Creating an AWS SSL Certs from Scratch (CLI and PowerShell)

Published:25 October 2024 - 4 min. read

Securing your web applications with SSL/TLS certificates is not just a best practice—it’s a necessity. SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that encrypt data transmitted between a user’s browser and your website. This encryption ensures that sensitive information like passwords, credit card numbers, and personal data remain private and secure.

AWS Certificate Manager (ACM) offers a streamlined way to provision, manage, and deploy SSL/TLS certificates for your AWS-based websites and applications. In this guide, we’ll walk you through the process of creating an SSL certificate using AWS Certificate Manager via the AWS Command Line Interface (CLI), from setting up the necessary permissions to requesting the certificate itself.

Setting Up Permissions

Before we can create a certificate, we need to set up the proper permissions. We’ll do this by creating a new IAM (Identity and Access Management) user with specific permissions for managing certificates.

1. First, authenticate as an admin user:

   aws configure

Enter the provided access key and secret key when prompted.

After running this command, you’ll be asked to input your AWS access key ID, secret access key, default region name, and default output format. This step is crucial because it sets up your AWS CLI with the credentials to perform actions on your AWS account.

The access key ID and secret access key are like a username and password for programmatic access to your AWS account. They should be kept secret and never shared. The region name determines which AWS data center your commands will interact with, and the output format determines how the AWS CLI will display results to you.

2. Create a policy file defining the necessary permissions:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "acm:DescribeCertificate",
           "acm:ListCertificates",
           "acm:GetCertificate",
           "acm:RequestCertificate"
         ],
         "Resource": "*"
       }
     ]
   }

Save this as cert-policy.json.

This JSON file defines an IAM policy. In AWS, policies define permissions – they specify what actions are allowed or denied on what AWS resources are available. Let’s break down this policy:

  • The Version field is a required element that specifies the version of the policy language.
  • The Statement array contains one or more individual statements. Each statement describes a set of permissions.
  • Effect: Allow means that the actions listed are permitted.
  • Action lists the specific API calls that are allowed. We allow four ACM-related actions (AWS Certificate Manager) in this case.
  • Resource: * means this policy applies to all resources. You might want to restrict this to specific certificate ARNs in a production environment for better security.

This policy will allow our new user to describe, list, get, and request certificates, all the actions we need for this tutorial.

Create a new IAM user

aws iam create-user --user-name CertificateManager

This command creates a new IAM user in your AWS account with the name CertificateManager. IAM users are entities you create in AWS to represent the person or application that uses it to interact with AWS. By creating a specific user for certificate management, we’re following the principle of least privilege – giving this user only the permissions it needs to manage certificates rather than full admin access to your AWS account.

Generate access keys for the new user

aws iam create-access-key --user-name CertificateManager --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text > certificate_manager_credentials.txt

This command creates a new access key for the CertificateManager user and saves the key ID and secret to a file named certificate_manager_credentials.txt. Access keys are long-term credentials for an IAM user. They consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).

The access key ID and secret access key are used to make programmatic requests to AWS. These credentials should be kept secure and not shared. In a production environment, you typically use more secure methods to manage them, such as AWS Secrets Manager.

Create and attach the policy

$policy = Get-Content -Raw ~/Downloads/cert-policy.json

$policy_arn = aws iam create-policy --policy-name CertificateManagerPolicy --policy-document $policy --query 'Policy.Arn' --output text

aws iam attach-user-policy --user-name CertificateManager --policy-arn $policy_arn

These commands do three things:

1. Read the contents of the policy file we created earlier.

2. Create a new IAM policy in AWS using the contents of that file. The --query and --output options are used to extract just the ARN (Amazon Resource Name) of the newly created policy.

3. Attach the policy to our CertificateManager user.

By attaching this policy to the user, we’re giving the CertificateManager user permission to perform the actions we defined in the policy (describing, listing, getting, and requesting certificates).

Creating the Certificate

Now that we have the necessary permissions set up, we can create our SSL certificate:

1. Request the certificate:

$certificateArn = $(aws acm request-certificate --domain-name atademos.com --validation-method DNS --region 'us-east-1')

This command requests a new SSL/TLS certificate from AWS Certificate Manager. Let’s break down the options:

  • --domain-name atademos.com: This specifies the domain name for which you’re requesting the certificate. Replace ‘atademos.com’ with your domain name.
  • --validation-method DNS: This tells ACM to use DNS validation to prove you own the domain. ACM will provide a CNAME record to add to your domain’s DNS configuration.
  • --region 'us-east-1': This specifies the AWS region where the certificate will be created. ‘us-east-1’ is the US East (N. Virginia) region.

The command returns the ARN of the newly created certificate, which we’re storing in the $certificateArn variable for later use.

2. Describe the certificate to verify its creation:

aws acm describe-certificate --region 'us-east-1' --certificate-arn ($certificateArn | ConvertFrom-Json).CertificateArn

This command retrieves and displays the details of the certificate we just created. It uses the ARN we stored in the previous step. The ConvertFrom-Json cmdlet is used because the previous command returns a JSON string, which we need to convert to a PowerShell object to access the CertificateArn property.

The output of this command will include details about the certificate, including its status, domain name, and validation method. The certificate will likely be in a ‘PENDING_VALIDATION’ status, as you still need to complete the domain validation process.

Conclusion

Following these steps, you’ve successfully created an SSL certificate using AWS Certificate Manager via the AWS CLI. This process demonstrates the power and flexibility of AWS’s command-line tools for managing cloud resources.

Remember, you’ll need to validate domain ownership after creating the certificate. You’ll need to add a CNAME record to your domain’s DNS configuration for DNS validation. Once validated, you can use the certificate with AWS services like Elastic Load Balancing or Amazon CloudFront to secure your web applications.

Always keep your credentials secure and follow AWS best practices for IAM user management. This includes regularly rotating access keys, using the principle of least privilege when assigning permissions, and monitoring the use of these credentials through AWS CloudTrail.

As you become more comfortable with AWS and the CLI, you might want to explore automating this process further, perhaps using AWS CloudFormation or Terraform to manage your infrastructure as code. This can make creating and managing certificates even more efficient and repeatable.

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!