Can AWS Certificate Manager (ACM) Certificates be used on Elastic Load Balancer Instances in Regions other than us-east-1?
Amazon has recently announced their new AWS Certificate Manager (ACM) service. This looks promising, but it is currently only supported in the us-east-1 region.
I have existing resources in the us-west-2 region. Is it possible for me to create a certificate using ACM, and then use it on an ELB instance in us-west-2? Or do I have to wait for Amazon to roll the service out to other regions? The documentation is frustratingly vague on this point.
(Possibly) Related questions:
- Can I use the new free SSL/TLS AWS certificates without ELB or Beanstalk on plain EC2?
- Passing multiple https domains through Elastic Load Balancer
Solution 1:
Not as of now, no.
The answer to the question is slightly hidden, under an entirely different question in the ACM FAQ:
Q: Can I use the same certificate in more than one AWS Region?
It depends on whether you’re using Elastic Load Balancing or Amazon CloudFront. If you want to use a certificate with Elastic Load Balancing for the same site (the same fully qualified domain name, or FQDN, or set of FQDNs) in a different Region (when ACM is available in additional Regions), you will be required to request a new certificate for each Region in which you plan to use it. Certificates issued in the US East (Northern Virginia) Region and associated with an Amazon CloudFront distribution are distributed to the geographic locations configured for your distribution. (emphasis added)
https://aws.amazon.com/certificate-manager/faqs/
From that, we can safely conclude that the service can't be used for ELBs outside us-east-1, until such time as the service is deployed in the respective regions.
The AWS Global Infrastructure pages show the service only being available (as of this writing) in us-east-1.
The apparent discrepancy between in-region-only availability for ELB, compared with global availability with CloudFront, is explained by the fact that us-east-1 is the region that houses the infrastructure that actually controls the provisioning of all CloudFront edge locations.
Solution 2:
This now works. I requested a certificate from Certificate Manager and assigned it to my US West (Oregon) Elastic Load Balancer. I added an EC2 instance to the ELB and had the ELB point to port 80 on the EC2 instance, not port 443 (this is somewhat faster, I suppose). The ELB will then encrypt the connection between the user and the EC2 instance.
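Added example, not code from the question or either answer: a check for the rule Solution 1 quotes from the ACM FAQ (an ELB needs a certificate issued in its own region, CloudFront needs one from us-east-1), applied to a Classic ELB listener shaped like the one Solution 2 describes. The listener dict, account id and certificate id are constructed placeholders; the listener field names follow the `aws elb describe-load-balancers` output format.

```python
import re

# ACM certificate ARN shape: arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>
ACM_ARN = re.compile(r"^arn:aws:acm:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):(?P<account>\d{12}):certificate/(?P<cert_id>[0-9a-f-]+)$")

def acm_arn_region(arn):
    """Return the region an ACM certificate was issued in, or None if this is not an ACM ARN."""
    m = ACM_ARN.match(arn)
    return m.group("region") if m else None

def certificate_usable(arn, target, target_region=None):
    """FAQ rule: ELB needs a cert from its own region, CloudFront needs us-east-1. Returns (ok, reason)."""
    cert_region = acm_arn_region(arn)
    if cert_region is None:
        return False, "not an ACM certificate ARN"
    if target == "cloudfront":
        return cert_region == "us-east-1", f"CloudFront needs a us-east-1 certificate; got {cert_region}"
    if target == "elb":
        return cert_region == target_region, f"ELB in {target_region} needs a {target_region} certificate; got {cert_region}"
    raise ValueError(f"unknown target {target!r}")

def audit_classic_elb_listener(listener, elb_region):
    """Check one Classic ELB listener (dict shaped like `aws elb describe-load-balancers` output)."""
    findings = []
    if listener["Protocol"] in ("HTTPS", "SSL"):
        ok, reason = certificate_usable(listener.get("SSLCertificateId", ""), "elb", elb_region)
        if not ok:
            findings.append(reason)
        if listener["InstanceProtocol"] in ("HTTP", "TCP"):
            # TLS is terminated at the ELB; the hop from the ELB to the instance is not encrypted
            findings.append(f"ELB-to-instance traffic on port {listener['InstancePort']} is plaintext")
    else:
        findings.append(f"listener on port {listener['LoadBalancerPort']} does not use TLS")
    return findings

# Constructed sample matching Solution 2's setup; account id and certificate id are placeholders.
SAMPLE_LISTENER = {
    "Protocol": "HTTPS",
    "LoadBalancerPort": 443,
    "InstanceProtocol": "HTTP",
    "InstancePort": 80,
    "SSLCertificateId": "arn:aws:acm:us-west-2:123456789012:certificate/00000000-0000-0000-0000-000000000000",
}

if __name__ == "__main__":
    for finding in audit_classic_elb_listener(SAMPLE_LISTENER, "us-west-2"):
        print(finding)
```

For the sample listener the region check passes and the only finding is the plaintext hop between the ELB and the instance.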