AWS Certificate Manager
Tuesday, July 22, 2025 | Richard Harris
Organizations can now simplify certificate management and improve security: with AWS Certificate Manager, they can deploy exportable public certificates across AWS, hybrid, or on-premises workloads without complex contracts or manual renewals.
Amazon Web Services (AWS) recently announced the launch of exportable public certificates through AWS Certificate Manager (ACM), empowering customers to secure any workload, inside or outside of AWS, with ease. This new capability allows organizations to issue public Transport Layer Security (TLS) certificates and access the associated private keys, enabling secure TLS termination across a broad range of environments, including Amazon EC2 instances, containers, and on-premises hosts.
Previously, ACM-issued public certificates were restricted to integrated AWS services such as Amazon CloudFront. With the new exportable option, customers can now mark certificates for use beyond AWS-integrated services during the request process. Once domain validation is complete, certificates can be procured within seconds, providing fast, secure, and affordable access to public certificates for AWS, hybrid, or multicloud workloads.
[Image: AWS Certificate Manager introduces exportable public certificates for use across any workload]
Exportable public certificates from ACM are valid for 395 days and are priced at $15 per fully qualified domain name (FQDN) and $149 per wildcard name. Customers benefit from simple, one-time pricing with no bulk issuance contracts required. Additionally, administrators can monitor and automate certificate usage through ACM’s lifecycle CloudWatch events.
AWS places security at the forefront of all services. To maintain high standards, export functionality is limited to newly issued certificates; existing public certificates remain non-exportable. Administrators can enforce granular permissions through IAM policies, specifying which roles and users are authorized to request exportable certificates.
The new feature is now available in all AWS regions, including AWS GovCloud (US) and China Regions.
Key benefits of ACM exportable public certificates:
- Centralized Management: Simplify certificate management across all environments through ACM.
- Fast Issuance: Obtain certificates rapidly after domain validation.
- Automated Renewals: Benefit from automatic renewals, with notifications provided via Amazon EventBridge.
- Cost-Effective Pricing: Pay only for certificates created, with no ongoing contracts.
- Flexible Deployment: Deploy certificates on any server or application supporting standard SSL/TLS.
How it works:
- Request an exportable certificate through ACM for the chosen domain.
- Validate domain ownership via DNS or email.
- Export the certificate, private key, and certificate chain.
- Deploy to the desired server or application.
- Allow ACM to manage renewals and receive automated notifications when renewed certificates are ready.
Security best practices:
AWS advises customers to implement secure storage and access controls for exported private keys, use ACM’s revocation features if compromise is suspected, and follow key rotation procedures when deploying renewed certificates. The exportable certificate feature is available across all supported AWS regions. Additional charges apply for exportable public SSL/TLS certificates.