There is no way to export the private key of a publicly trusted certificate from ACM. You can only use public certificates by associating them with AWS-managed resources that support them, such as an Application Load Balancer (ALB) or a CloudFront distribution, which you could use as a reverse proxy for your Nginx server. Supported services are listed in the documentation: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html
This guarantees that there's no way for anyone potentially hacking into your server, or for an operator with legitimate access there, to inadvertently exfiltrate the private key of the publicly trusted certificate for your domain name.
Between an ALB and your EC2 instance, you can use self-signed certificates, because ALBs don't validate the certificates of the target resources, relying on the physical and logical layer security safeguards of VPCs instead of the private key of a certificate hosted on a virtual machine remaining secret. Alternatively, you can use cleartext HTTP between the ALB and the EC2 instance with similar reasoning.
The export option is available for an AWS private CA that issues certificates only trusted by you and anyone choosing to trust you as a certificate issuer. That's why some documentation links or blog posts might show the option you're not seeing: https://docs.aws.amazon.com/acm/latest/userguide/export-private.html
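The ALB-to-instance hop described in the answer above, as an added example that is not part of the original answer or AWS documentation: the script generates a self-signed certificate for the backend listener, verifies it really is self-signed (issuer equals subject), and writes an Nginx server block that uses it. The public ACM certificate never leaves the ALB; only this backend key lives on the instance. The working directory, the internal hostname `backend.internal.example`, the document root, and the availability of `openssl` on the instance are assumptions; restricting who can reach port 443 is done with the instance's security group (allow only the ALB's security group), not in this config.

```shell
#!/bin/sh
# Added example, not the answer's own code. Generates a self-signed cert for the
# ALB -> EC2 hop and an nginx server block that terminates TLS with it.
# Assumptions: openssl is installed; WORKDIR and BACKEND_CN are hypothetical.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
BACKEND_CN="${BACKEND_CN:-backend.internal.example}"   # hypothetical internal name

# Create a self-signed certificate and key for the backend listener.
# The ALB does not validate target certificates, so the CN only needs to be
# meaningful to operators; the key never leaves this instance.
make_backend_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$BACKEND_CN" \
    -keyout "$dir/backend.key" -out "$dir/backend.crt" >/dev/null 2>&1
  chmod 600 "$dir/backend.key"   # private key readable only by its owner
  echo "$dir/backend.crt"
}

# Return 0 when the certificate is self-signed (issuer equals subject), i.e.
# it is the backend-only cert and not a publicly trusted one copied here.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Write an nginx server block that serves HTTPS with the backend cert/key.
# Network-level restriction to the ALB belongs in the EC2 security group.
write_nginx_conf() {
  dir="$1"
  cat > "$dir/backend.conf" <<EOF
server {
    listen 443 ssl;
    server_name $BACKEND_CN;
    ssl_certificate     $dir/backend.crt;
    ssl_certificate_key $dir/backend.key;
    location / {
        root /var/www/html;   # hypothetical document root
    }
}
EOF
  echo "$dir/backend.conf"
}

crt=$(make_backend_cert "$WORKDIR")
is_self_signed "$crt" && echo "backend certificate is self-signed: $crt"
conf=$(write_nginx_conf "$WORKDIR")
echo "nginx server block written to: $conf"
```

To deploy on the instance, copy `backend.conf` into the Nginx configuration directory (for example `/etc/nginx/conf.d/`, an assumed path), point the ALB target group at port 443 with the HTTPS protocol, and leave the ACM-issued certificate attached to the ALB listener only.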