Can I pin an application that's running on AWS to a certificate that was issued by AWS Certificate Manager (ACM)?

Last updated: 2019-07-16

If I have an application that's running on AWS, can I pin that application to a certificate that was issued by AWS Certificate Manager (ACM)?

Short Description

AWS doesn't recommend pinning your application to an SSL/TLS certificate issued by ACM. If you pin a certificate, then you provide a browser with an ID for the public key that is used for the website. When a user visits the website, the browser caches the pin and uses it to verify the public key during future visits. The pin information, together with the time to live (TTL) for the pin, is usually included in a header in the HTTP response. If the certificate changes, for example, when the certificate is renewed, then visitors to the website can receive an error because a secure connection to the website can't be established. For more information, see Certificate Pinning.

Resolution

If you must pin an application to a certificate, it's a best practice that you pin to a certificate authority (CA) rather than to an individual certificate. If you pin an application to an Amazon Trust Services CA, be sure to pin the same application to all of the CAs on the Amazon Trust Services table.

Note: You must select all of the CAs that you pin your application to. This is because when you request a certificate, ACM does not specify where the certificate originates from.

To pin a certificate, use one of the following options to be sure that the application can connect to the domain.

Pin your application to an Amazon root certificate

If you pin your application at the root certificate level, then the Managed Renewal for ACM's Amazon-Issued Certificates renews the certificate under the same CA that issued the certificate. The certificate Amazon Resource Name (ARN) remains the same. You can also pin your application to multiple CAs as backup pins. If the certificate expires, you can request a new certificate and apply the certificate to your load balancer to reduce application downtime.  

Import your own certificate into ACM, and then pin your application to the imported certificate

Imported certificates aren't renewed by the ACM-managed renewal process. You must manage the renewal of the certificate and keys. For more information, see Importing Certificates into AWS Certificate Manager.
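
The following added example (not AWS code) is a simplified model of the client-side pin cache described in the short description. It shows why a leaf pin fails after renewal while a pin set covering every CA that might issue the certificate keeps working. The host name, the key byte strings, and the helper names are constructed for illustration; the header syntax follows HTTP Public Key Pinning (RFC 7469).

```python
import base64, hashlib, re

def spki_pin(spki_der: bytes) -> str:
    """Pin = base64(SHA-256(SubjectPublicKeyInfo)), the form used by RFC 7469."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pins(header: str):
    """Return (set of pins, max-age in seconds) from a Public-Key-Pins header value."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    age = re.search(r'max-age=(\d+)', header)
    return pins, int(age.group(1)) if age else 0

class PinCache:
    """Models the client: cache pins per host and enforce them until the TTL expires."""
    def __init__(self):
        self.hosts = {}

    def note(self, host, header, now):
        pins, ttl = parse_pins(header)
        self.hosts[host] = (pins, now + ttl)

    def allows(self, host, chain_spkis, now):
        pins, expires = self.hosts.get(host, (set(), 0))
        if now >= expires:  # no pin cached, or the pin's TTL has passed
            return True
        # Accept the connection if ANY key in the served chain matches a cached pin.
        return any(spki_pin(k) in pins for k in chain_spkis)

def header_for(keys, max_age=86400):
    return "; ".join(f'pin-sha256="{spki_pin(k)}"' for k in keys) + f"; max-age={max_age}"

# Constructed stand-ins for DER-encoded public keys (not real certificates).
LEAF_OLD, LEAF_NEW = b"leaf-key-before-renewal", b"leaf-key-after-renewal"
CA_1, CA_2 = b"example-root-ca-1", b"example-root-ca-2"

def scenario(pinned_keys, renewed_chain, now=3600):
    """First visit at t=0 caches the pins; a later visit at `now` presents renewed_chain."""
    cache = PinCache()
    cache.note("app.example.com", header_for(pinned_keys), now=0)
    return cache.allows("app.example.com", renewed_chain, now)

if __name__ == "__main__":
    print("leaf pinned, leaf renewed:  ", scenario([LEAF_OLD], [LEAF_NEW, CA_1]))
    print("CA pinned, leaf renewed:    ", scenario([CA_1], [LEAF_NEW, CA_1]))
    print("one CA pinned, other issues:", scenario([CA_1], [LEAF_NEW, CA_2]))
    print("all CAs pinned:             ", scenario([CA_1, CA_2], [LEAF_NEW, CA_2]))
    print("leaf pinned, TTL expired:   ", scenario([LEAF_OLD], [LEAF_NEW, CA_1], now=90000))
```

The third case is the reason to pin every CA in the set: a client that pinned only one CA is locked out when the certificate is issued under another.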

