Tags: amazon-web-services, ssl, certificate, amazon-cloudfront, aws-certificate-manager

AWS Same wildcard certificate in different regions


Is it safe to request same wildcard certificate in different regions? I'm using one connected to production ELB in Ireland region, but I need the same in N.Virginia region to connect it to CloudFront.


Solution

If you request "the same" certificate from Amazon Certificate Manager more than once -- whether in the same region or across regions -- you will not actually be issued the same identical certificate multiple times. The multiple certificates will each have the same subjects and subject alternative names, but they won't truly be "the same" certificate. They'll have different private keys and ARNs.

There are no security implications for requesting certificates with the same subject (domain) across regions, because the two certs have nothing in common.

Note that if you are using HPKP then you'll need to account for the existence of multiple valid public keys. Pinning ACM-issued certs is not recommended and apparently, pinning is now deprecated at any rate.

Also, be sure to use DNS validation for your certificates whenever possible, whether you're using certs in multiple regions or not. Automatic annual renewal of the certificates may not work as anticipated if you use email validation, particularly when certificates for the same domain(s) are created in multiple regions or the certificate is in a single region but is a cert for the wildcard domain only. You may have to manually acknowledge renewal emails in these and other cases if you don't use DNS validation. (This is not a limitation in the service per se. Auto-renewal of email-validated certs requires that the service verify that the domain names listed on the cert are actually using the cert on the Internet, and ACM needs to validate this using no internal information.)

DNS validation was introduced after ACM became available, so if you have existing certs issued by ACM prior to the release of this feature, you should consider creating new certs with DNS validation, and switching over to them.
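As an added example, not part of the original answer or of any AWS tooling, the following stand-alone Python shows the checks a practitioner would script around the answer's two points: that the eu-west-1 and us-east-1 certificates carry identical names but are distinct objects (different ARNs, hence different keys), that only the us-east-1 one can be attached to CloudFront, and how the DNS-validation CNAME records from `describe-certificate` output are turned into a Route 53 change batch. The certificate dicts are constructed to mirror the shape of the `Certificate` object returned by `aws acm describe-certificate` (in boto3, `acm.describe_certificate(CertificateArn=...)["Certificate"]`); the ARNs, account id, validation names and values are placeholders, not real ACM output.

```python
"""Cross-region ACM wildcard certificates: same names, distinct identities.

Runs offline on constructed describe-certificate style data. In a real
script the two dicts would come from boto3's
acm.describe_certificate(CertificateArn=...)["Certificate"] in each region.
"""

# Constructed sample data (placeholder ARNs, account id and CNAME values).
# Apex and wildcard share one validation record here, so the change-batch
# builder has to de-duplicate rather than emit the same UPSERT twice.
_VALIDATION_RECORD = {
    "Name": "_placeholder-token.example.com.",
    "Type": "CNAME",
    "Value": "_placeholder-value.acm-validations.aws.",
}

CERT_EU = {
    "CertificateArn": "arn:aws:acm:eu-west-1:123456789012:certificate/"
                      "11111111-1111-1111-1111-111111111111",
    "DomainName": "*.example.com",
    "SubjectAlternativeNames": ["*.example.com", "example.com"],
    "DomainValidationOptions": [
        {"DomainName": "*.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": dict(_VALIDATION_RECORD)},
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ResourceRecord": dict(_VALIDATION_RECORD)},
    ],
}

CERT_US = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/"
                      "22222222-2222-2222-2222-222222222222",
    "DomainName": "*.example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "DomainValidationOptions": CERT_EU["DomainValidationOptions"],
}


def arn_region(arn: str) -> str:
    """Region field of an AWS ARN: arn:partition:service:region:account:resource."""
    return arn.split(":")[3]


def cloudfront_ready(cert: dict) -> bool:
    """CloudFront only accepts ACM certificates issued in us-east-1."""
    return arn_region(cert["CertificateArn"]) == "us-east-1"


def same_names_different_identity(a: dict, b: dict) -> bool:
    """True when both certs cover the same names but are separate objects.

    A separate ARN means a separate issuance with its own private key, which
    is why requesting the 'same' wildcard in two regions shares nothing but
    the names on the certificate.
    """
    same_names = sorted(a["SubjectAlternativeNames"]) == sorted(b["SubjectAlternativeNames"])
    return same_names and a["CertificateArn"] != b["CertificateArn"]


def validation_change_batch(cert: dict, ttl: int = 300) -> dict:
    """Build a Route 53 ChangeBatch that UPSERTs every DNS validation record.

    Records are de-duplicated by (Name, Type, Value) because ACM returns one
    entry per domain and Route 53 rejects a batch that repeats a change.
    Options without a ResourceRecord (e.g. email validation) are skipped.
    """
    seen = set()
    changes = []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if not rr:
            continue
        key = (rr["Name"], rr["Type"], rr["Value"])
        if key in seen:
            continue
        seen.add(key)
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": rr["Type"],
                "TTL": ttl,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    print("distinct certs, same names:", same_names_different_identity(CERT_EU, CERT_US))
    print("us-east-1 cert usable by CloudFront:", cloudfront_ready(CERT_US))
    print("eu-west-1 cert usable by CloudFront:", cloudfront_ready(CERT_EU))
    print("Route 53 changes for us-east-1 cert:", len(validation_change_batch(CERT_US)["Changes"]))
```

The change batch is what you would hand to `route53.change_resource_record_sets(HostedZoneId=..., ChangeBatch=...)`; because the records come from the certificate object itself, the same function serves the eu-west-1 and the us-east-1 request without any region-specific logic.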