Cornell University

AWS Certificate Manager

Amazon Web Services (AWS) offers no-cost TLS certificates through the Amazon Web Services Certificate Manager (ACM) service. The CIT Cloudification team can assist Cornell AWS customers in using certificates in the context of various AWS services.

Certificates issued through ACM can be used only in conjunction with AWS services such as Application Load Balancers and CloudFront. ACM does not provide certificate files for direct use on servers (for example, by Apache). If you need actual certificate files for your servers, see SSL Server Certificate.

The AWS Certificate Manager service offers:

  • Single domain certificate
  • Multi-domain: Secures up to 10 different domain names on a single certificate. This default limit can be adjusted to support up to 100 names.
  • Wildcard domain: Secures the domain and unlimited sub-domains of that domain (example: *.department.cornell.edu).

All ACM certificates are valid for 13 months, and are automatically renewed by AWS if certain criteria are met. ACM certificates can be integrated into many AWS services.
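Because managed renewal depends on conditions the certificate owner controls, it is worth checking certificate metadata rather than assuming renewal will happen. The following is an added example, not code from Cornell IT or from AWS: it inspects the `Certificate` object that `aws acm describe-certificate` returns (fields such as `Type`, `Status`, `RenewalEligibility`, `DomainValidationOptions`, `InUseBy` and `NotAfter`) and lists conditions that block or complicate automatic renewal. The sample records, the `example.edu` names, the load balancer ARN and the 60-day warning threshold are all constructed assumptions for the demonstration.

```python
"""Readiness check for ACM certificate metadata (added example, offline)."""
from datetime import datetime, timezone

# Assumed reporting threshold: warn when fewer than this many days remain.
EXPIRY_WARNING_DAYS = 60


def _as_datetime(value) -> datetime:
    """NotAfter is a datetime from boto3 but an ISO string in CLI JSON; accept both."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(str(value).replace("Z", "+00:00"))


def check_certificate(cert: dict, now: datetime) -> list:
    """Return findings for one Certificate record; an empty list means nothing to act on."""
    name = cert.get("DomainName", "<unknown>")
    findings = []

    # Only Amazon-issued certificates are candidates for ACM managed renewal.
    if cert.get("Type") != "AMAZON_ISSUED":
        findings.append(f"{name}: Type is {cert.get('Type')}; ACM renews only AMAZON_ISSUED certificates")

    if cert.get("Status") != "ISSUED":
        findings.append(f"{name}: Status is {cert.get('Status')}, not ISSUED")

    # ACM reports its own verdict on renewability; anything but ELIGIBLE needs attention.
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        findings.append(f"{name}: RenewalEligibility is {cert.get('RenewalEligibility')}")

    # Every name on the certificate (primary name and SANs) has its own validation record.
    for opt in cert.get("DomainValidationOptions", []):
        dn, method, status = opt.get("DomainName"), opt.get("ValidationMethod"), opt.get("ValidationStatus")
        if status != "SUCCESS":
            findings.append(f"{name}: validation of {dn} via {method} is {status}")
        elif method == "EMAIL":
            findings.append(f"{name}: {dn} is EMAIL-validated; renewal may need a reply from the domain contacts")

    # A certificate no AWS resource uses is easy to forget and easy to lose track of.
    if not cert.get("InUseBy"):
        findings.append(f"{name}: not in use by any AWS resource (InUseBy is empty)")

    if "NotAfter" in cert:
        days_left = (_as_datetime(cert["NotAfter"]) - now).days
        if days_left < EXPIRY_WARNING_DAYS:
            findings.append(f"{name}: expires in {days_left} days")

    return findings


def check_all(certs: list, now: datetime) -> dict:
    """Map each certificate's DomainName to its findings."""
    return {c["DomainName"]: check_certificate(c, now) for c in certs}


# Fixed clock so the constructed sample gives reproducible results.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample records in the shape of describe-certificate output (not real certificates).
SAMPLE_CERTIFICATES = [
    {
        "DomainName": "app.example.edu",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "RenewalEligibility": "ELIGIBLE",
        "DomainValidationOptions": [
            {"DomainName": "app.example.edu", "ValidationMethod": "DNS", "ValidationStatus": "SUCCESS"}
        ],
        "InUseBy": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/example/abc"],
        "NotAfter": "2025-07-01T00:00:00Z",
    },
    {
        "DomainName": "legacy.example.edu",
        "Type": "AMAZON_ISSUED",
        "Status": "ISSUED",
        "RenewalEligibility": "INELIGIBLE",
        "DomainValidationOptions": [
            {"DomainName": "legacy.example.edu", "ValidationMethod": "EMAIL", "ValidationStatus": "SUCCESS"}
        ],
        "InUseBy": [],
        "NotAfter": "2025-01-20T00:00:00Z",
    },
]

if __name__ == "__main__":
    for domain, findings in check_all(SAMPLE_CERTIFICATES, NOW).items():
        print(f"{domain}: {'OK' if not findings else 'needs attention'}")
        for finding in findings:
            print("  -", finding)
```

To run this against a real account, feed the `Certificate` object from `aws acm describe-certificate --certificate-arn <arn>` (or from boto3's `describe_certificate`) to `check_certificate` in place of the constructed sample; the DNS-validated, in-use, `ELIGIBLE` record is the state you want every production certificate to be in.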

While people use the term “SSL certificate,” they usually really mean “TLS certificate.” The SSL protocol versions are no longer used because of known vulnerabilities; TLS is the replacement protocol for SSL, and the certificates themselves are the same X.509 certificates in either case.

Benefits of TLS Certificates

  • User privacy and data integrity: data is encrypted as it moves over the network. It cannot be easily intercepted or altered.
  • Strong assurance of server authenticity: the certificate is signed by Amazon's certificate authority, which is one of a limited number of certificate authorities automatically trusted by major browsers.

Many major Internet sites have transitioned to using communication secured by certificates for all their pages. At minimum, you should use a certificate in any of the following cases:

  • Services that require users to authenticate.
  • Services that display or ask the user to provide any of the following types of data:
    • Protected by federal or state legislation (for example: medical histories, personal financial data, student visa status, social security numbers)
    • Sensitive or confidential (for example: University budgets, physical security infrastructure documents, vendor contracts)
  • When the ability to confirm the authenticity of the server is a requirement. For example, in a limited development environment a self-signed certificate may be acceptable. The corresponding production service, however, may require the assurance of a certificate signed by a globally-recognized certificate authority.

Note: If you are using an AWS service that doesn't support ACM certificates or need a different type of certificate, you may be able to use the InCommon Digital Certificate service. For more information, see SSL Server Certificate.

Support Contact:

Cornell IT Service Desk

Normal Business Hours: Monday-Friday, 8am-6pm (Eastern Time)
Emergency Service Disruptions: After Hours Support
