Michael Black | Fri, 24 Mar 2017

Here at GorillaStack we've been using LetsEncrypt to issue SSL certificates for custom domains on AWS's API Gateway for all our Serverless projects. While we love this service, securing a custom domain for API Gateway required a time consuming, manual process to be repeated every time a certificate expired. That's why we were so excited by the recent announcement of API Gateways integration with ACM!

Below I'll give you a quick run down on the now simple process of requesting a certificate through ACM for your Serverless project (or otherwise!) custom domain without having to use LetsEncrypt.

It's worth noting from that start that you will need access to the email address registered to the custom domain. When requesting a certificate, ACM will send a verification email to the domain’s Registrant Email, to validate that the requestor has control over the domain.

Pro Tip: If you’re not sure which email address is registered to the domain, a quick `whois domain.com` will help you. In the terminal will show the Registrant Email, where ACM will send the verification request.

Requesting a Certificate Through ACM for your Serverless Project

Head to the ACM Console and click 'Request a Certificate' (or 'Get Started' if it's your first time using ACM). Enter the full domain you will be using for the project, or use a wildcard (\*) if you want the certificate to cover multiple sites under the domain e.g. '\*.example.com'. Click through 'Review and Request', 'Confirm and Request', and 'continue'. Check the Registrant address for the verification email, follow the link to Amazon Certificate Approvals, and click the 'I Approve' button.

The status of your certificate in ACM should change from pending to issued, and you're all done! You can now head to API Gateway and set up a custom domain as usual, only now you'll be able to quickly select your certificate from a dropdown menu! If you are updating an existing custom domain, click Edit, and check the 'Change Certificate' box to see the menu.

Pro Tip: Like all resources in AWS, your certificate will be tied to a unique ARN, which will be used to reference it from other AWS services. This ARN will persist through automatic renewals.

So there you have it, as long as ACM can continue to successfully establish an HTTPS connection with your domain, it will automatically renew the certificate. No more manually requesting, creating record sets for verification, or uploading certificates!