
Can I pin an application that runs on AWS to a certificate issued by ACM?


I want to know if I can pin an application that runs on AWS to a certificate issued by AWS Certificate Manager (ACM).

Resolution

It's a best practice to pin your application to a root certificate authority (CA), rather than to an individual certificate or intermediate CA. It's not a best practice to pin your AWS application to an SSL or TLS certificate issued by ACM. For more information, see Certificate pinning.

Note: For information on how intermediate CAs issue public certificates, see Amazon introduces dynamic intermediate certificate authorities.

When you pin an application to an Amazon Trust Services CA, you must also pin the same application to every CA in the Amazon Trust Services table, because when you request a certificate, ACM doesn't let you specify which of those CAs will issue it.

To pin a certificate, use one of the following options.

Pin your application to an Amazon root CA

When you pin your application to a root CA, ACM managed renewal renews the certificate under the same root CA that issued the certificate. The certificate's Amazon Resource Name (ARN) remains the same. You can pin your application to the root certificate. You can also pin your application to multiple CAs as backup pins.

If the certificate expires, then you can request a new certificate for the same domain or domains, and then associate the new certificate with your existing resources to reduce application downtime.
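As an added example that isn't part of this re:Post article, the Go program below shows why a root pin survives managed renewal while a leaf pin doesn't: it builds a constructed demo root and two leaves, pins by SPKI SHA-256 (a common pin format), then reissues the leaf under the same root. The "Demo Root CA" and example.com certificates are constructed in memory for the demo and aren't Amazon Trust Services certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"time"
)

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo (HPKP-style pin).
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainMatchesPins reports whether any cert in the presented chain (leaf first, root last) carries a pinned SPKI hash.
func chainMatchesPins(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] { return true }
	}
	return false
}

// mkCert issues a throwaway demo certificate (constructed, not an Amazon Trust Services CA); parent == nil means self-signed root.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, pkey = tmpl, key } // self-sign the root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RenewalScenario simulates ACM managed renewal (leaf reissued under the same root) and reports whether a root pin and a pin on the old leaf still accept the new chain.
func RenewalScenario() (rootPinOK, leafPinOK bool) {
	root, rootKey := mkCert("Demo Root CA", true, nil, nil)
	oldLeaf, _ := mkCert("example.com", false, root, rootKey)
	newLeaf, _ := mkCert("example.com", false, root, rootKey) // renewed leaf with a fresh key pair
	renewed := []*x509.Certificate{newLeaf, root}
	rootPinOK = chainMatchesPins(renewed, map[string]bool{spkiPin(root): true})
	leafPinOK = chainMatchesPins(renewed, map[string]bool{spkiPin(oldLeaf): true})
	return rootPinOK, leafPinOK
}
```

In a real client, the pin set would hold the SPKI hashes of every CA in the Amazon Trust Services table, and chainMatchesPins would run after, not instead of, normal chain validation.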

Import your own certificate into ACM, and then pin your application to the imported certificate

ACM managed renewal doesn't renew imported certificates. You must manage renewal of the certificate and its keys yourself. For more information, see Importing certificates into AWS Certificate Manager.

Related information

Certificate pinning problems

AWS OFFICIAL. Updated 6 months ago.