AWS Certificates vs. Public CA Certificates
Today's modern enterprises must secure the data and applications they run and host in the cloud on Amazon Web Services (AWS). Digital certificates based on public key infrastructure (PKI), such as SSL/TLS certificates and code signing certificates, are the gold standard for authenticating and encrypting data and applications in the cloud. But organizations that use AWS have a choice of certificate authorities (CAs) that can issue those certificates. This article helps you understand the differences between public CA certificates and those provided by Amazon.
What Is a Certificate Authority?
A certificate authority (CA) is an organization that issues digital certificates used to authenticate and encrypt data, devices, and applications with PKI. CAs are what make public key cryptography usable at scale. They act as trusted authorities, vouching for (and publishing) the public keys that correspond to their holders' private keys. This lets a sender be sure that the public key it is using really belongs to the intended recipient, the holder of the matching private key. Without that binding, someone could substitute their own key, commandeer the transmitted information, and use any sensitive data found in it.
CAs only issue certificates for specific domains whose owners have submitted a certificate signing request (CSR). A CSR is sent to a registration authority and contains the public key, identifying information, and a signature made with the corresponding private key, which proves the requester holds that key. The identifying information is usually the organization, organizational unit, country, state, locality, and common name. The common name is typically the domain name or IP address of the server.
When a domain presents a certificate issued by a certificate authority that a modern browser, such as Google Chrome, Mozilla Firefox, or Microsoft Edge, recognizes as trusted, the browser treats the connection as authenticated and shows it as secure.
Trusted public certificate authorities, like Sectigo, are compliant members of the Certificate Authority/Browser Forum, which exists solely to set the rules for issuing certificates. The CA/Browser Forum is a self-policing regulatory group for CAs, and it is responsible for creating and updating the rules behind certificate use, issuance, and expiration.
Public certificate authorities issue millions of certificates every year. These certificates are used for a variety of functions including protecting secure communications via SSL/TLS, digital signatures, code signing certificates, and S/MIME email certificates.
SSL/TLS certificates specifically allow modern web browsers to establish encrypted SSL/TLS connections with web servers by letting those servers properly identify themselves. These certificates are used within a public key infrastructure (PKI). A PKI gives two parties a way to establish each other's identity, provided they both trust the certificate authority involved.
Public Versus Private Certificate Authorities
As previously mentioned, publicly trusted certificate authorities are independent entities that have been designated as trusted by the major web browsers and that follow the certificate standards and guidelines set by the CA/Browser Forum. Publicly trusted CAs perform several steps before issuing a certificate, including validating the information provided in the CSR, chiefly the DNS information. Each public CA signs the certificates it issues with its own cryptographic keys, and the corresponding root and intermediate certificates are already present in browser and operating system trust stores. A certificate signed by one of those keys is therefore trusted immediately, and communication with the endpoint can be secured without any further setup. Public certificates are most often used to secure endpoints that communicate with users and are generally not used for internal or testing environments.
Private and public certificate authorities have many similarities. They have similar infrastructures and perform similar duties. However, while a public certificate authority issues certificates for entities on the Internet at large, private certificate authorities issue certificates only for private networks. The certificates a private CA issues and validates are trusted within the organization's own internal PKI rather than by a trusted third party. They are usually limited to the scope of the organization that owns the network, often a large organization or entity.
Public certificate authorities issue certificates that are immediately recognized and trusted by browsers and applications. This is not the case with digital certificates issued by private CAs. Instead, an administrator must explicitly configure every system that will encounter the certificate, typically by installing the private CA's root certificate in its trust store, before that system will recognize and validate it.
Additionally, public CAs are required to follow stringent requirements, comply with vendor-imposed security standards, and reach certain levels of transparency. If they do not, they risk losing their trusted status and, with it, the ability for their certificates to be instantly validated. These restrictions are not imposed on private CAs. Rather, their administrators can create their own rules for issuing certificates, including what information is required in a CSR and represented in a certificate.
Is AWS a CA?
Amazon Web Services (AWS) is a private, commercial CA. As it is not a member of the CA/Browser Forum, it is not currently considered a trusted public certificate authority. AWS customers can deploy AWS Certificate Manager (ACM) certificates to various AWS services, including AWS Elastic Load Balancing, Amazon CloudFront, Amazon API Gateway, Amazon EC2 instances, and other integrated services managed through the AWS Management Console. Using ACM, you can provision and manage both public and private certificates of certain types.
When deploying certificates from private, commercial CAs like ACM, it is important to investigate the issuer thoroughly, because significant changes will need to be made to your environment before it properly accepts any private certificates. Additionally, an administrator must explicitly configure applications to trust newly issued certificates. One crucial step is uploading the certificate files to AWS Identity and Access Management (IAM).
Does AWS Provide SSL Certificates?
AWS Certificate Manager (ACM) can provision, store, and renew both public and private SSL/TLS certificates that comply with the X.509 standard. These certificates can be used with any AWS service that ACM is integrated with. ACM automates the renewal and replacement of expiring ACM certificates. Some things to note about AWS server certificates:
- ACM does not provide extended validation certificates or organization validation certificates, only domain validation certificates
- ACM only provides certificates for the SSL/TLS protocols
- ACM cannot be used for email encryption
An ACM certificate is any digital certificate for an integrated AWS service that has been issued directly by AWS Certificate Manager (ACM). You can also import third-party certificates into ACM. Additionally, you can create a public key infrastructure within AWS, allowing you to issue internal private certificates. AWS customers can use ACM to request and deploy certificates on several different AWS resources, including APIs built with API Gateway, Amazon CloudFront distributions, and Elastic Load Balancers.
Do Public CA Certificates Work on AWS?
Certificates from a public CA, like Sectigo, can be deployed to AWS services either through ACM or through the CA's own certificate management platform, such as Sectigo Certificate Manager.
It is worth noting that ACM certificates issued by Amazon are domain validated only. By contrast, SSL/TLS certificates issued by publicly trusted CAs are offered with three levels of validation.
- Domain Validation (DV): The CA verifies whether the applicant has rights to the specific domain name (typically through email verification). No additional information is vetted, and DV certificates can be issued within minutes.
- Organization Validation (OV): The CA not only verifies that the applicant has rights to the specific domain name but also conducts additional investigations of the applicant's organization on a basic level. This information is displayed on the certificate for enhanced trust from the site's end users.
- Extended Validation (EV): The CA verifies the business's legal existence and ownership, and the applicant must supply acceptable documentation of the company and its ownership. Beyond confirming that the applicant has rights to the specific domain, a thorough investigation of the company is carried out and the resulting information is displayed on the certificate. Further, a secure padlock is displayed in the browser's address bar, so the user gets extra assurance that the website is safe to visit.
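The validation levels above can be read off a certificate's subject (an OV or EV certificate carries the vetted organization's identity; a DV certificate carries only the domain name), and the same inventory pass can catch the two other risks this article raises, private issuers that browsers will not trust and expiring certificates. The following is an added example, not code from the article or from Sectigo or AWS; it works on the nested-tuple layout Python's `ssl.SSLSocket.getpeercert()` returns, uses constructed sample certificates and a constructed "publicly trusted issuers" list, and treats the presence of `businessCategory` as the EV marker (EV certificates must carry it, OV certificates do not).

```python
import ssl

# Constructed issuer names treated as publicly trusted for this inventory check only;
# real trust comes from the TLS stack's chain validation against its root store.
TRUSTED_PUBLIC_ISSUERS = {"Example Public CA"}

def rdns(**attrs):  # build getpeercert()'s ((('key', 'value'),), ...) shape
    return tuple(((k, v),) for k, v in attrs.items())

# Constructed samples, not real certificates, in ssl.SSLSocket.getpeercert() shape.
SAMPLE_CERTS = {
    "shop.example.test": {  # DV: subject carries only the domain name
        "subject": rdns(commonName="shop.example.test"),
        "issuer": rdns(organizationName="Example Public CA"),
        "notAfter": "Jun 20 00:00:00 2025 GMT"},
    "api.example.test": {  # OV: the vetted organisation appears in the subject
        "subject": rdns(organizationName="Example Corp", commonName="api.example.test"),
        "issuer": rdns(organizationName="Example Public CA"),
        "notAfter": "Jun  1 00:00:00 2027 GMT"},
    "bank.example.test": {  # EV: business identity fields in the subject
        "subject": rdns(businessCategory="Private Organization", serialNumber="12345",
                        organizationName="Example Corp", commonName="bank.example.test"),
        "issuer": rdns(organizationName="Example Public CA"),
        "notAfter": "Jun  1 00:00:00 2027 GMT"},
    "intranet.corp.internal": {  # issued by a private CA and already expired
        "subject": rdns(commonName="intranet.corp.internal"),
        "issuer": rdns(organizationName="Corp Private CA"),
        "notAfter": "May 20 00:00:00 2025 GMT"},
}

def rdn_to_dict(rdn_sequence):
    return {k: v for rdn in rdn_sequence for k, v in rdn}

def validation_level(cert):
    """EV carries businessCategory (and serialNumber), OV organizationName, DV the name only."""
    subject = rdn_to_dict(cert["subject"])
    if "businessCategory" in subject:
        return "EV"
    return "OV" if "organizationName" in subject else "DV"

def audit(certs, now_ts, warn_days=30):
    """One row per host: level, issuer, trust policy, days left, renewal action."""
    report = {}
    for host, cert in certs.items():
        issuer = rdn_to_dict(cert["issuer"]).get("organizationName", "?")
        # ssl.cert_time_to_seconds parses the notAfter string; negative days = expired
        days = (ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400
        report[host] = {"level": validation_level(cert), "issuer": issuer,
                        "public_issuer": issuer in TRUSTED_PUBLIC_ISSUERS, "days_left": days,
                        "action": "RENEW NOW" if days < warn_days else "ok"}
    return report
```

Run `audit(SAMPLE_CERTS, int(time.time()))` against certificates collected from live endpoints with `getpeercert()` to get the same report for a real inventory.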
Why Automate Certificate Management in AWS?
Manually deploying and managing certificates in AWS environments, on top of any non-cloud environments, is time-consuming and can introduce unnecessary risk. Whether an enterprise deploys a single SSL certificate for a web server hosted on AWS or manages millions of certificates across all its networked devices and user identities, the end-to-end process of certificate issuance, configuration, and deployment can take hours.
Manually managing certificates also puts enterprises at significant risk of neglected certificates expiring unexpectedly and of exposure to gaps in ownership — dropped balls that can result in sudden outages, critical business systems failures, and security breaches and attacks.
Customers and internal users rely on critical business systems hosted in the cloud to always be available. But in recent years, expired certificates have resulted in many high-profile website and services outages. The result has been billions of dollars in lost revenue, contract penalties, lawsuits, and the incalculable cost of tarnished brand reputations and lost customer goodwill.
How To Automate Certificate Management in AWS
With the above-noted pitfalls and financial ramifications inherent in managing PKI certificates manually, the return on investment for automated digital identity management is clear for CIOs and CSOs to see. Organizations need an automated solution that ensures certificates are correctly configured and implemented without human intervention in both AWS and their entire IT ecosystem. Automation helps reduce risk, but also aids IT departments in controlling operational costs and streamlining time-to-market for products and services.
Recently, PKI has evolved to become even more versatile. Interoperability, high uptime, and governance are still key benefits. But today’s PKI solutions are also functionally capable of improving administration and certificate lifecycle management through:
- Automation: Completing individual tasks while minimizing manual processes.
- Coordination: Using automation to manage a broad portfolio of tasks.
- Scalability: Managing certificates numbering in the hundreds, thousands, or even millions.
- Crypto-agility: Updating cryptographic strength, and revoking and replacing at-risk certificates with quantum-safe certificates, rapidly in response to new or changing threats.
- Visibility: Viewing certificate status with a single pane of glass across all use cases.
While ACM provides some measure of automation, given the disparate systems, applications, and devices that use digital certificates, IT teams often find themselves managing different automation services from multiple vendors. This typically results in a reduction in efficiency. In contrast, a single certificate management dashboard that automates discovery, deployment, and lifecycle management across all use cases and vendor platforms delivers the efficiency that automation promises. And IT teams still maintain control of configuration definitions and rules so that automation steps are performed correctly.
Sectigo provides certificate management automation solutions that enable enterprises to be agile, efficient, and in full control of all the certificates in their environment. Sectigo supports automated installation, revocation, and renewal of SSL/TLS and non-SSL certificates via industry-leading protocols, APIs, and third-party integrations. And Sectigo eliminates the problem of certificate volume caps that can occur with open-source alternatives.
In sum, Sectigo’s automation solutions enable your security team to easily:
- Enforce cryptographic security policies
- Protect communications
- Prevent personal data loss via unauthorized access
- Future-proof systems, applications, and devices across the enterprise
To learn more about how you can automate issuance and management of digital certificates in AWS and across your entire IT ecosystem, check out Sectigo Certificate Manager.