Bring your own SSL certificate to AWS Amplify Hosting

Introduction

Today, we’re excited to announce the general availability of Custom SSL Certificates on AWS Amplify Hosting. This feature lets you configure your Amplify domain to use your own SSL/TLS certificate from AWS Certificate Manager (ACM) instead of the certificate Amplify provisions for you.

Amplify manages SSL/TLS certificates on your behalf to securely serve traffic to your domain over HTTPS, whether your app has 100 or 100,000 users. While our managed SSL certificates fit most of our customers’ use cases, some customers have requested the ability to associate their own certificates with their domains. The Custom SSL Certificates feature enables, but is not limited to, the following use cases on your Amplify domains:

  • Using certificates issued by a third-party certificate authority (CA)
  • Choosing the certificate’s public key algorithm and key size (ACM offers RSA and ECDSA keys) to meet your organization’s security requirements
  • Sharing a certificate across multiple fully qualified domain names (FQDNs), such as www.example.com and www.example.net

Walkthrough

This blog post shows you how to request or import an ACM certificate and associate it with your Amplify domain, so that you can meet your IT compliance needs.

Prerequisites

Before starting this tutorial, you will need to take the following steps:

  1. Deploy a web app on Amplify. For more information on building, deploying, and hosting a web app, refer to the AWS Amplify Hosting User Guide.
  2. Have a custom domain. We recommend using a domain created with Amazon Route 53 to streamline the process of verifying ownership.
  3. Associate your custom domain with your Amplify app. Learn how to set up custom domains with Amplify Hosting.

Provision an ACM certificate in us-east-1

There are two options to provision an ACM certificate for use with Amplify:

  • Request a new certificate in ACM
  • Import an existing certificate from a third-party certificate authority

You must provision the certificate in the US East (N. Virginia) Region (us-east-1). Amplify Hosting serves your domain through Amazon CloudFront, and CloudFront only uses ACM certificates from us-east-1; a certificate in any other Region will not appear in the Amplify console. For more information, refer to the Amazon CloudFront Developer Guide.

Request a new certificate

Visit the us-east-1 ACM console and choose Request a certificate.

The AWS Certificate Manager homepage. There is an orange "Request a certificate" button in the right column.

Select Request a public certificate and choose Next. Note that private certificates are not supported on Amplify domains.

Under Fully qualified domain name, enter both your root domain name (such as example.com) and the wildcard subdomain name (such as *.example.com). The wildcard subdomain name is required for the certificate to work with any subdomains that you configure on your Amplify domain.

The AWS Certificate Manager "Request public certificate" page. Under "Fully qualified domain name", there are two domains entered: olileung.people.aws.dev, and *.olileung.people.aws.dev.

Enter your desired settings for Validation method, Key algorithm, and Tags, then choose Request. DNS validation is recommended: as long as the validation CNAME record stays in your DNS, ACM renews the public certificate automatically before it expires, so the certificate on your Amplify domain never lapses.

The AWS Certificate Manager "Request public certificate" page. "Validation method" is set to "DNS validation", and "Key algorithm" is set to "RSA 2048".

Your ACM certificate is now provisioned. Choose View certificate in the banner to see the next steps to verify domain ownership.

Route 53

If your custom domain was created in Route 53 in the same AWS account, choose Create records in Route 53.

Choose Create records. This will create CNAME records in your custom domain’s Route 53 hosted zone so that ACM can verify that you own the domain.

The AWS Certificate Manager "Create DNS records in Amazon Route 53" page. The two DNS records in the previous image are listed here, and there is a "Create records" button on the bottom right.

If your domain was created with a third-party domain registrar and not Route 53, you will need to manually add these CNAME records. For more information, refer to your domain registrar’s documentation.

After a few moments, you will see that the certificate was issued and that domain verification was successful.

Import an existing certificate

If you already have a certificate issued by a third-party CA, choose Import a certificate. Your third-party certificate must specify both your root domain name (such as example.com) and the wildcard subdomain name (such as *.example.com). The wildcard subdomain name is required for the certificate to work with any subdomains that you configure on your Amplify domain.

Enter the Certificate body, Certificate private key, and Certificate chain (if applicable), then choose Next. You may add tags at this step as well. All three must be PEM-encoded, and the private key must be unencrypted; ACM rejects passphrase-protected keys, so export the key without a passphrase before importing it.

The AWS Certificate Manager "Input certificate details" page. There are input fields to enter a certificate's PEM-encoded body, private key, and chain.

Choose Import.

Your imported certificate is now provisioned in ACM.

Use the ACM certificate with your Amplify domain

On the Amplify Domain management page, find your custom domain and choose Manage domain.

The AWS Amplify Hosting “Domain management” page. There is a “Manage domain” button in the top right of the olileung.people.aws.dev custom domain box.

Under Choose your certificate, select Custom SSL certificate and select your certificate in the dropdown menu, then choose Update. Make sure that the certificate ID corresponds to the certificate that you provisioned in ACM for this tutorial.

The AWS Amplify Hosting “Domain management” page. Towards the bottom, there is a “Choose your certificate” section. The “Custom SSL certificate” radio button is selected, and a dropdown menu is populated with the aforementioned SSL certificate from AWS Certificate Manager.

Amplify will begin the process of associating your ACM certificate with your domain, and will display the status of the association.
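The console steps above, as an added example that is not code from the original post or from AWS: a bash script that runs the checks ACM and Amplify will enforce on a certificate you are about to import (unencrypted key, key matches certificate, SANs cover both the apex and the wildcard, not about to expire) against constructed self-signed test material, and wraps the equivalent AWS CLI calls for requesting, importing, and attaching the certificate. It requires openssl; the aws functions additionally need configured credentials and run only when invoked. The `--certificate-settings` shape in `amplify_attach` is an assumption about the Amplify UpdateDomainAssociation API and should be confirmed against your CLI’s help output.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post or from AWS: pre-flight checks
# for a certificate you are about to import into ACM for an Amplify domain, plus
# CLI equivalents of the console steps. Needs openssl; the aws calls run only
# when their functions are invoked.
set -euo pipefail

# Verify a PEM certificate/key pair against what ACM import and Amplify require:
# unencrypted key, key matches the certificate, SANs cover both the apex and the
# wildcard, and the certificate is not about to expire. Returns 0 only if all pass.
# Usage: acm_preflight cert.pem key.pem example.com
acm_preflight() {
  local cert="$1" key="$2" domain="$3" ok=0 cert_pub key_pub sans name
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "FAIL: $cert is not a PEM-encoded X.509 certificate" >&2; return 1
  fi
  # ACM rejects encrypted private keys (PKCS#8 "ENCRYPTED PRIVATE KEY" or Proc-Type: 4,ENCRYPTED)
  if grep -q 'ENCRYPTED' "$key"; then
    echo "FAIL: private key is encrypted; export it unencrypted before importing" >&2; ok=1
  fi
  # The key must belong to the certificate: compare the SubjectPublicKeyInfo each carries.
  # -passin stops openssl from prompting on a terminal if the key is encrypted after all.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256 || true)
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass:unused 2>/dev/null | openssl sha256 || true)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the certificate's public key" >&2; ok=1
  fi
  # Amplify needs both the apex and the wildcard in the SAN list
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' ' | tr ',' '\n' || true)
  for name in "DNS:$domain" "DNS:*.$domain"; do
    if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
      echo "FAIL: certificate SAN list lacks $name" >&2; ok=1
    fi
  done
  # ACM does not renew imported certificates: flag anything expiring within 30 days
  if ! openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null 2>&1; then
    echo "FAIL: certificate expires within 30 days; renew it before importing" >&2; ok=1
  fi
  return "$ok"
}

# Console step "Request a new certificate" as a CLI call. us-east-1 is mandatory
# because Amplify fronts the domain with CloudFront, which only reads ACM
# certificates from that Region. Prints the new certificate's ARN.
acm_request() {
  local domain="$1"
  aws acm request-certificate --region us-east-1 \
    --domain-name "$domain" --subject-alternative-names "*.$domain" \
    --validation-method DNS --query CertificateArn --output text
}

# Console step "Import an existing certificate" as a CLI call, gated on the checks
# above. The chain argument is optional (a self-signed test certificate has none).
acm_import() {
  local cert="$1" key="$2" domain="$3" chain="${4:-}"
  acm_preflight "$cert" "$key" "$domain"
  local args=(--certificate "fileb://$cert" --private-key "fileb://$key")
  if [ -n "$chain" ]; then args+=(--certificate-chain "fileb://$chain"); fi
  aws acm import-certificate --region us-east-1 "${args[@]}" \
    --query CertificateArn --output text
}

# Console step "Use the ACM certificate with your Amplify domain". ASSUMPTION: the
# parameter shape below is my reading of the Amplify UpdateDomainAssociation API
# (certificateSettings with type CUSTOM and customCertificateArn); confirm it with
# `aws amplify update-domain-association help` for your CLI version.
amplify_attach() {
  local app_id="$1" domain="$2" cert_arn="$3"
  aws amplify update-domain-association --app-id "$app_id" --domain-name "$domain" \
    --certificate-settings "type=CUSTOM,customCertificateArn=$cert_arn"
}

# Constructed sample material (self-signed, for exercising the checks only): one
# pair with the SANs Amplify needs and one that lacks the wildcard.
make_test_material() {
  local dir="$1" domain="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain,DNS:*.$domain" \
    -keyout "$dir/good.key" -out "$dir/good.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$domain" \
    -addext "subjectAltName=DNS:$domain" \
    -keyout "$dir/nowild.key" -out "$dir/nowild.pem" 2>/dev/null
}

# e.g.: ./acm_preflight.sh check cert.pem key.pem example.com
if [ "${1:-}" = "check" ]; then
  acm_preflight "$2" "$3" "$4"
fi
```

Run the preflight against the real certificate and key you received from your CA before touching ACM; each failing check is printed, and the exit status is non-zero if any fails, so it slots into a CI job or a pre-import script. The same SAN and expiry checks are worth running periodically against an imported certificate, since ACM will not renew it for you.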

Cleanup

Use an Amplify-managed certificate with your Amplify domain

You may decide to switch back to using an Amplify-managed certificate instead of a custom SSL certificate. On the Amplify Domain management page, find your custom domain and choose Manage domain.

The AWS Amplify Hosting “Domain management” page. There is a “Manage domain” button in the top right of the olileung.people.aws.dev custom domain box.

Under Choose your certificate, select Amplify managed certificate, then choose Update.

The AWS Amplify Hosting “Domain management” page. Towards the bottom, there is a “Choose your certificate” section. The “Amplify managed certificate” radio button is selected.

Amplify will begin the process of replacing your ACM certificate with an Amplify-managed certificate on your domain, and will display the status of the update.

Delete your ACM certificate

You may optionally delete your ACM certificate. On the ACM page for your certificate, ensure that the certificate is not in use, then choose Delete.

The AWS Certificate Manager page for the aforementioned certificate. In the “Details” box, “In use” is set to “No”. There is a “Delete” button in the top right.

In the popup, type “delete” and choose Delete. Your certificate will now be deleted from ACM.

Conclusion

In this blog post, we showed you how to request or import an ACM certificate and associate it with your Amplify domain. This allows you to have greater control over your domain and IT compliance needs.

If you imported a certificate from a third-party certificate provider, remember that ACM does not renew imported certificates: you will need to obtain a renewed certificate and reimport it before the current one expires, or your domain will start serving an expired certificate. For more information, refer to the ACM User Guide on reimporting certificates.

The certificate that you associated to your Amplify domain will secure any of its subdomains. For more information, refer to the Amplify Hosting User Guide on managing subdomains.

Lastly, deploy your Next.js, Nuxt, React, Angular, Vue, or other frontend app in the Amplify Console, and join our community Discord to let us know what you think!

About the Authors:

Oliver Leung, Software Development Engineer, Amplify Hosting

Oliver Leung is a Software Development Engineer (SDE) at AWS Amplify Hosting. Oliver builds features that make it easier for customers to host front-end web applications backed by the reliability and convenience of AWS. In his free time, he enjoys playing the alto saxophone for the Amazon Jazz Band, and playing taiko (Japanese drums) with Inochi Taiko.

Matt Auerbach, Senior Product Manager, Amplify Hosting

Matt Auerbach is a NYC-based Product Manager on the AWS Amplify Team. He educates developers regarding products and offerings, and acts as the primary point of contact for assistance and feedback. Matt is a mild-mannered programmer who enjoys using technology to solve problems and making people’s lives easier. By night, however…well he does pretty much the same thing. You can find Matt on Twitter @mauerbac. He previously worked in Developer Relations at Twitch, Optimizely & Twilio.