These days, it’s challenging to imagine systems that have public API endpoints without TLS certificate protection. There are several ways to issue certificates:
- Paid wildcard certificates that can be bought from any big TLS provider
- Paid root certificates that sign all downstream certificates issued by a corporate PKI
- Free certificates issued by providers such as Let's Encrypt or AWS Certificate Manager
- Self-signed certificates, issued by OpenSSL or another tool
In this post I will mainly discuss free certificates that can be used inside AWS, though not only by AWS services. If you exclusively use managed AWS services and have no strict security requirements, using anything other than AWS Certificate Manager makes little sense: it issues certificates quickly and conveniently via DNS or HTTP challenges.

You run into basic AWS limitations, however, as soon as you need those certificates outside of AWS services (API Gateway, ALB, NLB, etc.), for example on an EC2 instance running Nginx that needs an actual certificate file on disk. AWS Certificate Manager also does not display the certificate content, even if you request it.