AWS re:Invent 2025 - Automating Certificate Management with Exportable Public Certificates (SEC322)
Automating Certificate Management with Exportable Public Certificates
Overview
AWS Certificate Manager (ACM) now supports exporting public certificates together with their private keys (certificate, chain, and a passphrase-encrypted key in PEM form), enabling deployment on services and devices that are not integrated with ACM.
This feature addresses common challenges with manual certificate management, installation, and renewal across diverse environments.
The presentation covers the architecture and implementation of a sample solution that automates the export, installation, and renewal of ACM-issued public certificates.
Key Features
Exportable Public Certificates: ACM allows customers to export the private key of public certificates, enabling deployment on non-integrated services like firewalls, EC2 instances, and on-premises servers. Export must be enabled when the certificate is requested; an existing certificate issued without the export option cannot be exported later.
Automated Renewal: The solution leverages Amazon EventBridge to detect ACM certificate renewals and push the renewed certificate and key to the target systems.
Secure Key Management: Each export is protected by a freshly generated passphrase that encrypts the exported private key; the passphrase is stored in AWS Secrets Manager, and only the secret's ARN is recorded elsewhere. Anyone who can read that secret and the exported key file can use the key, so access to the secret is the control point.
Cross-Account Deployment: The solution supports deploying certificates across multiple AWS accounts using IAM roles and policies.
Centralized Inventory: A DynamoDB table tracks metadata about exported certificates, including where they are installed, to provide visibility and auditability.
Architecture and Workflow
On-Demand Certificate Export:
An API Gateway endpoint triggers a Step Functions state machine to export a specific certificate from ACM.
The workflow exports the certificate, generates a passphrase, and stores it in Secrets Manager.
The certificate and passphrase are then used to install the certificate on target EC2 instances using AWS Systems Manager Automation.
The DynamoDB table records the certificate metadata, including the target EC2 instances.
Automated Certificate Renewal:
An EventBridge rule monitors for ACM certificate renewal events.
When a certificate is renewed, a Lambda function is triggered to identify any exported certificates and update them on the target systems.
The Lambda function retrieves the certificate details from the DynamoDB table, exports the renewed certificate, and updates the passphrase in Secrets Manager.
The Systems Manager Automation is then used to install the renewed certificate on the target EC2 instances.
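The two procedures above, on-demand export and renewal handling, share one export step, so here is both as a single added example in Python. This is not code from the talk or from its sample solution. The ACM, Secrets Manager and DynamoDB clients are injected (boto3 `export_certificate`, `create_secret`, `put_secret_value`, `put_item`, `get_item` call shapes) and constructed fakes stand in for them so the module runs offline. The EventBridge fields (`source` aws.acm, `detail-type` "ACM Certificate Available", `detail.Action` RENEWAL) follow the published ACM event format; the ARNs, instance ID and secret naming scheme are assumptions made for the example. The passphrase itself is never written to the inventory table, and the SSM Automation step that installs the returned bundle is outside this snippet.

```python
"""Export an ACM exportable public certificate, keep its passphrase in
Secrets Manager, record where it is installed in DynamoDB, and re-run the
same path when EventBridge reports a renewal.  Clients are injected so this
runs offline against the fakes below; in Lambda pass boto3.client("acm"),
boto3.client("secretsmanager") and boto3.resource("dynamodb").Table(name)."""
import secrets
from datetime import datetime, timezone

# Pattern the EventBridge rule would use to select renewals only (assumed
# field values taken from the ACM "Certificate Available" event format).
RENEWAL_EVENT_PATTERN = {
    "source": ["aws.acm"],
    "detail-type": ["ACM Certificate Available"],
    "detail": {"Action": ["RENEWAL"]},
}


def generate_passphrase() -> str:
    # CSPRNG; 32 bytes -> 43 URL-safe chars, inside ACM's 4..128-byte limit
    return secrets.token_urlsafe(32)


def export_and_record(acm, sm, table, cert_arn, targets, secret_arn=None):
    """Export cert_arn under a fresh passphrase and update the inventory.
    secret_arn is None on first export (create the secret) and set on
    renewal (rotate the existing secret).  Returns the PEM bundle."""
    passphrase = generate_passphrase()
    bundle = acm.export_certificate(CertificateArn=cert_arn,
                                    Passphrase=passphrase.encode())
    if secret_arn is None:
        # assumed naming: one secret per certificate, keyed by the ARN tail
        name = "acm-export/" + cert_arn.rsplit("/", 1)[-1]
        secret_arn = sm.create_secret(Name=name, SecretString=passphrase)["ARN"]
    else:
        # renewal: new key, new passphrase; the old key file stays unreadable
        sm.put_secret_value(SecretId=secret_arn, SecretString=passphrase)
    item = {
        "certificate_arn": cert_arn,
        "secret_arn": secret_arn,            # reference only, never the value
        "targets": list(targets),
        "exported_at": datetime.now(timezone.utc).isoformat(),
    }
    table.put_item(Item=item)
    return {"certificate": bundle["Certificate"],
            "chain": bundle["CertificateChain"],
            "encrypted_private_key": bundle["PrivateKey"],
            "inventory": item}


def renewed_certificate_arn(event):
    """Certificate ARN if event is an ACM renewal notification, else None."""
    if event.get("source") != "aws.acm":
        return None
    if event.get("detail-type") != "ACM Certificate Available":
        return None
    if event.get("detail", {}).get("Action") != "RENEWAL":
        return None
    resources = event.get("resources") or []
    return resources[0] if resources else None


def handle_renewal(event, acm, sm, table):
    """Lambda-style handler: re-export only certificates we previously
    exported; integrated consumers pick up renewals on their own."""
    cert_arn = renewed_certificate_arn(event)
    if cert_arn is None:
        return None
    item = table.get_item(Key={"certificate_arn": cert_arn}).get("Item")
    if item is None:
        return None
    return export_and_record(acm, sm, table, cert_arn,
                             item["targets"], item["secret_arn"])


# ---- constructed fakes so the module runs without AWS credentials ----
class FakeAcm:
    def __init__(self):
        self.passphrases = []      # what each export was encrypted under

    def export_certificate(self, CertificateArn, Passphrase):
        self.passphrases.append(Passphrase)
        return {"Certificate": "-----BEGIN CERTIFICATE-----\n(constructed)\n",
                "CertificateChain": "-----BEGIN CERTIFICATE-----\n(chain)\n",
                "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n(key)\n"}


class FakeSecrets:
    def __init__(self):
        self.store = {}

    def create_secret(self, Name, SecretString):
        arn = "arn:aws:secretsmanager:us-east-1:111122223333:secret:" + Name
        if arn in self.store:
            raise RuntimeError("ResourceExistsException")
        self.store[arn] = SecretString
        return {"ARN": arn}

    def put_secret_value(self, SecretId, SecretString):
        self.store[SecretId] = SecretString
        return {"ARN": SecretId}


class FakeTable:
    def __init__(self):
        self.items = {}

    def put_item(self, Item):
        self.items[Item["certificate_arn"]] = Item

    def get_item(self, Key):
        item = self.items.get(Key["certificate_arn"])
        return {"Item": item} if item else {}


if __name__ == "__main__":
    acm, sm, table = FakeAcm(), FakeSecrets(), FakeTable()
    arn = "arn:aws:acm:us-east-1:111122223333:certificate/example-cert-id"
    first = export_and_record(acm, sm, table, arn, ["i-0123456789abcdef0"])
    event = {"source": "aws.acm", "detail-type": "ACM Certificate Available",
             "resources": [arn], "detail": {"Action": "RENEWAL"}}
    second = handle_renewal(event, acm, sm, table)
    print("rotated:", acm.passphrases[0] != acm.passphrases[1],
          "targets:", second["inventory"]["targets"])
```

The inventory item deliberately carries the secret ARN and not the passphrase, so a reader of the DynamoDB table learns where a certificate lives but cannot decrypt the key file; the Secrets Manager resource policy and the IAM policy on `acm:ExportCertificate` are the two places to lock down.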
Technical Details
Certificate Validation: ACM supports both email and DNS-based domain validation. DNS validation is recommended for automated renewal because ACM can re-validate against the CNAME record as long as it stays in place, whereas email validation needs a person to respond at each renewal.
Pricing: Exportable public certificates are priced at $15 per FQDN, with a one-time charge when the certificate is first exported.
Private Key Protection: Exported private keys are encrypted using a dynamically generated passphrase stored in AWS Secrets Manager, with access controlled by IAM policies and tags. Note that the acm:ExportCertificate permission is itself sensitive: a caller holding it can export the key under a passphrase of their own choosing, so scope it as tightly as the secret.
Supported Platforms: The sample solution demonstrates installation on Amazon Linux EC2 instances, but can be extended to support other platforms like Windows IIS or external cloud providers.
Business Impact
Reduced Manual Effort: Automating certificate management and renewal eliminates the need for manual processes, such as setting Outlook calendar reminders, and reduces the risk of expired certificates leading to service outages.
Consolidated Certificate Management: Customers can consolidate their certificate management to a single provider (ACM) and leverage the automated renewal capabilities.
Cost Optimization: The per-FQDN pricing model for exportable certificates can help reduce costs compared to traditional public certificate providers.
Improved Security: Secure key management and access control mechanisms help mitigate the risk of private key compromise when certificates are deployed on non-integrated systems.
Examples and Use Cases
Firewalls and On-Premises Servers: Customers can use the solution to deploy ACM-issued public certificates on firewalls and other on-premises servers that are not integrated with ACM.
Multi-Cloud Environments: The solution supports deploying certificates to resources in other cloud providers, such as Azure or Google Cloud, by leveraging the exported private key.
Containerized Workloads: The solution can be extended to install certificates on containerized environments, such as Amazon ECS or Kubernetes clusters, by modifying the Systems Manager Automation scripts.
Conclusion
The ability to export private keys from ACM-issued public certificates, combined with the automated renewal and secure key management capabilities, provides a comprehensive solution for managing certificates across diverse environments. This helps customers reduce manual effort, optimize costs, and improve the security of their certificate management practices.