What is AWS Certificate Manager?
ACM is a certificate management service that lets users easily manage SSL/TLS certificates for their web applications and cloud services. It is designed to simplify acquiring, renewing and managing certificates, and it supports custom-domain certificates as well as wildcard and multi-domain certificates. ACM also automates domain ownership validation, using either email or DNS validation.
ACM can be integrated with an Amazon Private Certificate Authority to cover the needs of internal applications. This feature allows users to create, manage and use their own private certificate authorities.
Public certificates, on the other hand, are issued by an AWS public Certificate Authority: Amazon Trust Services.
AWS Certificate Manager Features
ACM provides a set of basic and useful features that can be summarized as:
Centralized certificate management
AWS Certificate Manager simplifies the issuance of SSL/TLS certificates and centralizes their management through several interfaces:
- AWS Management Console: Amazon's graphical interface that exposes the ACM service.
- AWS CLI: a command line interface (CLI) to manipulate ACM.
- ACM API: a set of software development kits (SDK) supporting several technologies (Python, C++, Java, JavaScript, Go, PHP, Ruby, etc.) that provide the option to use ACM via API calls.
Secure key management
ACM protects the private keys generated for SSL/TLS certificates, applying best practices for encryption and cryptographic key management. The AWS Key Management Service (KMS) is used in this process of protecting private keys.
Integration with AWS services
ACM supports integration with other AWS services, such as Elastic Load Balancing and Amazon CloudFront, to make it easier to implement certificates on distributed applications. ACM users can obtain their certificate through an access interface and automate its deployment on an application or service.
Import of external certificates
Certificates from sources other than AWS Certificate Manager, whether private or public, can be imported into the certificate inventory for the purpose of managing and deploying them to AWS services.
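The DNS validation, API access and certificate-import features described above, as an added example that is not the post's or AWS's own code: it parses a DescribeCertificate response (field names as in the ACM API) to list the validation CNAME records still to be created and to flag certificates that are expiring, imported (so not auto-renewed) or not attached to any AWS resource. The ARN, domain names and record values in the sample are constructed.

```python
# Added example (not the post's or AWS's own code). Inspects an ACM
# DescribeCertificate response; the live API call is isolated in
# fetch_certificate() so the checks can run offline on the constructed sample.
from datetime import datetime, timedelta, timezone

def fetch_certificate(certificate_arn: str) -> dict:
    """Live lookup via the ACM API (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the offline checks work without it
    return boto3.client("acm").describe_certificate(CertificateArn=certificate_arn)

def pending_dns_records(response: dict) -> list:
    """CNAME records that must exist before ACM validates the domain."""
    records = []
    for opt in response["Certificate"].get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") == "DNS" and opt.get("ValidationStatus") != "SUCCESS":
            rr = opt.get("ResourceRecord", {})
            records.append({"domain": opt["DomainName"], "name": rr.get("Name"),
                            "type": rr.get("Type"), "value": rr.get("Value")})
    return records

def findings(response: dict, now: datetime, days: int = 30) -> list:
    """Checks a certificate inventory should surface for one certificate."""
    cert = response["Certificate"]
    out = []
    if cert["Status"] != "ISSUED":
        out.append(f"status is {cert['Status']}")
    not_after = cert.get("NotAfter")  # only present once the certificate is issued
    if not_after and not_after - now < timedelta(days=days):
        out.append(f"expires within {days} days ({not_after:%Y-%m-%d})")
    if cert.get("Type") == "IMPORTED":
        out.append("imported certificate: ACM does not renew it automatically")
    if not cert.get("InUseBy"):
        out.append("not attached to any AWS resource")
    return out

# Constructed sample shaped like a DescribeCertificate response (not real data).
SAMPLE = {"Certificate": {
    "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/EXAMPLE-ID",
    "DomainName": "www.example.com", "Status": "PENDING_VALIDATION",
    "Type": "AMAZON_ISSUED", "InUseBy": [],
    "DomainValidationOptions": [{
        "DomainName": "www.example.com", "ValidationMethod": "DNS",
        "ValidationStatus": "PENDING_VALIDATION",
        "ResourceRecord": {"Name": "_c3.www.example.com.", "Type": "CNAME",
                           "Value": "_d4.acm-validations.aws."}}]}}
```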
The following diagram illustrates the basic functionality of the AWS Certificate Manager:
Benefits of using SSL/TLS certificates
SSL/TLS certificates are essential to secure communications over the Internet. They encrypt data transmitted between a user and a website, protecting sensitive information from several types of cyber attacks. They ensure the confidentiality and integrity of transmitted data, which is essential for organizations that handle sensitive information such as payment information or personal data.
ACM supports this by enabling users to easily purchase, renew and manage SSL/TLS certificates for their web applications hosted on AWS.
Why combine ACM with BerryCert?
Using AWS Certificate Manager (ACM) is essential to ensure that connections to your AWS resources are secure. However, ACM only covers AWS resources.
If your organization uses other PKIs or runs services outside of AWS that require digital certificates, those certificates will need to be managed separately. This is where a CLM (Certificate Lifecycle Management) solution, such as BerryCert, becomes essential.
BerryCert is a solution for the automated management of digital certificates. It offers many features to centralize the management of all certificates from several sources: network scans, scans of your file system, scans of your internal applications (Apache, Nginx, IIS, etc.).
BerryCert also offers integration with a set of PKIs: Microsoft ADCS, OpenTrust, EJBCACE, EJBCA, DigiCert, Nexus Smart ID Certificate Manager, etc. BerryCert is also able to automate the issuance, renewal and deployment of certificates on a resource.
Combining ACM with a digital certificate management tool is the best solution to ensure the security of all your assets, whether they are on AWS or elsewhere.