Can I pin an application that's running on AWS to a certificate that was issued by ACM?


I want to know if I can pin an application that's running on AWS to a certificate that was issued by AWS Certificate Manager (ACM).

Short description

It's not a best practice to pin your application to an SSL/TLS certificate issued by ACM. When you pin a certificate, you give the browser an identifier for the public key that the website uses. When a user visits the website, the browser caches that pin and uses it to verify the public key on future visits. The pin information, together with the pin's time to live (TTL), is usually sent in an HTTP response header. If the certificate changes, for example when it's renewed, website visitors can receive errors because a secure connection to the website can't be established. For more information, see Certificate pinning.

Important: Starting October 11, 2022 at 9:00 AM Pacific Time, public certificates obtained through ACM are issued from one of the intermediate CAs that Amazon manages. Multiple intermediate CAs chain to an existing Amazon Trust Services root CA. With this change, leaf certificates issued to you are signed by different intermediate CAs. Before this change, Amazon maintained a limited number of intermediate CAs and issued and renewed certificates from the same intermediate CAs. For more information, see Amazon introduces dynamic intermediate certificate authorities.

Resolution

It's a best practice to pin your application to a root certificate authority (CA) rather than to an individual certificate or an intermediate CA certificate. When you pin an application to an Amazon Trust Services CA, pin the same application to all the CAs in the Amazon Trust Services table.

Note: You must pin your application to all the CAs in the table because, when you request a certificate, ACM doesn't let you choose which CA issues it.

To pin a certificate, use one of the following options so that the application can still connect to the domain after the certificate is renewed or replaced.

Pin your application to an Amazon root certificate

When you pin your application at the root certificate level, ACM-managed renewal renews the certificate under the same CA that issued the certificate. The certificate Amazon Resource Name (ARN) remains the same. You can also pin your application to multiple CAs as backup pins. If the certificate expires, then you can request a new certificate and apply the certificate to your load balancer to reduce application downtime.

Import your own certificate into ACM, and then pin your application to the imported certificate

Imported certificates aren't renewed by the ACM-managed renewal process. You must manage the renewal of the certificate and keys. For more information, see Importing certificates into AWS Certificate Manager.
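The following Go program is an added illustration of the two points made in this article: a pin on a root CA (with a second root kept as a backup pin) survives a renewal that switches intermediates and rotates the leaf key, while a pin on the leaf or on an intermediate breaks. It is not code from AWS or ACM. It builds its own constructed PKI (two example roots, two intermediates under the first root, and a leaf that is "renewed" under the other intermediate) and validates a chain the way a TLS client could in a custom verification callback; all CA names and hostnames are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial counter so every test certificate is unique

// spkiPin returns the base64 SHA-256 of a certificate's SubjectPublicKeyInfo,
// the usual form of a public-key pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinSet collects the SPKI pins of the given certificates.
func pinSet(certs ...*x509.Certificate) map[string]bool {
	s := make(map[string]bool)
	for _, c := range certs {
		s[spkiPin(c)] = true
	}
	return s
}

// mkCert issues a constructed certificate for cn, signed by parent
// (self-signed when parent is nil), with a freshly generated P-256 key.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyWithPins validates the presented chain against the trusted roots and then
// accepts it only if at least one certificate in the built chain carries a pinned key.
// Pinning several roots gives backup pins, as the article recommends.
func verifyWithPins(leaf *x509.Certificate, presented []*x509.Certificate, roots []*x509.Certificate, pins map[string]bool) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	for _, c := range presented {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: leaf.DNSNames[0], Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[spkiPin(c)] {
				return nil
			}
		}
	}
	return fmt.Errorf("no certificate in the chain matches a pinned key")
}

type pinResult struct{ RootPinOK, IntermediatePinOK, LeafPinOK bool }

// runScenario simulates an ACM-style renewal: same root, a different
// intermediate, and a new leaf key. It reports which pin strategies still pass.
func runScenario() (beforeRenewal, afterRenewal pinResult) {
	root1, root1Key := mkCert("Example Root CA 1", true, nil, nil)
	root2, _ := mkCert("Example Root CA 2", true, nil, nil) // backup pin, issues nothing here
	inter1, inter1Key := mkCert("Example Intermediate 1", true, root1, root1Key)
	inter2, inter2Key := mkCert("Example Intermediate 2", true, root1, root1Key)
	leaf1, _ := mkCert("www.example.com", false, inter1, inter1Key)
	leaf2, _ := mkCert("www.example.com", false, inter2, inter2Key) // the renewed certificate

	roots := []*x509.Certificate{root1, root2}
	rootPins, interPins, leafPins := pinSet(root1, root2), pinSet(inter1), pinSet(leaf1)
	check := func(leaf, inter *x509.Certificate) pinResult {
		presented := []*x509.Certificate{inter} // what the server sends alongside the leaf
		return pinResult{
			RootPinOK:         verifyWithPins(leaf, presented, roots, rootPins) == nil,
			IntermediatePinOK: verifyWithPins(leaf, presented, roots, interPins) == nil,
			LeafPinOK:         verifyWithPins(leaf, presented, roots, leafPins) == nil,
		}
	}
	return check(leaf1, inter1), check(leaf2, inter2)
}

func main() {
	before, after := runScenario()
	fmt.Printf("before renewal: %+v\nafter renewal:  %+v\n", before, after)
}
```

Running it shows every pin strategy passing before renewal and only the root pin passing afterwards. A real client would keep its normal trust store as the roots and add the published root pins (all of them, since the issuing CA can't be chosen at request time) to the pin set; the chain-building and pin-matching logic stays the same.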

Related information

ACM best practices

Certificate pinning problems

AWS OFFICIAL. Updated a year ago.