Is AWS Certificate Manager a Potential Game Changer?

ACM now allows you to deploy an Amazon issued SSL certificate to your Elastic Load Balancer or your CloudFront Distribution

Amazon Web Services announced AWS Certificate Manager (ACM; in keeping with their flip-flop tradition of prefixing services with either "AWS" or "Amazon"), and there was much rejoicing.

ACM lets you deploy an Amazon-issued SSL certificate to your Elastic Load Balancer or your CloudFront distribution, and the bit that has everyone excited is that AWS is not charging for the certificates!

So... how do they not charge for certificates, when companies like Symantec charge a small fortune for them? Simple: Amazon have set up their own Certificate Authority, Amazon Trust Services LLC (https://www.amazontrust.com).

This is actually quite a big thing, as it enables Amazon to issue certificates without paying a third-party CA, which dramatically reduces their cost per certificate. When you change the economics behind an action, you change the behaviour that action drives.

To put it simply, now that an SSL certificate is free from Amazon (and from Let's Encrypt), no-one should be running a site without SSL. If you're an AWS customer, not only is the certificate free, setting up SSL is now trivial thanks to ACM. So the immediate result should be a safer internet, or at least a more encrypted one. Reducing the cost of a certificate and making it easy to deploy will drive greater ubiquity of SSL.

SSL ALL OF THE THINGS!!

There is more to it, though, than free and easy SSL certificates for your website. If you dig a little deeper into Amazon Trust Services LLC, you'll pretty soon get the picture that ACM for ELB and CloudFront is just the start.

Amazon Trust Services operates five root certificate authorities:

Amazon Root CA 1 — RSA 2048-bit key, SHA-256 signatures

Amazon Root CA 2 — RSA 4096-bit key, SHA-384 signatures

Amazon Root CA 3 — ECC P-256 key (elliptic curve, also known as NIST P-256)

Amazon Root CA 4 — ECC P-384 key (elliptic curve, also known as NIST P-384)

Starfield Services Root Certificate Authority-G2 — RSA 2048-bit key, SHA-256 signatures

Today, ACM only issues certificates with RSA 2048-bit keys, chained to Amazon Root CA 1. Amazon Root CA 1 is recognised by browsers as trusted because it is cross-signed by Starfield Services Root Certificate Authority-G2, which is in turn cross-signed by the Starfield Class 2 Certification Authority.

Essentially, Amazon Root CA 1 is piggybacking off Starfield Services Root Certificate Authority-G2, which in turn piggybacks off Starfield Class 2 Certification Authority. Starfield Services Root Certificate Authority-G2 in fact cross-signs all four of the Amazon-named root CAs.
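The cross-signing described in the two paragraphs above is easiest to see by walking a chain against different trust stores. The following is an added example, not code from the original post or from AWS: it parses the subject/issuer lines that `openssl s_client -showcerts` prints, then builds the path a client would take for a given set of trusted roots. The sample output is constructed from the names given above; the intermediate CN "Amazon" is an assumption not stated in the post; and only names are matched, so it demonstrates path building rather than signature verification.

```python
"""Trace where an ACM certificate chain anchors for a given trust store.

Added example: not code from the original post or from AWS. It models the
cross-signing described above using only the Subject and Issuer names in
`openssl s_client -showcerts` output. No signatures, validity periods or
constraints are checked, so this is path building, not X.509 validation.
The s_client text below is constructed; the intermediate CN "Amazon" is
an assumption not stated in the post.
"""
import re
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The five roots the post attributes to Amazon Trust Services.
AMAZON_TRUST_ROOTS = frozenset({
    "Amazon Root CA 1",
    "Amazon Root CA 2",
    "Amazon Root CA 3",
    "Amazon Root CA 4",
    "Starfield Services Root Certificate Authority - G2",
})

# Constructed sample in the shape of `openssl s_client -showcerts` output:
# leaf, issuing intermediate, then the two cross-certificates that let a
# client trusting only the old Starfield Class 2 root validate the chain.
SAMPLE_S_CLIENT = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = Starfield Technologies, Inc., CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = Starfield Technologies, Inc., CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = Starfield Technologies, Inc., OU = Starfield Class 2 Certification Authority
"""


@dataclass(frozen=True)
class CertName:
    subject: str
    issuer: str


_RDN = re.compile(r"\b(CN|OU)\s*=\s*([^,/]+)")
_SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")
_ISSUER_LINE = re.compile(r"^\s*i:(.*)$")


def display_name(dn: str) -> str:
    """Short name for a DN: CN if present, else OU (the Starfield Class 2
    root has no CN), else the raw DN. Handles both the 'CN = x, O = y'
    and the older '/O=y/CN=x' OpenSSL layouts."""
    rdns = {k: v.strip() for k, v in _RDN.findall(dn)}
    return rdns.get("CN") or rdns.get("OU") or dn.strip()


def parse_s_client(text: str) -> List[CertName]:
    """Extract (subject, issuer) pairs from the 'Certificate chain' block."""
    certs, subject = [], None
    for line in text.splitlines():
        m = _SUBJECT_LINE.match(line)
        if m:
            subject = display_name(m.group(1))
            continue
        m = _ISSUER_LINE.match(line)
        if m and subject is not None:
            certs.append(CertName(subject, display_name(m.group(1))))
            subject = None
    return certs


def build_path(leaf: str, certs: Iterable[CertName],
               trusted_roots: Iterable[str]) -> Optional[List[str]]:
    """Follow issuer links from `leaf` until a name in `trusted_roots` is hit.

    Returns the names from leaf to anchor, or None if the chain runs out,
    loops, or ends in a self-signed root the client does not trust. This is
    why a server must send the cross-certificates: a client holding only
    Starfield Class 2 cannot stop at Amazon Root CA 1.
    """
    trusted = set(trusted_roots)
    by_subject = {c.subject: c for c in certs}
    path, seen = [], set()
    current = by_subject.get(leaf)
    while current is not None and current.subject not in seen:
        seen.add(current.subject)
        path.append(current.subject)
        if current.subject in trusted:
            return path                      # client already holds this cert
        if current.issuer in trusted:
            return path + [current.issuer]   # anchor lives in the trust store
        if current.issuer == current.subject:
            return None                      # untrusted self-signed root
        current = by_subject.get(current.issuer)
    return None


def anchor_operated_by_amazon(path: Optional[List[str]]) -> bool:
    """True if the path ends at one of the five Amazon Trust Services roots."""
    return bool(path) and path[-1] in AMAZON_TRUST_ROOTS


if __name__ == "__main__":
    # Optional argument: a file holding real `openssl s_client -showcerts` output.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_S_CLIENT
    chain = parse_s_client(text)
    stores = {  # hypothetical client trust stores, one root each
        "trusts only Starfield Class 2": {"Starfield Class 2 Certification Authority"},
        "trusts Starfield Services G2": {"Starfield Services Root Certificate Authority - G2"},
        "trusts Amazon Root CA 1": {"Amazon Root CA 1"},
        "trusts none of these": {"Some Other Root CA"},
    }
    for label, store in stores.items():
        path = build_path(chain[0].subject, chain, store)
        print(f"{label}: {' -> '.join(path) if path else 'NO TRUSTED ANCHOR'}")
```

The output makes the post's point concrete: a client that only carries the GoDaddy-era Starfield Class 2 root needs every cross-certificate the server sends and still ends at a root Amazon does not operate, a client with Starfield Services G2 stops one hop earlier at a root Amazon now owns, and a client that already has Amazon Root CA 1 never touches Starfield at all.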

Starfield is a subsidiary of GoDaddy, and a separate entity from Amazon altogether. What does get interesting is that Mozilla's list of included root certificates names Amazon as the owner of Starfield Services Root Certificate Authority-G2.

Looking at the Mozilla root inclusion application, it becomes clear that Amazon in fact purchased Starfield Services Root Certificate Authority-G2 in June 2015.

This makes sense, as it is quite a drawn-out process to get a root CA added to all the trusted certificate stores used by the various browsers and platforms. Purchasing a CA that is already in all the platform stores gives Amazon ubiquity across platforms immediately, and time to get their other CAs approved.

In addition to Starfield Services Root Certificate Authority-G2, Amazon has applied to Mozilla to have its other four root CAs included, a process that started in June 2015 and is still ongoing. The application gives quite a bit of insight into what Amazon has applied for, and helps us jump to wild conclusions.

So why is getting into the Mozilla CA Certificate Store so important? It is the root store used by Mozilla Network Security Services (NSS); it is the root program that most Linux distributions derive their system trust stores from; it is used by products such as Google Chrome (EDIT: only on Linux; on other platforms Chrome uses the platform store); and NSS was the first open-source cryptographic library to achieve FIPS 140 validation. Getting all the Amazon root CAs into the Mozilla store means a host of other applications will trust an Amazon-issued certificate.

So let's jump to some wild conclusions about where Amazon will take ACM once they have five root CAs in the Mozilla CA Certificate Store.

API Gateway — Already supports self-signed certificates; adding Amazon-signed certificates wouldn't be a stretch.

IoT — One of the biggest concerns today around IoT is security. Amazon can now ensure all communication between two devices is encrypted and/or authenticated with certificates chaining to a trusted root CA. Issue a cert from a root CA to every device? Why not?

WorkMail — WorkMail needs an edge, and could offer better security out of the box than competitors, with publicly signed email by default.

WorkDocs — Publicly signed documents as standard? One way to share documents securely and in a trusted way!

3rd Party Certificate Management — Today, managing certificates in AWS that were issued by other organisations is not the easiest. Being able to add third-party certificates to ACM would ease the process, and also make it easy to replace them with AWS certificates when they expire.

Ultimately, Amazon can ensure that communication between two parties who have no prior trust in each other is encrypted, with Amazon as the trusted third party vouching for both identities. This becomes really powerful when they bake that capability natively into all of their services, with an easy-to-use interface and a host of SDKs, while adding no cost to issue a certificate.

The biggest downside I see with Amazon running their own CA, and with ACM, is that it looks like Amazon will only let you obtain certificates through ACM, which is coupled to the AWS platform. So you won't be able to use those certificates on a competing CDN, for example. It's not complete lock-in, but it would mean maintaining a separate set of non-AWS certificates for non-AWS services.

In the short term, until the four Amazon Root CAs are in the Mozilla CA Certificate Store, don't expect this to go beyond ACM for ELB and CloudFront. Once the four Amazon Root CAs are on the trusted list, expect ACM in everything.

Oh... and good luck to Symantec and their certificate business.

Ant Stanley

Update: Microsoft added the Amazon Root CAs to their trusted CA store as of 21 January.

A Cloud Guru
