The Essential Guide to Public SSL Certificates in AWS: A Recipe for Secure and Trusted Web Applications Part 2

In this comprehensive blog series, we embark on a journey through the intricate landscape of domain management and SSL certificate integration within the AWS ecosystem.

In Part 1, we start from scratch, walking you through setting up your domain in AWS using Route 53. We've got step-by-step instructions and handy screenshots to make sure you're on track.

Once your domain is up and running, Part 2 shows you how to get your SSL certificates sorted. We'll cover creating and validating certificates for CloudFront and ALBs in two different AWS regions.

In the final stretch, Part 3, we'll take your setup to the next level with Infrastructure as Code (IaC). Learn how to deploy your web server with those shiny new certificates using code. Plus, we'll show you the ropes for managing certificates in the AWS console. Then we'll focus on the cleanup of the infrastructure set up in Parts 1 to 3. This essential step ensures that unused resources are removed, helping you maintain a lean and cost-effective AWS environment. Through this structured sequence, from domain registration to certificate integration, readers will gain a comprehensive understanding of the intricate processes involved in managing domains and securing them with SSL certificates within the AWS environment.

PART 2

Certificates

Welcome back to our exploration of Amazon Web Services (AWS) and its indispensable tool, Route 53. In Part 1 we successfully registered our most precious domain in R53. In this segment, we will delve into the critical realm of security, focusing on SSL/TLS certificates and their seamless integration with R53.

As ever-evolving digital threats loom, protecting your online presence is essential. By combining AWS Route 53 for domain management with SSL/TLS certificate management, you secure your digital assets with strong, standard controls. A certificate protects sensitive information such as passwords and credit card details while in transit, preventing malicious actors from eavesdropping on or tampering with the data. But it doesn't stop there: certificates also verify the identity of websites, ensuring you're not interacting with imposters trying to steal your information.

Moreover, search engines like Google reward websites with valid certificates with higher rankings, boosting your online visibility and attracting even more organic traffic.

Here is why incorporating SSL/TLS certificates with your infrastructure using R53 can be beneficial:

  1. Data encryption: Certificates enable encryption of data in transit between users' browsers and your web servers.
  2. Trust establishment: Displaying a valid SSL/TLS certificate instils trust and confidence in your users, showing them that interacting with your service is secure.
  3. Compliance requirements: Many regulatory frameworks require the use of SSL/TLS encryption for data protection.
  4. Seamless integration: R53 integrates seamlessly with AWS Certificate Manager (ACM), allowing you to generate and deploy SSL/TLS certificates with relative ease. Certificate provisioning can even be automated using infrastructure as code (IaC).

In this section we will deploy two certificates for the domain registered in Part 1. The first certificate is deployed in the solution's host region, in this example Ireland (eu-west-1). This certificate can be used by multiple different regional resources (for example API Gateway and Elastic Load Balancers; CloudFront is the exception, as the next section explains). The second certificate is deployed in the US East (N. Virginia) region (us-east-1), because it will be used on a global resource: in Part 3 it is attached to the CDN.

Deploying the certificate in the host region

Start by downloading the necessary CloudFormation template: HostedZoneAndCert.yml
In the host region, Ireland (eu-west-1):

  1. In the AWS Management Console, navigate to the CloudFormation service.
  2. In the top-right corner of the CloudFormation console, open the Create stack drop-down and select the With new resources option.
  3. In the Create stack menu, select Choose an existing template.
    1. Select the Upload a template file option.
    2. The Choose file button will then appear.
    3. Select the downloaded HostedZoneAndCert.yml file.
  4. Click the Next button once the template has been uploaded successfully.
  5. On the next screen, provide a stack name.
    1. E.g. host-region-certificate-stack
  6. In the next section of the screen, provide the template parameters:
    1. The ID of the hosted zone created during the domain registration process. NOTE: This can be retrieved in the R53 console by noting the hosted zone ID of the registered domain (e.g. Z0123456780SW).
    2. The domain name of the registered domain (e.g. example.com).
  7. After the parameters have been provided, click the Next button.
  8. Review the stack configuration and click the Create stack button at the bottom.
  9. The certificate should be created within 5-20 minutes.

Deploying the CloudFront (CDN) certificate:

NOTE: CloudFront (CDN) certificates must be created in the North Virginia region (us-east-1), as CloudFront is a global service.

  1. In the CloudFormation console, switch to the North Virginia region (us-east-1).
  2. Follow exactly the same steps as for the host region above and create the same CloudFormation stack in this region.
    1. NOTE: Take note of the certificate ARN of the CDN certificate; it is needed when the CDN is deployed in Part 3.
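The two procedures above deploy the post's own HostedZoneAndCert.yml template. What follows is an added example template written for this edit, not the post's file or the authors' code, showing what such a stack contains. It assumes the same two parameters as the console walkthrough (HostedZoneId and DomainName), requests the certificate for the apex domain plus a www SAN (an assumption; adjust to your hostnames), and uses ACM DNS validation, in which CloudFormation writes the validation CNAME records into the hosted zone itself, so no manual validation step is needed. Deploying it once in eu-west-1 and once in us-east-1 produces the host-region and CDN certificates described above.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Example template (not the post's HostedZoneAndCert.yml): requests a public
  ACM certificate for a registered domain and validates it through DNS
  records written automatically into the existing Route 53 hosted zone.
# Deploy per region with the AWS CLI, using the placeholder values from the
# walkthrough (replace with your own hosted zone ID and domain):
#   aws cloudformation deploy --region eu-west-1 \
#     --stack-name host-region-certificate-stack \
#     --template-file HostedZoneAndCert.yml \
#     --parameter-overrides HostedZoneId=Z0123456780SW DomainName=example.com
# Repeat with --region us-east-1 for the certificate CloudFront will use.

Parameters:
  HostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: ID of the public hosted zone created when the domain was registered (e.g. Z0123456780SW)
  DomainName:
    Type: String
    Description: Registered domain (e.g. example.com)

Resources:
  PublicCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      # Assumed SAN so the same certificate covers www.<domain>; extend or
      # drop to match the hostnames you actually serve.
      SubjectAlternativeNames:
        - !Sub 'www.${DomainName}'
      # DNS validation: because HostedZoneId is supplied, CloudFormation
      # creates the ACM validation CNAME records in the zone and waits for
      # the certificate to be issued (the 5-20 minutes noted above).
      ValidationMethod: DNS
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
        - DomainName: !Sub 'www.${DomainName}'
          HostedZoneId: !Ref HostedZoneId
      Tags:
        - Key: Name
          Value: !Sub '${DomainName}-${AWS::Region}'

Outputs:
  CertificateArn:
    Description: >
      Certificate ARN to reference from an ALB listener or API Gateway custom
      domain in this region, or from a CloudFront distribution when the stack
      is deployed in us-east-1.
    Value: !Ref PublicCertificate
    Export:
      Name: !Sub '${AWS::StackName}-CertificateArn'
```

Two points worth checking after deployment: the ARN in the stack output is regional, so CloudFront will only accept the ARN from the us-east-1 stack, and ACM renews the certificate automatically only while the validation CNAME records it created remain in the hosted zone, so do not delete them by hand.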

Conclusion

Certificates are easy to set up, as we have seen in these two parts, and with free options available for basic use there's no excuse to leave your website and your visitors vulnerable. Even better, in the next part we will be deploying infrastructure to host a simple website in AWS. As you follow along, see how certificates play a role not just in a website but in all facets of your infrastructure.

Mathys Briers is a certified AWS DevOps Professional engineer with extensive experience implementing DevOps solutions for enterprise organizations in South Africa's retail and finance sectors. He is passionate about automated pipelines, efficient and secure release controls, and maintaining robust AWS cloud infrastructure. In his free time, he enjoys tinkering with home projects, particularly focusing on automating home tasks.

Petrus Smit is a Senior DevOps Engineer with experience in AWS implementations since 2019. He has delivered high-profile projects for various enterprise organizations in South Africa and serves as one of the Technical Leads at Autumn Leaf.