If I have an application that is running on AWS, can I pin that application to a certificate that was issued by AWS Certificate Manager (ACM)?

AWS does not recommend pinning your application to an SSL/TLS certificate. For more information about certificate pinning, see Certificate Pinning. If you pin a certificate, you provide a browser with an ID, or "pin," for the public key that is used for the website. If a user visits the website, the pin is cached by the browser, and that pin is then used to verify the public key during future visits. The pin information is usually included in the header in the HTTP response, and the pin information includes the time to live (TTL) for the pin. If the certificate changes, for example, when the certificate is renewed, that change might cause visitors to the website to receive an error, because a secure connection to the website can't be established.

If you must pin a certificate, we recommend that you pin to a certificate authority (CA) rather than to an individual certificate. If you pin a certificate to an Amazon Trust Services CA, be sure to pin to all CAs on the Amazon Trust Services table. If you pin a certificate, use one of the following options to be sure that the application can connect to the domain:

Pin your application to an Amazon root certificate

If you pin your application at the root certificate level, the Managed Renewal for ACM's Amazon-Issued Certificates renews the certificate under the same CA that issued the certificate, and the certificate Amazon Resource Name (ARN) remains the same. You can also pin your application to multiple CAs as backup pins, so if the certificate expires, you can request a new certificate and apply the certificate to your load balancer to reduce application downtime. For information about root certificates, certificate revocation list (CRL), Online Certificate Status Protocol (OCSP) responses, and other updates, see Amazon Trust Services.

Import your own certificate into ACM and pin your application to the imported certificate

Imported certificates are not renewed by the ACM-managed renewal process. You must manage the renewal of the certificate and keys. For more information, see Importing Certificates into AWS Certificate Manager.
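The CA-level pinning with backup pins described under the first option, as an added example that is not part of this Knowledge Center article and not an AWS tool: a pure-Python check that extracts the SubjectPublicKeyInfo from a DER certificate, hashes it into an HPKP-style pin, and accepts a chain only when some certificate in it carries a pinned key. The certificates and keys below are constructed placeholders, not Amazon Trust Services certificates.

```python
import base64
import hashlib

def _tlv(data: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der_cert(cert: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, pos)             # tbsCertificate SEQUENCE
    if cert[pos] == 0xA0:                   # optional [0] EXPLICIT version
        _, _, pos = _tlv(cert, pos)
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    _, _, end = _tlv(cert, pos)             # subjectPublicKeyInfo SEQUENCE
    return cert[pos:end]

def spki_pin(cert: bytes) -> str:
    """Pin in the HPKP form: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_der_cert(cert)).digest()).decode()

def chain_matches_pins(chain: list, pinned: set) -> bool:
    """CA-level pinning on an already TLS-validated chain: pass if ANY cert carries a pinned SPKI."""
    return any(spki_pin(c) in pinned for c in chain)

# --- constructed test data (placeholder bytes, not real certificates or keys) ---
def der_encode(tag: int, body: bytes) -> bytes:
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def constructed_cert(spki_body: bytes) -> bytes:
    """DER skeleton with the field order of a real TBSCertificate, other fields left empty."""
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + der_encode(0x30, b"") * 4 + der_encode(0x30, spki_body))
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

ROOT_A = constructed_cert(b"placeholder key of CA root A")
ROOT_B = constructed_cert(b"placeholder key of CA root B")        # backup pin
OTHER_CA = constructed_cert(b"placeholder key of an unpinned CA")
LEAF = constructed_cert(b"placeholder key of a renewed leaf")     # leaf key may change freely
PINNED = {spki_pin(ROOT_A), spki_pin(ROOT_B)}  # computed out of band from the trusted CA certs

if __name__ == "__main__":
    print(chain_matches_pins([LEAF, ROOT_A], PINNED))    # True
    print(chain_matches_pins([LEAF, OTHER_CA], PINNED))  # False
```

Because the pin set names the CA keys rather than the leaf key, a renewed leaf issued under the same CA keeps passing, and the backup pin covers a move to the second root.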

Published: 2018-05-29