Enabling an AWS-issued certificate on an AWS EC2 instance with Ubuntu 22.04 and NGINX

0

We have an AWS issued certificate in the AWS Certificate Manager.

Reading through a help article, I am told that I need to:

  1. Have AWS CLI installed and configured
  2. Create an S3 bucket
  3. Navigate to ACM in the AWS Management Console.
  4. Select the certificate I want to export.
  5. Click on Actions and select Export (private key).
  6. Follow the instructions to export the certificate to your S3 bucket.

Problem is that when I get to Step 5, there is no Actions option.

Any idea how to do this?

asked 3 months ago, 215 views
1 Answer
1
Accepted Answer

There is no way to export the private key of a publicly trusted certificate from ACM. You can only use public certificates by associating them with AWS-managed resources supporting them, such as an Application Load Balancer (ALB) or CloudFront distribution that you could use as a reverse proxy for your Nginx server. Supported services are listed in documentation: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

This guarantees that there's no way for anyone potentially hacking into your server, or for an operator with legitimate access there, to inadvertently exfiltrate the private key of the publicly trusted certificate for your domain name.

Between an ALB and your EC2 instance, you can use self-signed certificates, because ALBs don't validate the certificates of the target resources, relying on the physical and logical layer security safeguards of VPCs instead of the private key of a certificate hosted on a virtual machine remaining secret. Alternatively, you can use cleartext HTTP between the ALB and the EC2 instance with similar reasoning.

The export option is available for an AWS private CA that issues certificates only trusted by you and anyone choosing to trust you as a certificate issuer. That's why some documentation links or blog posts might show the option you're not seeing: https://docs.aws.amazon.com/acm/latest/userguide/export-private.html

EXPERT
Leo K
answered 3 months ago
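The split the answer describes, as an added example (not from the answer, AWS documentation or any project): the ACM certificate is attached to the ALB's HTTPS listener with the AWS CLI and never leaves AWS, while the EC2/NGINX backend gets a throwaway self-signed certificate that the ALB does not validate. The hostname, paths and ARNs are placeholders you must replace.

```shell
#!/usr/bin/env bash
# Added example: public ACM cert stays on the ALB; backend NGINX uses a
# self-signed cert (or plain HTTP) behind it. Values below are placeholders.
set -euo pipefail

# Generate a self-signed certificate for the backend.
# $1 = output directory, $2 = hostname to put in the SAN (hypothetical)
make_backend_cert() {
  local dir="$1" host="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/backend.key" -out "$dir/backend.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod 600 "$dir/backend.key"   # private key readable by root only
}

# Returns 0 when issuer and subject hash match, i.e. the cert is self-signed.
is_self_signed() {
  local crt="$1"
  [ "$(openssl x509 -in "$crt" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$crt" -noout -subject_hash)" ]
}

# Write an NGINX server block that terminates the ALB-to-backend hop with
# the self-signed cert and exposes a health-check path for the target group.
# $1 = config file to write, $2 = directory holding backend.crt/backend.key
write_nginx_site() {
  local out="$1" dir="$2"
  cat > "$out" <<EOF
server {
    listen 443 ssl;
    server_name _;
    ssl_certificate     $dir/backend.crt;
    ssl_certificate_key $dir/backend.key;
    location = /healthz { return 200 'ok'; }
    location / { root /var/www/html; }
}
EOF
}

# Put the ACM certificate on the ALB listener (the supported use of a public
# ACM cert) and forward to the backend target group. ARNs are placeholders.
attach_acm_to_alb() {
  local alb_arn="$1" tg_arn="$2" cert_arn="$3"
  aws elbv2 create-listener --load-balancer-arn "$alb_arn" \
    --protocol HTTPS --port 443 --certificates "CertificateArn=$cert_arn" \
    --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
    --default-actions "Type=forward,TargetGroupArn=$tg_arn"
}
```

The target group that `attach_acm_to_alb` forwards to should be created with protocol HTTPS on port 443 and health-check path `/healthz` so the ALB reaches the self-signed backend; swap to HTTP/80 if you choose the cleartext option from the answer.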
