Using central wildcard certificate in an AWS Organization

0

My customer is using a wildcard certificate installed on network load balancers in multiple AWS accounts. Load balancers are deployed using a CloudFormation stack.

Is there any way to:

a) centrally store the wildcard certificate and refer to it when running each stack (to avoid referring to a local ARN within the member account for the certificate each time)

b) have the load balancers all referring to the central wildcard certificate, so replacing the expiring wildcard certificate is also centrally managed rather than replacing the certificate on every load balancer in every member account

2 Answers
1

At this time, certificates created in one account can't be shared with other accounts. They can be used locally only, where they are created or imported. You can consider using StackSets to simplify deploying Public and Private CAs to multiple accounts in your organization. Check these two resources:

https://aws.amazon.com/blogs/security/how-to-deploy-public-acm-certificates-across-multiple-aws-accounts-and-regions-using-aws-cloudformation-stacksets/

https://aws.amazon.com/blogs/security/using-acm-private-certificate-authority-multi-account-environment-using-iam-roles/

AWS EXPERT, answered 8 months ago
1

Hi,

Have a look at this blog post: it explains how to deploy public ACM certificates across multiple AWS accounts and Regions using AWS CloudFormation StackSets.

Link: https://aws.amazon.com/blogs/security/how-to-deploy-public-acm-certificates-across-multiple-aws-accounts-and-regions-using-aws-cloudformation-stacksets/

Best,

Didier

AWS EXPERT, answered 8 months ago
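
The StackSets approach both answers point to, sketched as an added example (not taken from the answers or the linked AWS posts): one template, rolled out to every member account, requests that account's own wildcard certificate and exports its ARN so the load balancer stack imports a fixed name instead of a hard-coded ARN. The parameter names, the export name `shared-wildcard-cert-arn` and the presence of a public Route 53 hosted zone for the domain in each member account are assumptions.

```yaml
# Added example. Parameter names, the export name and the hosted-zone
# layout are assumptions, not values from the question or the answers.
AWSTemplateFormatVersion: "2010-09-09"
Description: Per-account wildcard ACM certificate, deployed as a StackSet instance.

Parameters:
  BaseDomain:
    Type: String
    Description: Domain the wildcard covers, for example example.com (placeholder).
  HostedZoneId:
    Type: String
    Description: Public hosted zone for BaseDomain, assumed to be in this account.

Resources:
  WildcardCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Sub "*.${BaseDomain}"
      ValidationMethod: DNS
      # With a hosted zone ID in the same account, CloudFormation creates
      # the validation CNAME record itself.
      DomainValidationOptions:
        - DomainName: !Sub "*.${BaseDomain}"
          HostedZoneId: !Ref HostedZoneId

Outputs:
  WildcardCertificateArn:
    Description: ARN of the certificate issued in this account and Region.
    Value: !Ref WildcardCertificate
    Export:
      Name: shared-wildcard-cert-arn

# Consumer side: fragment for the existing load balancer template
# (NetworkLoadBalancer and TargetGroup are hypothetical logical IDs).
#   TlsListener:
#     Type: AWS::ElasticLoadBalancingV2::Listener
#     Properties:
#       LoadBalancerArn: !Ref NetworkLoadBalancer
#       Protocol: TLS
#       Port: 443
#       Certificates:
#         - CertificateArn: !ImportValue shared-wildcard-cert-arn
#       DefaultActions:
#         - Type: forward
#           TargetGroupArn: !Ref TargetGroup
```

ACM renews DNS-validated certificates automatically while the validation record stays in place and the certificate is in use, so a certificate issued this way does not need a manual replacement on each load balancer at expiry.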
