To make this easier, AWS has introduced three new features that let you:
- Automate the steps to validate your domain with DNS validation and issue your public certificate.
- Use AWS CloudFormation templates to issue private certificates using AWS Certificate Manager (ACM).
- Disable certificate transparency logging if you don’t want your certificates automatically logged in a public certificate transparency log.
In this post, I explain how you can use the new features in AWS CloudFormation. I also provide sample scripts to help you build on the new features.
Automate issuing a public DNS validated certificate
Before the ACM Private Certificate Authority (CA) can issue a certificate for your site, ACM must verify that you own or control all of the domain names that you specified in your request. You can choose either email validation or DNS validation when you request a certificate.
Previously, when you requested DNS validation, you had to manually add the requested CNAME validation record to the hosted zone in Amazon Route53.
Note: ACM uses canonical name (CNAME) records to validate that you own or control a domain.
The new release enables AWS CloudFormation to validate your public certificate using DNS when the AWS CloudFormation stack is run from the same account the route 53 domain was created in. To enable this feature, you need to reference your HostedZoneId to create the required CNAME record for validation.
Below is a snippet of an AWS CloudFormation template for ACM that references the HostedZoneId.
When you deploy this resource in AWS CloudFormation, you’ll see the required CNAME record issued by ACM. AWS CloudFormation will use this information to update the hosted zone based on the HostedZoneId you provided. The following figure shows the CNAME listed in the Status reason of the Events list.
Now you can automate using ACM to issue public certificates and include that as part of your overall stack.
Automate private certificate creation
You can now use ACM CloudFormation templates to automate the issuance of your private certificate.
Please note that you need an ACM private certificate authority to be able to issue a private certificate. Create a Private Certificate Authority has the information you need to create one.
Disable certificate transparency
Certificate transparency is an open framework that monitors and audits SSL/TLS certificates. The standard creates a system of public logs that will eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.
Every certificate transparency log is a record of all publicly trusted digital certificates unless you specifically disable certificate transparency at creation. Those certificates contain information about the public key, the subject, and the issuer.
Certificate transparency logs keep append-only cryptographically-secured records of certificates, meaning that certificates can only be added to the log. It’s impossible to delete, modify, or in any way retroactively change or insert certificates into the log.
You can include disabling the certificate transparency logs as part of your AWS CloudFormation template. You need to add the CertificateTransparencyLoggingPreference parameter and set it to DISABLED.
Note: There are two allowed values: ENABLED and DISABLED.
Below is a snippet of an AWS CloudFormation template that includes the CertificateTransparencyLoggingPreference parameter.
By using the new features to automate the issuance of your public and private certificates and setting the certificate transparency to disabled, you can now include ACM Private Certificate Authority (CA) as part of your end-to-end automated infrastructure-as-code.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, start a new thread on the AWS Certificate Manager forum or contact AWS Support.
Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.