Can I use the new free SSL/TLS AWS certificates without ELB or Beanstalk on plain EC2?
AWS just announced free SSL/TLS certificates here: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/
Mainly:
"SSL/TLS certificates provisioned through AWS Certificate Manager are free!"
and
"You can provision, deploy, and renew certificates at no charge."
However, the blog post and articles do not seem to clarify whether the created certificates can be used on plain EC2 instances without ELB or Beanstalk.
It only says this:
"Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle."
and
"We plan to add support for other AWS services and for other types of domain validation."
This linked article: https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.2w5o4vq9p
says
"There’s one caveat here: You must be using elastic beanstalk with an elastic load balancer (single instance environments without an ELB in front won’t work)."
My question is: Can I access and use the SSL certificates generated by this service and will they be valid?
Solution 1:
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
• AWS CloudFormation
https://aws.amazon.com/certificate-manager/faqs/
The certificates created by Amazon Certificate Manager (ACM) have corresponding private keys that are stored securely within the AWS infrastructure and are not accessible to you... which means you can't deploy these certs directly on systems you have direct access to, like EC2 servers.
You can only use them on services front-ended by Elastic Load Balancer, CloudFront, or both. As CloudFront, unlike ELB, has no monthly baseline cost, it seems like this would be a usable alternative for you, since cost is usually the motivation for not using ELB.
Solution 2:
You can use free LetsEncrypt SSL certificates with single instance Elastic Beanstalk: http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/