Easily Register SSL certificates on AWS with Route 53 and AWS Certificate Manager

brianmmdev

Brian Morrison II

Posted on July 28, 2024


AWS Certificate Manager (ACM) is an AWS service that lets developers request TLS/SSL certificates for their domains. Public certificates issued by ACM are free of charge; you pay only for the AWS resources that use them, such as a CloudFront distribution or a load balancer. The process is even easier for domains whose DNS is hosted in Route 53, because ACM can create the DNS validation records directly in the hosted zone for you.

Prerequisites

  • A domain whose DNS is served by a Route 53 public hosted zone. A domain registered through Route 53 gets one automatically.

Process

Navigate your AWS Console to ACM and click "Request a certificate". If the certificate is for a CloudFront distribution, switch the console to US East (N. Virginia), us-east-1, first: CloudFront only accepts ACM certificates issued in that region.

The ACM landing page.

Under Certificate type, select "Request public certificate", then "Next".

The form to request a public or private certificate.

In the following form, set the following:

  • Under "Fully qualified domain name", enter the domain you want the certificate for, for example app.example.com, or *.example.com for a wildcard.
  • Validation method: "DNS validation". With DNS validation, ACM can renew the certificate automatically for as long as the validation record stays in place.
  • Key algorithm: "RSA 2048" (the default; CloudFront also accepts ECDSA P 256 certificates).
  • Select "Request" at the bottom of the form.

The Request Certificate form.

The following certificate details screen will show the details of the certificate being requested. Once the Domains section loads, select "Create records in Route 53".

The certificate details view with a red arrow pointing to

Find your domain from Route 53 and click "Create records". Mine is grayed out since I already validated my domain in AWS.

The view to create validation records for the Route 53 domain.

Once the records are created, wait a few minutes and refresh the certificate details screen. The status should change from "Pending validation" to "Issued", and the certificate is ready to use. Leave the validation CNAME records in the hosted zone: ACM uses them to renew the certificate automatically before it expires, and deleting them will make renewal fail.

This method can be used for a specific subdomain or for a wildcard domain name. Keep in mind that a wildcard such as *.example.com matches exactly one label: it covers app.example.com but neither the bare example.com nor a.b.example.com. To cover the apex as well, add it as an additional name on the same certificate.
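The same request expressed as a CloudFormation template, added here as an example and not taken from the original post. The AWS::CertificateManager::Certificate resource with DomainValidationOptions does what the console steps above do by hand: ACM writes the validation CNAME into the hosted zone, waits for the certificate to be issued, and removes the record again when the stack is deleted. The domain example.com and the parameter names are assumptions; deploy the stack in us-east-1 if the certificate is for CloudFront.

```yaml
# Added example (not the post's own code): request a public ACM certificate
# for an apex domain plus a wildcard, validated through Route 53.
# DomainName default and HostedZoneId value are placeholders (assumed).
AWSTemplateFormatVersion: "2010-09-09"
Description: Public ACM certificate with DNS validation in Route 53

Parameters:
  DomainName:
    Type: String
    Default: example.com
  HostedZoneId:
    # Console picker for the zone; must be the public zone serving DomainName
    Type: AWS::Route53::HostedZone::Id

Resources:
  SiteCertificate:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: !Ref DomainName
      # One certificate for the apex and every one-level subdomain
      SubjectAlternativeNames:
        - !Sub "*.${DomainName}"
      ValidationMethod: DNS
      # Tells ACM which hosted zone to write the validation CNAME into,
      # which is the automated form of "Create records in Route 53"
      DomainValidationOptions:
        - DomainName: !Ref DomainName
          HostedZoneId: !Ref HostedZoneId
        - DomainName: !Sub "*.${DomainName}"
          HostedZoneId: !Ref HostedZoneId
      KeyAlgorithm: RSA_2048

Outputs:
  CertificateArn:
    # Pass this ARN to the stacks that use the certificate
    Value: !Ref SiteCertificate
    Export:
      Name: !Sub "${AWS::StackName}-CertificateArn"
```

Deploy it with, for example, `aws cloudformation deploy --region us-east-1 --stack-name site-cert --template-file cert.yaml --parameter-overrides HostedZoneId=<your zone id>`. Stack creation blocks until ACM reports the certificate as Issued, so a typo in the hosted zone ID shows up as a stack that sits in CREATE_IN_PROGRESS rather than as a silently unvalidated certificate. The exported ARN is what a template like the one further down expects in its certificate parameter.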

How I use this

I recently updated one of my talks to feature branch-based deployments, similar to how Netlify or Vercel works. As part of the update, I registered a domain with Route 53 and a wildcard certificate to ensure that the branch deployments have SSL.

The demo application is deployed via AWS SAM, and the ARN of the wildcard certificate is passed into the template as a parameter. This lets me dynamically register subdomains with Route 53 and use the wildcard certificate that was created manually.

The Name value concatenates the value of EnvironmentParam onto the main domain. So if the parameter is "mycoolsubdomain" it will create a record named "mycoolsubdomain.guardianforge-r53.net".

Resources:
  Subdomain:
    Type: AWS::Route53::RecordSet
    Properties:
      # 👉 The ID of the Route 53 hosted zone for guardianforge-r53.net
      HostedZoneId: Z04847192KADNUAMJT9ZV
      # 👉 The record name to register in Route 53 (EnvironmentParam + the main domain)
      Name: !Join [ "", [!Ref EnvironmentParam, ".guardianforge-r53.net"]]
      # 👉 Record type
      Type: CNAME
      # 👉 TTL in seconds
      TTL: 900
      ResourceRecords:
        # 👉 The value of the record: the domain name of the CloudFront distribution
        - !GetAtt CloudfrontCdn.DomainName

In the CloudFront resource, the same hostname is set as an alias for the distribution (CloudFront only serves a custom hostname that is listed under "Aliases"), and the ARN of the certificate is used under "ViewerCertificate" > "AcmCertificateArn". Because the certificate is a wildcard for the domain, every branch subdomain matches it.

  CloudfrontCdn:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Aliases:
          # 👉 Here is where the subdomain is set as the alias
          - !Join [ "", [!Ref EnvironmentParam, ".guardianforge-r53.net"]]
        DefaultRootObject: index.html
        Origins:
          - Id: !Join ["-", ["S3-GuardianForge", !Ref EnvironmentParam]]
            DomainName: !GetAtt SiteBucket.RegionalDomainName
            OriginPath: "/app"
            S3OriginConfig:
              # Empty: CloudFront reads the bucket anonymously, so the objects must be publicly readable
              OriginAccessIdentity: ''
        DefaultCacheBehavior:
          TargetOriginId: !Join ["-", ["S3-GuardianForge", !Ref EnvironmentParam]]
          # Plain HTTP requests are redirected to HTTPS
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
          AllowedMethods:
            - HEAD
            - GET
          CachedMethods:
            - HEAD
            - GET
        # Single-page app: route S3 403/404 responses back to index.html
        CustomErrorResponses:
          - ErrorCode: 403
            ResponsePagePath: /index.html
            ResponseCode: '200'
            ErrorCachingMinTTL: 10
          - ErrorCode: 404
            ResponsePagePath: /index.html
            ResponseCode: '200'
            ErrorCachingMinTTL: 10
        Comment: !Join ["-", ["GuardianForge", !Ref EnvironmentParam]]
        PriceClass: PriceClass_All
        Enabled: true
        HttpVersion: http2
        ViewerCertificate:
          # 👉 And here is where the CertArnParam is used to use the SSL cert (must be an ACM cert in us-east-1)
          AcmCertificateArn: !Ref CertArnParam
          SslSupportMethod: sni-only
          # Security policy: TLS 1.2 minimum
          MinimumProtocolVersion: TLSv1.2_2019
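A variant of the Subdomain resource from the template above, added here as an example and not the post's own code. It registers the branch hostname as a Route 53 alias A record instead of a CNAME: alias queries to AWS targets are not billed, and an alias, unlike a CNAME, is also allowed at the zone apex. It also moves the hosted zone ID into a parameter and constrains the two other inputs so a bad value fails at deploy time rather than at the first HTTPS request. The parameter names other than EnvironmentParam and CertArnParam, and the patterns, are assumptions; CloudfrontCdn refers to the distribution resource shown in the post's template.

```yaml
# Added example (not from the original post): branch hostname as an alias
# record, with input validation on the stack parameters.
Parameters:
  EnvironmentParam:
    Type: String
    # Exactly one DNS label, so the record always lands directly under the
    # wildcard certificate and cannot be pushed into a different domain
    AllowedPattern: "^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$"
  HostedZoneId:
    # Assumed parameter replacing the hard-coded zone ID in the post
    Type: AWS::Route53::HostedZone::Id
  CertArnParam:
    Type: String
    # CloudFront only accepts ACM certificates issued in us-east-1
    AllowedPattern: "^arn:aws:acm:us-east-1:[0-9]{12}:certificate/[0-9a-f-]+$"

Resources:
  Subdomain:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      # Must match one of the distribution's Aliases, or CloudFront answers 403
      Name: !Sub "${EnvironmentParam}.guardianforge-r53.net"
      Type: A
      AliasTarget:
        DNSName: !GetAtt CloudfrontCdn.DomainName
        # Fixed hosted zone ID that Route 53 uses for every CloudFront distribution
        HostedZoneId: Z2FDTNDATAQYW2
        EvaluateTargetHealth: false
```

The record name, the entry under the distribution's Aliases and a name covered by the certificate all have to agree: a record that resolves to the distribution but is not listed as an alias gets a 403 from CloudFront, and an alias not covered by the certificate makes the deployment fail when the distribution is updated.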

🤗 If you are interested in more content like this and want to support me, consider joining my newsletter!
