
The Essential Guide to Public SSL Certificates in AWS: A Recipe for Secure and Trusted Web Applications Part 3

In this comprehensive blog series, we embark on a journey through the intricate landscape of domain management and SSL certificate integration within the AWS ecosystem.

In Part 1, we start from scratch, walking you through setting up your domain in AWS using Route 53. We've got step-by-step instructions and handy screenshots to make sure you're on track.

Once your domain is up and running, Part 2 shows you how to get your SSL certificates sorted. We'll cover creating and validating certificates for CloudFront and ALBs in two different AWS regions.

In the final stretch, Part 3, we take the setup to the next level with Infrastructure as Code (IaC): you deploy a web server that uses the certificates from Part 2, then learn how to update certificates on the deployed resources from the AWS console. We close with the cleanup of the infrastructure set up in Parts 1 to 3, an essential step that removes unused resources and keeps your AWS environment lean and cost-effective. Across the three parts, from domain registration to certificate integration, you will end up with a complete picture of managing domains and securing them with SSL certificates in AWS.

PART 3

Certificate Handling in Code and Console

In Part 3 of our blog series we bridge the gap between theory and practice with the hands-on integration of SSL/TLS certificates into your AWS infrastructure. Building on Parts 1 and 2, where we covered domain registration and certificate acquisition, we use both Infrastructure as Code (IaC) and the AWS Management Console to attach those certificates to an Application Load Balancer (ALB) and to a CloudFront distribution (a Content Delivery Network, CDN).

Note: Part 1 and Part 2 are mandatory for the next steps as we will be deploying infrastructure using the certificates set up in those parts.

Let's have a look at some test infrastructure and have you deploy it.

Solution overview

Below you will see a diagram of the infrastructure and the location of each service. Starting from the left, a user's HTTPS request (port 443) is resolved by Route 53, the AWS DNS service, to the nearest CloudFront (CDN) edge location; CloudFront is a global service, which is why its certificate has to live in N. Virginia. The browser's TLS session terminates at that edge: CloudFront presents the CDN certificate, decrypts the request and serves cached content directly. Uncached requests are forwarded over a second, separate TLS connection to the Application Load Balancer (ALB) in the public subnets of your region. On that hop CloudFront is the client and the ALB is the server, so it is the ALB certificate that CloudFront validates: it must be issued by a CA that CloudFront trusts and must cover the hostname CloudFront uses to reach the origin. The ALB decrypts the request, evaluates its listener rules and forwards it to a healthy EC2 instance in the private subnet (the target group's protocol decides whether that internal hop is HTTP or HTTPS). The instance's response travels back the same way, re-encrypted by the ALB towards CloudFront and by CloudFront towards the user on the original session, so traffic is encrypted on every hop that crosses the public internet.

A YAML file defining the Infrastructure as Code (IaC) is provided. The file is an AWS CloudFormation (the AWS IaC service) template:

WebInfrastructure.yml: defines all the resources required for this certificate test. It sets up a basic web infrastructure including a domain record, a CloudFront distribution, an ALB and an EC2 instance with an EBS volume. This infrastructure is then protected by the certificates we created for the distribution and the ALB. On inspection of this file, take notice of the following parameters:

  • CDNCertificateARN: the CloudFront certificate from the N. Virginia (us-east-1) region. It is referenced by the CloudFront resource called “CloudFrontDistribution”, in the “AcmCertificateArn” field of its ViewerCertificate block; that field is what attaches a certificate to a distribution via CloudFormation (code). CloudFront is a global service and only reads certificates stored in us-east-1, whatever region the stack itself is deployed to.
  • ALBCertificateARN: attaches an SSL/TLS certificate to the Application Load Balancer (ALB). It is used in the HttpsListener resource, specifically in the “CertificateArn” field. The certificate must exist in the same region as the ALB, because ACM certificates are regional and a listener cannot reference one from another region.
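The two region rules above are the most common reason this stack fails to create. As an added example (not part of the original post or of WebInfrastructure.yml), the following Python pre-check parses the two certificate ARNs the way CloudFormation will rely on them, verifies that the CloudFront one is in us-east-1 and the ALB one in the stack's region, and checks that DomainName is actually covered by each certificate's subject alternative names, including the single-label wildcard rule. The account number, certificate ids, domain and SAN lists are constructed placeholders, and the script assumes the ALB certificate must cover the same DomainName that CloudFront serves (the hostname CloudFront uses to reach the origin); adjust that if your origin is reached on a different hostname.

```python
import re

# ACM certificate ARNs look like
#   arn:aws:acm:<region>:<account-id>:certificate/<uuid>
# The region segment is what CloudFront (us-east-1 only) and the ALB
# (same region as the stack) care about.
ACM_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):acm:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):certificate/(?P<id>[0-9a-f-]{36})$"
)


def parse_acm_arn(arn):
    """Return (region, account_id, certificate_id); raise ValueError if the
    string is not an ACM certificate ARN."""
    m = ACM_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ACM certificate ARN: {arn!r}")
    return m.group("region"), m.group("account"), m.group("id")


def hostname_covered(hostname, sans):
    """True if hostname is matched by one of the certificate's subject
    alternative names. A wildcard replaces exactly one leftmost label:
    *.example.com covers welcome.example.com but neither example.com nor
    a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                      # ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def check_parameters(params, stack_region, cdn_sans, alb_sans):
    """Return a list of problems with the CDNCertificateARN, ALBCertificateARN
    and DomainName parameters; an empty list means they look deployable.

    cdn_sans / alb_sans are the SubjectAlternativeNames of each certificate
    as shown in the ACM console. Assumption (not stated by the template):
    the ALB certificate must cover the same DomainName, i.e. the hostname
    CloudFront uses when it connects to the ALB origin."""
    problems = []
    for key, expected_region in (("CDNCertificateARN", "us-east-1"),
                                 ("ALBCertificateARN", stack_region)):
        try:
            region, _, _ = parse_acm_arn(params[key])
        except ValueError as err:
            problems.append(str(err))
            continue
        if region != expected_region:
            problems.append(
                f"{key} is in {region}, expected {expected_region}"
                + (" (CloudFront only reads certificates from us-east-1)"
                   if key == "CDNCertificateARN" else
                   " (an ALB listener can only use a certificate from its own region)")
            )
    domain = params["DomainName"].lower()
    if "://" in domain or "/" in domain:
        problems.append(f"DomainName must be a hostname, not a URL: {domain!r}")
    else:
        if not hostname_covered(domain, cdn_sans):
            problems.append(f"CloudFront certificate does not cover {domain}")
        if not hostname_covered(domain, alb_sans):
            problems.append(f"ALB certificate does not cover {domain}")
    return problems


# Constructed sample values: the account id, certificate ids and domain are
# placeholders, not real resources.
SAMPLE_PARAMS = {
    "CDNCertificateARN": "arn:aws:acm:us-east-1:123456789012:certificate/"
                         "11111111-2222-3333-4444-555555555555",
    "ALBCertificateARN": "arn:aws:acm:eu-west-1:123456789012:certificate/"
                         "66666666-7777-8888-9999-000000000000",
    "DomainName": "welcome.example.com",
}
SAMPLE_SANS = ["example.com", "*.example.com"]

if __name__ == "__main__":
    print(check_parameters(SAMPLE_PARAMS, "eu-west-1", SAMPLE_SANS, SAMPLE_SANS))
    # Same ARN for both parameters: the ALB one is now in the wrong region.
    wrong = dict(SAMPLE_PARAMS, ALBCertificateARN=SAMPLE_PARAMS["CDNCertificateARN"])
    for problem in check_parameters(wrong, "eu-west-1", SAMPLE_SANS, SAMPLE_SANS):
        print("problem:", problem)
```

Run it with your own parameter values and the SAN lists copied from the ACM console before clicking Create stack; a non-empty result is a deployment that would roll back after several minutes of waiting.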


Prerequisite

To deploy the CloudFormation template you need an AWS account with an existing VPC that has public and private subnets, plus the two certificates created in Part 2: one for CloudFront (in N. Virginia) and one for the Application Load Balancer (in the region you will deploy the stack to). The identity you deploy with also needs the following access:
Read Access:

  • VPC: Necessary to describe the existing VPC (if applicable) used by the template.
  • EC2: Needed to describe existing security groups and instances before modification or deletion.
  • ELBv2: Permission to describe existing load balancers, listeners, and target groups.
  • CloudFront: Required to describe existing CloudFront distributions.
  • R53: Allows describing the hosted zone (if it already exists) and existing record sets before modification or deletion.

Write Access:

  • EC2: Required to create and manage security groups, launch and manage EC2 instances, and attach/detach volumes.
  • EBS: Needed to create and manage volumes used by the EC2 instances.
  • ELBv2: Permissions to create and manage load balancers, listeners, and target groups.
  • CloudFront: Allows creating and managing CloudFront distributions.
  • R53: Permission to create a hosted zone (if it doesn't exist) and create/update record sets.
  • CloudFormation: Permission to create, describe, update and delete the CloudFormation stack and its associated resources.
  • IAM: Creation and deletion of IAM roles (CloudFormation asks you to acknowledge IAM resource creation when a template contains such resources).


Note: Deploying this infrastructure will incur some costs (roughly $0.93 a day), so remember to clean up afterwards. For estimates use the AWS Pricing Calculator; to see what your account is actually spending, go to Billing and Cost Management.

Deploy the solution


Start by downloading the required file WebInfrastructure.yml.
Now let's deploy the infrastructure:

1. Log in to the AWS console, navigate to AWS CloudFormation console.

2. Click "Create stack", choose "With new resources", then "Template is ready" and "Upload a template file"; select the downloaded template (WebInfrastructure.yml) and provide a stack name (e.g. web-infra-stack).

3. Fill Parameters: Review required parameters, enter values, and set optional parameters if desired.

Fill these in carefully; a wrong value will make the deployment fail and roll back.

  • ALBCertificateARN - Found in Certificate Manager in the region you are deploying the stack to. The certificate must cover the hostname CloudFront uses to reach the ALB.
  • ALBPubSubnetIDs - Public subnets for the ALB (an ALB needs at least two subnets in different Availability Zones). Found in VPC > Subnets if the drop-down is not sufficient.
  • CDNCertificateARN - Found in Certificate Manager in the N. Virginia (us-east-1) region; CloudFront will not accept a certificate from any other region.
  • DomainName - The hostname of your site, not a full URL (e.g. welcome.yourname.com or yourname.com). The CloudFront certificate must cover it.
  • R53HostedZone - The name of the hosted zone created in Part 1 (e.g. yourname.com).
  • VPCID - Select from the drop-down.
  • WebAMI - An Amazon Linux AMI (preferably the latest), found in the EC2 console under Images > AMI Catalog. AMI IDs are regional, so pick one from the deployment region.
  • WebPrivateSubnetID - The PRIVATE subnet for your web instance (this also fixes the instance's Availability Zone). Found in VPC > Subnets if the drop-down is not sufficient.
  • YourName - Your name or email address, used as the Owner tag on your resources.

4. Click Next.

5. Optional(highly recommended): On this page it is suggested to add a tag that will tag all the resources. Suggestions are Owner with your name as the value or System with the system name as value.

  • Great for tracking your resources and cost tracking with tags.

6. Review & Deploy: Review all settings, click "Create stack" to deploy, and monitor progress in the "Stacks" section.

7. Once the stack reaches CREATE_COMPLETE, browse to your domain and you should see a page with the message “It works!”

8. Notice how the URL is served over https and the browser shows a padlock. Click the padlock and open the certificate details: the certificate presented to your browser is the CloudFront one from N. Virginia, because the browser's TLS session terminates at the CloudFront edge. The ALB certificate is only ever seen by CloudFront.

9. You have a basic secure https:// website!

Tips

Certificates expire and have to be renewed, and an expired certificate takes the site down behind a browser warning. Know when yours expire: ACM shows the expiry date of every certificate, and you can have AWS warn you ahead of time, for example with the AWS Config managed rule acm-certificate-expiration-check, which flags certificates that are within a configurable number of days of expiry.

Edit the Certificates in console

Prerequisite 

To follow along and update certificates in the console you need a CloudFront distribution and an Application Load Balancer. If you followed the previous steps, the CloudFormation stack deployed both; you can also follow along with resources you created yourself.

Updating your certificate on CloudFront:

1. Navigate to your Distribution: In the CloudFront console, find the distribution you want to update the certificate for.

2. Edit Distribution Settings: Select the "Distribution Settings" tab and click "Edit" for the general settings.

3. Choose a Certificate: Under "SSL Certificate", choose "Custom SSL Certificate" and select the new certificate you want to use. Only certificates stored in ACM in N. Virginia (us-east-1) appear in this list, and the one you pick must cover every alternate domain name on the distribution.

4. Specify Alternate Domain Names (Optional): If you serve the distribution on your own domain names, list them under "Alternate Domain Names (CNAMEs)". CloudFront rejects the change if the selected certificate does not cover all of them.

5. Review and Save: Double-check your changes, then click "Yes, Edit" to confirm and save the updated configuration.

6. Wait for Propagation: CloudFront will propagate the changes to its edge locations. This can take 5-15 minutes.

7. Test and Monitor: Once propagation is complete, test your website and monitor for any issues with the new certificate.

Update or add certificates to your Loadbalancer:

1. Open the Amazon EC2 console and go to Load Balancing > Load Balancers in the left-hand navigation. Select your ALB; it is named web-cert-alb if you created it with the provided template.

2. Go to the "Listeners and rules" tab and click on the HTTPS listener you want to update (HTTPS:443).

3. Under "Certificates", click "Add certificate" to attach an additional certificate, or select the existing one and click "Edit" to change the default certificate.

4. Pick the certificate from ACM; it must be in the same region as the load balancer. If you only have a PEM file and private key, import them into ACM first, remembering that imported certificates are not auto-renewed. A listener has one default certificate; any additional certificates are selected per connection by Server Name Indication (SNI), matching the hostname the client asks for, so you only need more than one when the listener serves several hostnames that a single certificate cannot cover.

5. Review the changes and click "Save changes".

6. Wait for a short propagation period (usually under 5 minutes).

7. Test your website or application to ensure the update was successful.

Tips:

ACM provides managed renewal for the certificates it issues; keeping imported certificates current is your job. A certificate is eligible for automatic renewal subject to the following:

  • Eligible if it is associated with another AWS service, such as Elastic Load Balancing or CloudFront (the normal state for the two certificates this stack uses).
  • Eligible if it has been exported since being issued or last renewed.
  • Eligible if it is a private certificate issued through the ACM RequestCertificate API, the management console or the CLI and then exported or associated with an AWS service.

The following certificates are not eligible for automatic renewal:

  • Imported certificates: certificates imported into ACM are never renewed by ACM; import a fresh certificate before the old one expires.
  • Private CA certificates: certificates issued through the AWS Private CA IssueCertificate API.
  • Expired certificates: once a certificate has expired ACM will not renew it; request a new one.

For the DNS-validated public certificates from Part 2 there is one more condition: ACM renews them without any action on your part only while the validation CNAME record stays in the Route 53 hosted zone. Remove that record and the renewal sits in PENDING_VALIDATION until it fails.
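Put together, the expiry tip and the eligibility rules above give you a small triage you can run over the output of `aws acm describe-certificate` for each certificate you own. The following Python is an added example, not from the original post: each record has the shape of ACM's describe-certificate `Certificate` object (Type, Status, InUseBy, NotAfter, RenewalEligibility and, once ACM has tried to renew, RenewalSummary.RenewalStatus), and the function returns only the certificates that need a human. The five sample records, their ARNs, the fixed clock and the 30-day threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Warn this many days before NotAfter. ACM starts renewal attempts 60 days
# out, so an eligible certificate still unrenewed at 30 days is already a
# problem. Assumed threshold; it mirrors the daysToExpiration parameter of
# the AWS Config managed rule acm-certificate-expiration-check.
WARN_DAYS = 30


def triage(certificates, now=None, warn_days=WARN_DAYS):
    """Return [(certificate ARN, reason)] for certificates that need a human.

    Each record has the shape of the Certificate object returned by
    `aws acm describe-certificate`: Type (AMAZON_ISSUED | IMPORTED | PRIVATE),
    Status, InUseBy, NotAfter, RenewalEligibility and, once ACM has tried to
    renew, RenewalSummary.RenewalStatus."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for cert in certificates:
        arn = cert["CertificateArn"]
        remaining = (cert["NotAfter"] - now).days
        if cert["Status"] == "EXPIRED" or remaining < 0:
            findings.append((arn, "expired; ACM never renews an expired "
                                  "certificate, request or import a new one"))
            continue
        if cert["Type"] == "IMPORTED":
            # ACM does not renew imported certificates, whether in use or not.
            if remaining <= warn_days:
                findings.append((arn, f"imported, expires in {remaining} days "
                                      "and is never auto-renewed; import a fresh one"))
            continue
        # AMAZON_ISSUED, or PRIVATE issued through ACM RequestCertificate.
        if cert.get("RenewalEligibility") != "ELIGIBLE":
            why = ("not in use by any AWS service" if not cert.get("InUseBy")
                   else "marked INELIGIBLE by ACM")
            findings.append((arn, f"{why}; attach it to an ALB or CloudFront "
                                  "distribution (or export it) so ACM can renew it"))
            continue
        renewal = cert.get("RenewalSummary", {}).get("RenewalStatus")
        if renewal in ("PENDING_VALIDATION", "FAILED"):
            findings.append((arn, f"renewal {renewal}; validation is stuck, check "
                                  "the DNS CNAME record or the validation email"))
        elif remaining <= warn_days:
            findings.append((arn, f"{remaining} days left and ACM has not "
                                  "renewed it yet"))
    return findings


# ---- constructed sample records (placeholder ARNs, fixed clock) ----
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _record(name, ctype, status, in_use, days_left, eligibility=None, renewal=None):
    rec = {
        "CertificateArn": f"arn:aws:acm:eu-west-1:123456789012:certificate/{name}",
        "Type": ctype, "Status": status, "InUseBy": in_use,
        "NotAfter": NOW + timedelta(days=days_left),
    }
    if eligibility:
        rec["RenewalEligibility"] = eligibility
    if renewal:
        rec["RenewalSummary"] = {"RenewalStatus": renewal}
    return rec


ALB_ARN = ("arn:aws:elasticloadbalancing:eu-west-1:123456789012:"
           "loadbalancer/app/web-cert-alb/0000000000000000")
SAMPLE = [
    _record("alb-ok", "AMAZON_ISSUED", "ISSUED", [ALB_ARN], 300, "ELIGIBLE", "SUCCESS"),
    _record("imported-soon", "IMPORTED", "ISSUED", [ALB_ARN], 20),
    _record("unused", "AMAZON_ISSUED", "ISSUED", [], 100, "INELIGIBLE"),
    _record("cname-removed", "AMAZON_ISSUED", "ISSUED", [ALB_ARN], 45, "ELIGIBLE", "FAILED"),
    _record("private-expired", "PRIVATE", "EXPIRED", [], -5, "ELIGIBLE"),
]

if __name__ == "__main__":
    for arn, reason in triage(SAMPLE, now=NOW):
        print(f"{arn.rsplit('/', 1)[1]:16} {reason}")
```

The healthy in-use certificate produces nothing; the other four come back with the action to take. Run the same function in a scheduled Lambda over the real describe-certificate output of both regions (N. Virginia for the CloudFront certificate, your stack's region for the ALB one) and you have the early warning the tip above asks for.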

Clean up

  1. Delete your CloudFormation stack; this automatically deletes every resource the stack created. You can double-check with Tag Editor by searching for resources whose “Owner” tag is set to the value you entered in the YourName parameter, which also finds leftovers in other regions. Deleting a CloudFront distribution takes a while, so wait for the stack to reach DELETE_COMPLETE before the next step.
  2. Delete the two public certificates from AWS Certificate Manager (ACM): the CloudFront certificate in the N. Virginia region and the Application Load Balancer (ALB) certificate in the region where you deployed your CloudFormation stack. ACM refuses to delete a certificate that is still associated with a resource, which is why the stack has to be gone first. The hosted zone from Part 1 is not part of the stack; delete it as well if you no longer need the domain, since a hosted zone is billed monthly.

NB: If left unchecked the following monthly costs will be incurred:

  • Application Load Balancer fixed hourly charges: ~$18.40
  • Amazon EC2 On-Demand instance: ~$8.32
  • Amazon Elastic Block Store (EBS) volume: ~$0.70
  • CloudFront (Europe pricing): ~$0.21

Total cost a month: ~$27.63

Mathys Briers is a certified AWS DevOps Professional engineer with extensive experience implementing DevOps solutions for enterprise organizations in South Africa's retail and finance sectors. He is passionate about automated pipelines, efficient and secure release controls, and maintaining robust AWS cloud infrastructure. In his free time, he enjoys tinkering with home projects, particularly focusing on automating home tasks.

Petrus Smit is a Senior DevOps Engineer with experience in AWS implementations since 2019. He has delivered high-profile projects for various enterprise organizations in South Africa and serves as one of the Technical Leads at Autumn Leaf.