TLS and Certificates on AWS
TLS (often still called SSL) encrypts data in transit and proves server identity via X.509 certificates. On AWS, AWS Certificate Manager (ACM) is the default way to issue and deploy public certificates for many services.
This page is a hub for lifecycle, attachment points, and rotation — with pointers to CloudFront, API Gateway, Azure security (Key Vault), and Kubernetes operators (cert-manager).
For HTTP semantics and TLS termination patterns, see HTTP for Operators.
Certificate Lifecycle (Operator View)
| Phase | What you do |
|---|---|
| Request | Ask ACM (or import) for a cert for names (CN/SAN), e.g. api.example.com, *.example.com. |
| Validate | Prove domain control — DNS validation (recommended) or email. |
| Deploy | Associate the ACM cert ARN with ALB/NLB, CloudFront, API Gateway, etc. |
| Monitor | Expiry (ACM renews managed public certs automatically when validated); alarms on hand-imported certs. |
| Rotate | ACM handles renewal for issued certs; imported certs need your own process. |
Private keys for ACM-integrated certs stay in ACM; you do not extract them to disk on EC2 (use ACM on EC2 integrations or nginx with IAM-based patterns only where supported — often you terminate TLS at the load balancer instead).
ACM Public Certificates
- Free for use with integrated AWS services.
- Auto-renewal if DNS validation remains valid.
- Regional — an ACM cert lives in one region; CloudFront and other global edge use require the cert to be created in us-east-1 (CloudFront requirement).
```bash
# Request certificate (DNS validation)
aws acm request-certificate \
  --domain-name api.example.com \
  --validation-method DNS \
  --subject-alternative-names www.example.com
```

Complete DNS validation by creating the CNAME records ACM shows in the console or CLI. Then attach the certificate ARN to your resource.
Where Certificates Attach
| Service | Notes |
|---|---|
| Application Load Balancer | Listener HTTPS uses an ACM cert in the same region as the ALB. |
| Network Load Balancer | TLS termination on NLB can use ACM certs (feature set varies by use case). |
| CloudFront | Cert must be in us-east-1. See CloudFront HTTPS and Certificates. |
| API Gateway | Custom domains use ACM; see API Gateway custom domain setup. |
| Elastic Beanstalk / API custom domains | Typically front with CloudFront or ALB + ACM. |
Internal-only services often use private CA (ACM PCA) or corporate PKI; clients must trust that CA.
Private CA (ACM PCA) — High Level
AWS Private Certificate Authority issues certificates for private PKI (mesh, mTLS inside a VPC, device auth). You pay for the CA and for certificates issued.
It integrates with services that expect private trust stores. Operating a private CA implies CRL/OCSP, trust distribution, and rotation policy — treat it as a platform decision, not a one-click add-on.
Rotation and Monitoring
- ACM-managed public certs — Renewal is automatic if validation stays valid; fix DNS before expiry if the validation records changed.
- Imported certs — You must re-import or replace them yourself; monitor the DaysToExpiry CloudWatch metric (or an equivalent exporter) and alarm on it.
- Application change — Updating a listener to a new cert ARN is usually hitless if you add the new cert before removing the old (depending on service).
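The expiry and renewal checks above, as an added example (not code from the original page): it walks the `Certificate` objects that `aws acm describe-certificate` returns and decides, per cert, whether ACM will renew it, DNS validation needs fixing, or a re-import is due. The input is a constructed sample with made-up ARNs and dates; the field names (`Type`, `RenewalEligibility`, `NotAfter`, `InUseBy`) follow the ACM API.

```python
from datetime import datetime, timezone

# Reference "now" for the sample; in production use datetime.now(timezone.utc).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed sample, trimmed to the fields the check needs (ARNs and dates are made up).
SAMPLE_CERTS = [
    {   # managed public cert whose validation CNAME is still in place
        "CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/aaaa",
        "DomainName": "api.example.com", "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "ELIGIBLE", "NotAfter": "2025-07-11T00:00:00+00:00",
        "InUseBy": ["arn:aws:elasticloadbalancing:eu-west-1:111111111111:loadbalancer/app/api/x"],
    },
    {   # managed cert whose validation CNAME was deleted: ACM cannot renew it
        "CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/bbbb",
        "DomainName": "www.example.com", "Type": "AMAZON_ISSUED",
        "RenewalEligibility": "INELIGIBLE", "NotAfter": "2025-06-26T00:00:00+00:00",
        "InUseBy": [],
    },
    {   # imported cert: nobody renews this except you
        "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/cccc",
        "DomainName": "legacy.example.com", "Type": "IMPORTED",
        "RenewalEligibility": "INELIGIBLE", "NotAfter": "2025-06-11T00:00:00+00:00",
        "InUseBy": ["arn:aws:cloudfront::111111111111:distribution/E1"],
    },
]

def assess_certificate(cert, now=NOW, warn_days=45):
    """Return (days_to_expiry, action) for one describe-certificate record.

    action is one of: "ok", "auto-renew", "fix-dns", "reimport".
    """
    not_after = datetime.fromisoformat(cert["NotAfter"])
    days = (not_after - now).days
    if days > warn_days:
        return days, "ok"
    if cert["Type"] == "IMPORTED":
        return days, "reimport"            # ACM never renews imported material
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        return days, "fix-dns"             # validation broke; renewal will fail
    return days, "auto-renew"              # ACM handles it; nothing to do

def certificates_needing_action(certs, now=NOW, warn_days=45):
    """(arn, days, action, in_use) for certs a human must act on, soonest first."""
    findings = []
    for c in certs:
        days, action = assess_certificate(c, now, warn_days)
        if action in ("reimport", "fix-dns"):
            findings.append((c["CertificateArn"], days, action, bool(c.get("InUseBy"))))
    return sorted(findings, key=lambda f: f[1])
```

Feed it the real output of `aws acm list-certificates` plus `describe-certificate` per ARN; certs with an empty `InUseBy` are candidates for deletion rather than renewal.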
Mutual TLS (mTLS)
Some APIs and service meshes require client certificates. API Gateway and ALB support mTLS in supported configurations; implementation details change with AWS releases.
Conceptually: server presents its cert; client presents another cert signed by a trusted CA; both sides verify chains.
On Azure, similar ideas appear in API Management client certificates. For Kubernetes ingress mTLS, operators often use cert-manager plus Ingress Controllers.
Also Read (Other Platforms)
| Topic | Link |
|---|---|
| Azure Key Vault certificates and App Gateway TLS | Azure security |
| CDN HTTPS and ACM region | CloudFront |
| cert-manager, external issuers | Kubernetes operators |
| Ingress TLS and secrets | Kubernetes networking |
Summary
- Use ACM for public TLS on AWS-managed endpoints; remember CloudFront + us-east-1.
- Security groups protect the network path; TLS protects bytes on the wire — both matter.
- PKI is lifecycle + trust + rotation; centralize monitoring for any imported or private CA material.