Developers with apps on Amazon Web Services (AWS) can now obtain their digital certificates directly from its own certificate authority (CA), Amazon Trust Services (ATS). And they’re free.
The new digital certificate service, AWS Certificate Manager, announced by AWS today, will offer developers free Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates straight from Amazon’s CA, ATS.
Obtaining those certificates is the first step to enabling an encrypted “HTTPS” connection between a server and client, such as a browser, which offer site visitors a little more protection from prying eyes.
Besides free certificates, AWS is promising to take the headache out of certificate provisioning, deployment and renewals. The catch is that those sites or applications must use AWS Elastic Load Balancing or its content delivery network, Amazon CloudFront.
AWS is just the latest to offer free digital certificates though its dominance in hosting apps and websites on its cloud means it’s likely to have a big impact.
Let’s Encrypt, another free digital certificate service backed by Mozilla and Facebook, offers a similar features to AWS but is available to all developers, not just those using AWS. CDN provider CloudFlare also offers free SSL certificates.
The service is likely to be attractive to developers on AWS. As Amazon notes, using its free certificates will offer developers’ apps or websites higher search rankings. Though it doesn’t mention Google specifically, the search provider now uses HTTPS as a positive signal in its search indexing.
Amazon’s FAQ for the service clarifies it currently does not offer Extended Validation certificates, which are usually the more expensive certificate due to a CA validating a site’s identity that triggers the green field behind a company’s name (as opposed to just the URL) in a browser’s address bar.
AWS also will not provide code-signing or email encryption certificates and does not provide them for anything but websites.
The ACM certificates themselves use RSA keys with a 2048-bit modulus and SHA-256, though they do not use elliptic curve digital signature algorithm (ECDSA) keys. CloudFlare’s SLL certificates by contrast does ECDSA keys, which ensures sites have Perfect Forward Secrecy — a feature that protects encrypted messages even if private SSL keys are compromised. EFF strongly urged PFS in the wake of 2014’s widespread Heartbleed bug.
Amazon’s CA plans have been in the making for some time. AWS applied to Mozilla and the Android Open Source Project to become a root CA last June.
According to Amazon, ACM will issue digital certificates once it’s validated that the applicant controls the domain names in the certificate request. That request remains in a “pending” status until the domain owner responds to an email Amazon sends to the registered domain owner for each domain.
Participate in CSO and Gigamon's survey on Security Priorities today!
Go into the draw for a chance to win an Apple iWatch Sports or the equivalent of $500 Visa Cashcard.
For full terms and conditions click here.