over the other. The rest of this module will be two demos, where we will secure the website by implementing ACM certificates on both an ELB and a CloudFront distribution. Our proposed infrastructure includes four services. If we look from the outside in, we start with the services that have a global scope, Route 53 for DNS, and CloudFront for our content delivery. Moving inward, we reach the service with the region scope, the elastic load balancer. Finally, we have the AZ scoped service, which is the EC2 instance that hosts the web server software.

Operations and Troubleshooting
In our previous modules, we followed our animal rescue site as they implemented SSL at both the ELB and the CloudFront layers of their infrastructure. It's time to wrap up our course with a short discussion on operations and troubleshooting. We'll recap the customer versus AWS responsibilities for the operational aspects of ACM, then cover some troubleshooting questions and answers, and finish up with some take-home messages about ACM. AWS has a pretty consistent model for fully-managed services, in terms of the operational responsibility, and ACM is no different. Let's see what Wolf Creek Dog Rescue will have to manage on their end. Certificate provisioning? No. Certificate renewals and reissues? No. How about certificate rotation? No. Okay fine, what about integration with other AWS offerings? Still no. Aha! The customer is responsible for associating a created certificate with an elastic load balancer or CloudFront distribution, which makes sense from a shared responsibility security model as well.