Can I use the new free SSL/TLS AWS certificates without ELB or Beanstalk on plain EC2?

amazon-web-services ssl-certificate amazon-ec2 amazon-elb elastic-beanstalk

AWS just announced free SSL/TLS certificates here: https://aws.amazon.com/blogs/aws/new-aws-certificate-manager-deploy-ssltls-based-apps-on-aws/

Mainly:

SSL/TLS certificates provisioned through AWS Certificate Manager are free!

and

You can provision, deploy, and renew certificates at no charge.

However, the blog post and articles do not seem to clarify whether the created certificates can be used on plain EC2 instances without ELB or Beanstalk.

It only says this:

Because ELB supports SSL offload, deploying a certificate to a load balancer (rather than to the EC2 instances behind it) will reduce the amount of encryption and decryption work that the instances need to handle.

and

We plan to add support for other AWS services and for other types of domain validation.

This linked article: https://medium.com/@arcdigital/enabling-ssl-via-aws-certificate-manager-on-elastic-beanstalk-b953571ef4f8#.2w5o4vq9p

says

There’s one caveat here: You must be using elastic beanstalk with an elastic load balancer (single instance environments without an ELB in front won’t work).

My question is: Can I access and use the SSL certificates generated by this service and will they be valid?


Solution 1:

Q: Can I use certificates on Amazon EC2 instances or on my own servers?

No. At this time, certificates provided by ACM can only be used with specific AWS services.

Q: With which AWS services can I use certificates provided by ACM?

You can use ACM with the following AWS services:

• Elastic Load Balancing

• Amazon CloudFront

• AWS Elastic Beanstalk

• Amazon API Gateway

• AWS CloudFormation

https://aws.amazon.com/certificate-manager/faqs/

The certificates created by Amazon Certificate Manager (ACM) have corresponding private keys that are stored securely within the AWS infrastructure and are not accessible to you... which means you can't deploy these certs directly on systems you have direct access to, like EC2 servers.

You can only use them on services front-ended by Elastic Load Balancer, CloudFront, or both. As CloudFront, unlike ELB, has no monthly baseline cost, it seems like this would be a usable alternative for you, since cost is usually the motivation for not using ELB.

Solution 2:

You can use free LetsEncrypt SSL certificates with single instance Elastic Beanstalk: http://bluefletch.com/blog/domain-agnostic-letsencrypt-ssl-config-for-elastic-beanstalk-single-instances/

Related

How to make cronjobs high available?
Setting up vsftpd, hangs on list command
Cisco IOS QoS prioritize SSH but not SCP
Why does the Task Manager does not show any activity from Hyper-V?
Chef bootstrap giving 401 unauthorized
How can I make nginx always return a HTTP 503?
Interpreting cryptic kernel "page allocation failure" messages
running automated fsck on remote server
Purchasing hard drives with non-sequential serial numbers
How do "correctly" sync millions of files with rsync and inotify?
How to solo Pyrocaustic Pete the Invincible?
Is there a way to move YouTube app from TV and Video on PS4?