[00:00:06] Now let's review SSL certificates. Within AWS, we have the ability to import or create certificates with the AWS Certificate Manager. So, the Certificate Manager does allow us to create free SSL certificates, including wildcards. Now, the certificates that are created within the Certificate Manager will automatically renew. And because Starfield is the root authority and Amazon is an intermediate authority, these certificates are trusted in the major browsers and clients.

[00:00:43] Now, we can import existing certificates. If you already have certificates that you've purchased and created through something like Verisign or Comodo, then you can import those, but it's important to keep in mind that the Certificate Manager will not be able to renew those. You can renew them at Verisign or Comodo, wherever they are, and then re-import them and replace those certificates in the Certificate Manager. Either way, wherever your certificates come from, the Certificate Manager can automatically deploy those certificates to your Elastic Load Balancers, to your CloudFront distributions, to API Gateways.
[00:01:26] And so the great benefit of that is that we no longer have to really be worried about the underlying drudgery of having to renew and re-key and re-deploy those certificates to our various servers and applications. So, I have done plenty of that in my career, and it's not hard: re-keying a certificate that expires and downloading a new certificate and then ensuring that that certificate is installed in Apache or Nginx, or something that's configured. It's not hard, but it is tedious, and it's one of those things that's fun the first time, then just quickly becomes a chore, right? So we can get away from all of that by using something like the Certificate Manager.

[00:02:20] Here, you can see that we have several different components. We have a CloudFront up here. We have our CloudFront edge location, and we have our Load Balancer. We have an EC2 instance, and of course we have the API Gateway. The Certificate Manager, like we've said, can deploy our certificates directly to CloudFront edge locations. It can deploy certificates to our load balancer, and to API Gateway.
[00:02:59] Now, many times you need true end-to-end encryption. If your users are going through CloudFront, through your Load Balancer, to your back-end instance, then in many cases, like for PCI compliance or other types of legal or regulatory compliance, we need end-to-end encryption.

[00:03:22] It's important to keep in mind that the Certificate Manager cannot deploy certificates to EC2. It's also worth noting that, of course, for that connection between the users and CloudFront, our users and their clients, the browsers, would require a trusted certificate. Between CloudFront and our EC2 instance, CloudFront would require... or between CloudFront and API Gateway, that connection would also require a trusted certificate.

[00:04:05] Between the load balancer and EC2, by default, the load balancer does not require a trusted certificate. It is possible to script, as these EC2 instances come to life, if you're using something like auto-scaling... As these instances come to life, you can script them to create their own self-signed certificate.
[00:04:30] That way, you don't have to worry about getting your trusted certificate stored somewhere and then deployed to it. They can just create their own self-signed certificate. It would technically be untrusted, but again, this connection between the load balancer and the EC2 instance by default does not care. It will accept that untrusted certificate. So, keep in mind that if you have a need to create and deploy SSL certificates, and you want to ensure those are always renewed and always deployed to various locations, then keep the Amazon Certificate Manager in mind.
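The boot-time self-signed certificate described above, as an added example that is not part of the course material or any AWS-provided code. It generates the kind of certificate an auto-scaled instance could create for itself at launch and then checks the trust outcome the narration describes: a client that has the instance certificate itself as a root accepts it (the load balancer's default behaviour on the back-end hop, where trust is not checked), while a client using the system root store, as a browser or CloudFront would, rejects it. The function names (SelfSignedCert, VerifyAgainst), the hostname ip-10-0-1-23.ec2.internal, the address 10.0.1.23 and the output file names are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"net"
	"os"
	"time"
)

// SelfSignedCert generates a P-256 key and a self-signed X.509 server
// certificate for host (and ip, if it parses), valid for validFor.
// This is what a launch script on the instance would do locally.
func SelfSignedCert(host, ip string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Random 128-bit serial, as CAs do, so two instances never collide.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
		DNSNames:              []string{host},
	}
	if parsed := net.ParseIP(ip); parsed != nil {
		tmpl.IPAddresses = append(tmpl.IPAddresses, parsed)
	}
	// Template and parent are the same certificate: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// VerifyAgainst reports whether certPEM is valid for host when chained to the
// roots in rootsPEM. An empty rootsPEM means the system root store, which is
// what a browser or CloudFront consults; a self-signed instance cert fails there.
func VerifyAgainst(certPEM, rootsPEM []byte, host string) error {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return fmt.Errorf("no PEM certificate found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{DNSName: host}
	if len(rootsPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rootsPEM) {
			return fmt.Errorf("no usable roots in rootsPEM")
		}
		opts.Roots = pool
	}
	_, err = cert.Verify(opts)
	return err
}

func main() {
	host := "ip-10-0-1-23.ec2.internal" // constructed sample hostname
	certPEM, keyPEM, err := SelfSignedCert(host, "10.0.1.23", 365*24*time.Hour)
	if err != nil {
		log.Fatal(err)
	}
	// A launch script would write these where the web server expects them;
	// here they land in the working directory (constructed file names).
	if err := os.WriteFile("instance.crt", certPEM, 0o644); err != nil {
		log.Fatal(err)
	}
	if err := os.WriteFile("instance.key", keyPEM, 0o600); err != nil {
		log.Fatal(err)
	}
	fmt.Println("accepted when the peer trusts the instance cert itself:", VerifyAgainst(certPEM, certPEM, host) == nil)
	fmt.Println("accepted by the system root store:", VerifyAgainst(certPEM, nil, host) == nil)
}
```

The second line of output is false, which is the "technically untrusted" point in the narration: such a certificate is only acceptable on the load balancer to instance hop, where trust is not checked by default, and never for the user-facing or CloudFront-facing connections, which need a certificate from the Certificate Manager or another public CA.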