Q: Can I use certificates on Amazon EC2 instances or on my own servers?
No. At this time, certificates provided by ACM can only be used with specific AWS services.
Q: With which AWS services can I use certificates provided by ACM?
You can use ACM with the following AWS services:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• Amazon API Gateway
• AWS CloudFormation
https://aws.amazon.com/certificate-manager/faqs/
The certificates created by Amazon Certificate Manager (ACM) have corresponding private keys that are stored securely within the AWS infrastructure and are not accessible to you... which means you can't deploy these certs directly on systems you have direct access to, like EC2 servers.
You can only use them on services front-ended by Elastic Load Balancer, CloudFront, or both. As CloudFront, unlike ELB, has no monthly baseline cost, it seems like this would be a usable alternative for you, since cost is usually the motivation for not using ELB.
In my case the files and permissions were not the issue. I was trying to restart the server with apachectl restart or test the config (apachectl -t or apachectl configtest). The user running the command (me) simply didn't have the proper permissions to access the certificates. I just had to prefix the commands with sudo to run them as root! No more errors, the config test returns "Syntax OK" and I can restart the server. (OK I'm a bit embarrassed it took me so long to figure that one out...)
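The answer above hits the expected state of a web server's key material: the private key is root-owned and unreadable to other accounts, so a configtest run from an ordinary shell fails to open it. The following is an added example, not code from the post, that checks the same two things an operator wants to know before blaming Apache: can the current account read the cert and key at all, and is the key more permissive than it should be. It assumes a POSIX host; the file contents and paths in demo() are constructed placeholders, not real PEM.

```python
import os
import stat
import tempfile


def check_cert_access(cert_path, key_path):
    """Report who can read a certificate/key pair and flag an over-permissive key.

    Returns a plain dict so the caller (a deploy script, a monitoring check)
    decides what to do with the findings.
    """
    report = {}
    for label, path in (("cert", cert_path), ("key", key_path)):
        st = os.stat(path)
        report[f"{label}_mode"] = stat.S_IMODE(st.st_mode)
        report[f"{label}_owner_uid"] = st.st_uid
        # os.access answers for the *current* process, which is the same
        # question `apachectl -t` asks when it opens the files from your shell.
        report[f"{label}_readable_by_me"] = os.access(path, os.R_OK)

    # A private key readable by group or others is a misconfiguration. The
    # normal state (root-owned, 0600) is exactly why a non-root configtest
    # fails with a permissions error rather than a syntax error.
    key_mode = report["key_mode"]
    report["key_world_readable"] = bool(key_mode & (stat.S_IRGRP | stat.S_IROTH))
    report["running_as_root"] = os.geteuid() == 0
    return report


def demo():
    """Build constructed cert/key files in a temp dir and run the check twice:
    once with a correctly locked-down key, once with a deliberately loose one."""
    d = tempfile.mkdtemp()
    cert = os.path.join(d, "server.crt")  # constructed path
    key = os.path.join(d, "server.key")   # constructed path
    for p in (cert, key):
        with open(p, "w") as f:
            f.write("-----BEGIN PLACEHOLDER-----\n")  # constructed, not real PEM
    os.chmod(cert, 0o644)  # public certificate: world-readable is fine
    os.chmod(key, 0o600)   # private key: owner only
    good = check_cert_access(cert, key)

    os.chmod(key, 0o644)   # deliberately over-permissive key for contrast
    bad = check_cert_access(cert, key)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("locked-down key:", good)
    print("loose key:      ", bad)
```

Run it as the same account you use for apachectl: if key_readable_by_me is False while key_world_readable is also False, the files are correct and the fix is to run the command as root, exactly as the post concludes; if key_world_readable is True, tighten the mode instead of loosening anything else.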
Best Answer
Certificate lifespan
Security
Shorter lifespan is better, simply because revocation is mostly theoretical: in practice it cannot be relied on (a big weakness in the public PKI ecosystem).
Management
Without automation: Longer lifespan is more convenient. LE may not be feasible if you, for whatever reason, cannot automate the certificate management.
With automation: Lifespan doesn't matter.
End-user impression
End-users are unlikely to have any idea one way or another.
Level of verification
Security
Let's Encrypt provides DV level of verification only.
Buying a cert, you get whatever you pay for (starting at DV, with the same level of assertion as with LE).
DV = only domain name control is verified.
OV = owner entity (organization) information is verified in addition.
EV = more thorough version of OV, which has traditionally been awarded with the "green bar" (but the "green bar" appears to be going away soon).
Management
When using LE, the work you put in is setting up the necessary automation (in this context, to prove domain control). How much work that is will depend on your environment.
When buying a cert, the DV/OV/EV level will define how much manual work will be required to get the cert. For DV it typically boils down to going through a wizard, paying, and copy/pasting something or clicking something; for OV and EV you can pretty much count on needing to be contacted separately to do additional steps to confirm your identity.
End-user impression
End-users probably recognize the current EV "green bar" (which is going away), other than that they don't tend to actually look at the certificate contents.
Theoretically, though, it is clearly more helpful to have a certificate that states information about the controlling entity. But browsers (or other client applications) need to start actually showing this in a useful way before that has any effect for the typical user.
Installation
Security
It is possible to do things incorrectly in ways that expose private keys or similar. With LE, the provided tooling is set up around reasonable practices.
With a person who knows what they are doing, manual steps can obviously also be done securely.
Management
LE is very much intended to have all processes automated, their service is entirely API-based and the short lifespan also reflects how everything is centered around automation.
When buying a cert, even with a CA that provides APIs to regular customers (not really the norm at this point), it will be difficult to properly automate anything other than DV, and with DV you are paying for essentially the same thing that LE provides.
If you are going for OV or EV levels, you can probably only partially automate the process.
End-user impression
If the installation is done correctly, the end-user will obviously not know how it was done. The chances of messing things up (e.g., forgetting to renew or doing the installation incorrectly when renewing) are less with an automated process.
Overall
Traditional means of buying certs are particularly useful if you desire OV/EV certs, are not automating certificate management or want certs used in some other context than HTTPS.
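The answer above says the work with Let's Encrypt is "setting up the necessary automation (in this context, to prove domain control)" and that the short lifespan only matters if renewal is not automated. The following added example (not code from the answer or from any ACME client) shows the two pieces of that automation in stdlib Python: the RFC 7638 account-key thumbprint and key authorization that an http-01 challenge serves back to the CA, a minimal responder for the /.well-known/acme-challenge/ path, and a renewal-window check of the kind a cron job runs so that "forgetting to renew" cannot happen. SAMPLE_JWK is a constructed key (a real RSA modulus is far longer); the token value is constructed as well.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required public members, in lexicographic
    order, serialised without whitespace, then SHA-256 and base64url.
    Extra members such as "alg" or "kid" are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """The string the CA expects to fetch for an http-01 challenge:
    the challenge token joined to the account key thumbprint by a dot."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_responder(pending: dict):
    """Return a tiny request handler mapping a URL path to (status, body).
    `pending` maps challenge token -> key authorization. Anything outside the
    challenge prefix, or a token we have not staged, gets 404."""
    prefix = "/.well-known/acme-challenge/"

    def handle(path: str):
        if not path.startswith(prefix):
            return 404, ""
        token = path[len(prefix):]
        if "/" in token or token not in pending:
            return 404, ""
        return 200, pending[token]

    return handle


def needs_renewal(not_after: datetime, now: datetime, renew_days_before: int = 30) -> bool:
    """Renew well before expiry (30 days is a common choice for 90-day certs)
    so a few failed attempts still leave a valid certificate in place."""
    return now >= not_after - timedelta(days=renew_days_before)


# Constructed sample account key: shape is correct, values are not a real key.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": b64url(bytes(range(32))),  # constructed modulus bytes
    "alg": "RS256",                 # present on real keys, ignored by the thumbprint
}


if __name__ == "__main__":
    token = "constructed-token-value"
    auth = key_authorization(token, SAMPLE_JWK)
    handle = http01_responder({token: auth})
    print(handle(f"/.well-known/acme-challenge/{token}"))
    print(handle("/.well-known/acme-challenge/unknown"))
    print(needs_renewal(datetime.now(timezone.utc) + timedelta(days=10),
                        datetime.now(timezone.utc)))
```

The responder only ever serves values you staged for tokens the CA issued to you, and the thumbprint is derived from the public half of the account key, so nothing secret is published; the private account key is used separately to sign the ACME requests themselves.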