Root Causes 77: Certificates for Public Cloud
As a convenience to customers and a competitive differentiator, public cloud services such as AWS offer publicly trusted TLS certificates for use within their own environments. Join our hosts as they explain this practice, how these certificates can be used, and which use cases and environments will not work with TLS certificates from public cloud vendors.
- Original Broadcast Date: March 23, 2020
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
So, today, we want to talk about Amazon and AWS SSL, or shall I say TLS, certificates.
-
Jason Soroko
Yeah, I guess another way of saying that is publicly trusted certificates from a public cloud, such as Amazon AWS.
-
Tim Callan
Yeah. So, a few facts about Amazon, and not everybody knows this, but Amazon actually is a public CA. Amazon is a member of the CA/Browser Forum. They are a full voting member. They follow the Baseline Requirements. They have trusted roots in all of the major root stores, in the four major root programs, and, I would say, became a public CA, you're going to test my memory here, maybe four years ago. Does that sound about right, Jason?
-
Jason Soroko
It was at some point in 2016, I believe.
-
Tim Callan
Okay. So, yeah, just about four years ago. And so, in that sense, they're an SSL provider, but they're an unusual SSL provider. And I think that's what we want to do today is explain how Amazon uses its public TLS certificates, what it does and what it doesn't do.
-
Jason Soroko
Right. If you were a public cloud provider, and we can name some of them, Microsoft Azure, Amazon AWS, Google Cloud, for example, one of those three, they're obviously in the business of monetizing their infrastructure and platform as a service systems. If you are in need of provisioning a load balancer for, say, an Amazon CloudFront-based website, something like that, you could do the same thing on Azure, you could do the same thing on Google. But let's talk about Amazon specifically here. Your origin server, wherever that thing is actually being hosted, is obviously going to need its own SSL certificate.
-
Tim Callan
Right.
-
Jason Soroko
Because the load balancer itself is going to be communicating with the origin server to gather up the content. So, you're going to get that certificate from somewhere, but the load balancer itself also needs to have its own SSL certificate provisioned.
-
Tim Callan
Right.
-
Jason Soroko
Because ultimately, that's the edge of the network that the consumer of your website, or your API, or whatever it happens to be, is going to be talking to. And so, it's going to need to have that SSL handshake, TLS handshake, and move on. So, if you're Amazon, it makes a lot of sense that you would want to have easy provisioning of an SSL certificate to that load balancer.
-
Tim Callan
Right?
-
Jason Soroko
Notice that I didn't talk much about anything other than that. I didn't talk about, hey, I'm a person who is hosting a web server somewhere in the world and I happen to need a publicly trusted certificate, so I'm going to go get it from Amazon.
-
Tim Callan
Right.
-
Jason Soroko
That's really not it. Unless your resources are tied directly to Amazon's infrastructure, they're really not in the business of provisioning publicly trusted certificates to you, and they're definitely not in the business of provisioning OV and EV certificates, which is a whole other topic. These are just DV certificates for a very specific purpose.
-
Tim Callan
Yeah. And if you think about it, this actually makes great sense. If you look at the incredible pitched war that is the war for the public cloud market among the three big providers in that space, there is a lot of money at stake, and these guys are going to great lengths to find ways to differentiate from their competitors. One of the challenges you have if you're offering public cloud services is the commoditization of the service, right? Whatever advantage you have, the other guy just comes out with it, too, and you're right back to a level playing field again. And so, this is a tooling advantage, if you will. This is a functionality advantage for Amazon, in that they can allow the rapid, easy, automated provisioning of certificates under these circumstances. And basically, it speeds your time to deployment; it reduces your administrative overhead; it does all of these other things that make it better for you as a user of this particular service for your loads, right, and that's really the motivator. That's what they're trying to accomplish.
-
Jason Soroko
That's correct, Tim, because if you're hosting a website especially, Amazon doesn't want people to go off and hire competitor services, right? Cloudflare, for example, as a CDN. They want you to stick with an Amazon load balancer and use that service. And Cloudflare itself does a very similar thing, which is, you can host your website and then you can provide it via their content delivery network, their CDN. So, your origin server needs an SSL certificate. And also, once you're provisioned into Cloudflare's service, they will provision you an SSL certificate as well through Cloudflare. So, in other words, as a public CA, at Sectigo, sometimes we might be asked the question, hey, is Amazon competing with you in SSL?
-
Tim Callan
Yeah.
-
Jason Soroko
Is Google competing with you in SSL? Is Azure competing? The answer really is no. They're competing with Cloudflare. They're competing with the other big CDNs.
-
Tim Callan
And each other.
-
Jason Soroko
And it's that whole ecosystem of, hey, there's this middle layer of content delivery on the internet, which is why we're able to have websites come up so quickly, right? That's a great thing. Those things all need their own SSL certificate. And those guys, in order to stay competitive, have their own publicly trusted CA in order to be able to provision those load balancing services.
-
Tim Callan
Yeah. And so, to hark back to what I said at the beginning, these do still have to be public certs, right? They have to chain to publicly trusted roots because of what they're ultimately doing. And so, these guys do have certain things they have to do where they look like a classic CA, like they have to follow the Baseline Requirements, like they have to follow root program requirements. And so, they do that, because they're smart, and they absolutely need their certificates to validate correctly. But it's to a different end, is the point.
-
Jason Soroko
Here's an interesting point, Tim. You live in the publicly trusted world and have so much experience, so you could probably talk about this better than I can, but if you ask Amazon to provision an SSL certificate to you, they don't actually give you the certificate. They keep it within their own key management system, and then, within their platform as a service, within their infrastructure as a service system, their system can internally consume that certificate for needs like load balancers.
-
Tim Callan
Right. Because it's for use on a machine that they own.
-
Jason Soroko
Exactly correct. So, you're subscribed to their services, but let's say I could, technically, right now, go to Amazon AWS and request a certificate for a domain that I might have just bought off of GoDaddy, or one of the other hosts.
-
Tim Callan
Or anyone. Yeah.
-
Jason Soroko
And they will actually issue that certificate internally to their systems, if you can do a domain validation. But you cannot download the certificate or, more specifically, you cannot possess the private key.
-
Tim Callan
So, I can't order a cert, get a file and put it on my server. All of that stuff is just not a capability they're interested in providing, because it doesn't advance their ultimate agenda of making their cloud service best of breed.
-
Jason Soroko
Correct. If that's what you need, you go to a Sectigo. That's what you need to do. You need to go to one of the big, trusted third-party CAs.
-
Tim Callan
So that's good. That's a good exercise and explanation of something that maybe not everybody would understand.
-
Jason Soroko
Yeah, Tim, Google has a root. Amazon has a root. And it's for the very specific purpose of helping them to monetize their platform, their public cloud platform services, to make life easy for their customers.
-
Tim Callan
Great. Perfect.
-
Jason Soroko
So that's the main reason, and they are not in direct competition with the other big public CAs.
-
Tim Callan
Yeah. They are not a "classic CA" is really what it comes down to. So that's great. I think that's a good thing to explain. Any last thoughts on this, Jay?
-
Jason Soroko
No, Tim. That's about it. Thank you.
-
Tim Callan
All right. Thanks a lot. And thank you, people. This has been Root Causes.