
AWS – CloudFormation now allows DNS-validated certificate management with Amazon Certificate Manager - cubesys

Written by cubesys | Jul 5, 2020 2:00:00 PM

As you know, Amazon Certificate Manager (ACM) helps you manage certificates, from creation through the renewal process.

Well, CloudFormation can now use ACM to automate SSL/TLS certificate management for DNS-validated certificates on domains hosted in Amazon Route 53.

With this improvement you no longer need to validate your certificate request manually.

To start using this new capability, create a new CloudFormation template based on the resource syntax below.

{
  "Type" : "AWS::CertificateManager::Certificate",
  "Properties" : {
    "CertificateAuthorityArn" : String,
    "CertificateTransparencyLoggingPreference" : String,
    "DomainName" : String,
    "DomainValidationOptions" : [ DomainValidationOption, ... ],
    "SubjectAlternativeNames" : [ String, ... ],
    "Tags" : [ Tag, ... ],
    "ValidationMethod" : String
  }
}

Where:

  • CertificateAuthorityArn is the Amazon Resource Name (ARN) of the private certificate authority (CA), in the following form: arn:aws:acm-pca:region:account:certificate-authority/12345678-1234-1234-1234-123456789012
  • CertificateTransparencyLoggingPreference defines whether you opt in to or out of automatically logging your certificate in a public Certificate Transparency (CT) log. Accepted values are enabled or disabled
  • DomainName (required) defines the fully qualified domain name (such as www.amazon.com) for which you want to issue or renew a certificate
  • DomainValidationOptions defines the validation options used to prove that you control the domain. The list of available options is documented at https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-certificatemanager-certificate-domainvalidationoption.html
  • SubjectAlternativeNames lets you define alternative names for your certificate; as with the domain name, each must be an FQDN
  • Tags lets you define tags that identify your certificate
  • ValidationMethod defines the validation method (DNS or email) used to verify your ownership. In the context of this post, use the DNS option

Below is a sample JSON resource definition for the new template. (The ValidationMethod value is case-sensitive: CloudFormation expects DNS, not dns.)

"mycertificate" : {
  "Type" : "AWS::CertificateManager::Certificate",
  "Properties" : {
    "DomainName" : "mydomain.com",
    "DomainValidationOptions" : [{
      "DomainName" : "mydomain.com",
      "ValidationDomain" : "mydomain.com"
    }],
    "ValidationMethod" : "DNS"
  }
}
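The fragment above still leaves the validation CNAME for you to publish. The following complete template is an added example, not code from the post, and uses the HostedZoneId property of DomainValidationOptions (documented in the CloudFormation page linked above but not shown here) so that CloudFormation writes the validation record into Route 53 itself and the stack only completes once ACM has issued the certificate; the domain name and hosted zone are supplied as parameters, and the wildcard SAN and CT logging setting are assumptions for illustration.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example: ACM certificate, DNS-validated via Route 53, no manual CNAME step",
  "Parameters": {
    "DomainName": {
      "Type": "String",
      "Description": "Apex domain to certify, e.g. example.com (placeholder, supplied at deploy time)"
    },
    "HostedZoneId": {
      "Type": "AWS::Route53::HostedZone::Id",
      "Description": "Public Route 53 hosted zone that is authoritative for DomainName"
    }
  },
  "Resources": {
    "SiteCertificate": {
      "Type": "AWS::CertificateManager::Certificate",
      "Properties": {
        "DomainName": { "Ref": "DomainName" },
        "SubjectAlternativeNames": [
          { "Fn::Sub": "*.${DomainName}" }
        ],
        "ValidationMethod": "DNS",
        "DomainValidationOptions": [
          {
            "DomainName": { "Ref": "DomainName" },
            "HostedZoneId": { "Ref": "HostedZoneId" }
          },
          {
            "DomainName": { "Fn::Sub": "*.${DomainName}" },
            "HostedZoneId": { "Ref": "HostedZoneId" }
          }
        ],
        "CertificateTransparencyLoggingPreference": "ENABLED"
      }
    }
  },
  "Outputs": {
    "CertificateArn": {
      "Description": "Certificate ARN to attach to an ALB listener or CloudFront distribution",
      "Value": { "Ref": "SiteCertificate" }
    }
  }
}
```

Deploy it in the region where the certificate will be consumed (us-east-1 for CloudFront) and pass the hosted zone ID as a parameter; CloudFormation creates the validation CNAME in that zone and keeps the stack in CREATE_IN_PROGRESS until ACM issues the certificate.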