How to Export SSL Certificates from AWS Certificate Manager for Off-AWS Deployment

AWS Certificate Manager (ACM) is designed primarily for AWS-integrated services, which means certificates can't be directly downloaded when created in ACM. This becomes problematic when you need to deploy certificates on non-AWS services like:

  • On-premises servers
  • Enterprise Git instances (like your case)
  • Hybrid cloud environments
  • Non-AWS cloud providers

The most reliable method is to recreate the certificate outside ACM using OpenSSL, then apply it to your target service. Here's how to get the required certificate chain:

# First, get the certificate ARN (the JMESPath string literal must be quoted)
aws acm list-certificates --query "CertificateSummaryList[?DomainName=='*.example-private.com'].CertificateArn" --output text

# Then describe the certificate details (status must be ISSUED before it can be fetched)
CERT_ARN=$(aws acm list-certificates --query "CertificateSummaryList[?DomainName=='*.example-private.com'].CertificateArn" --output text)
aws acm describe-certificate --certificate-arn "$CERT_ARN"

You'll need to manually create the certificate files:

# Create certificate file (PEM format)
cat > example-private.crt << 'EOF'
-----BEGIN CERTIFICATE-----
[Your certificate content from AWS]
-----END CERTIFICATE-----
EOF

# Create private key file (if you have it; get-certificate does not return one, so this is the key you generated yourself)
cat > example-private.key << 'EOF'
-----BEGIN RSA PRIVATE KEY-----
[Your private key content]
-----END RSA PRIVATE KEY-----
EOF

# Create chain file (intermediates only, the one that signed the leaf first)
cat > example-private.ca-bundle << 'EOF'
-----BEGIN CERTIFICATE-----
[Intermediate certificate 1]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate certificate 2]
-----END CERTIFICATE-----
EOF

If your target is an EC2 instance, you can use ACM certificates via:

  1. ELB/ALB termination
  2. CloudFront distributions
  3. API Gateway

For example, in an ALB listener configuration:

aws elbv2 create-listener \
    --load-balancer-arn arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/name/id \
    --protocol HTTPS \
    --port 443 \
    --certificates "CertificateArn=$CERT_ARN" \
    --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:account-id:targetgroup/name/id

When handling certificates manually:

  • Set strict file permissions (400 for private keys)
  • Never commit certificates to version control
  • Use AWS Secrets Manager for storage if needed
  • Rotate certificates before expiration

Here's a bash script to automate the extraction of certificate details:

#!/bin/bash
set -euo pipefail
DOMAIN="*.example-private.com"
CERT_ARN=$(aws acm list-certificates --query "CertificateSummaryList[?DomainName=='${DOMAIN}'].CertificateArn" --output text)

if [ -z "$CERT_ARN" ]; then
    echo "Certificate not found"
    exit 1
fi

# get-certificate returns the leaf (Certificate) and the intermediates (CertificateChain).
# Join them with a newline; text output of a bare list would put both on one tab-separated line.
aws acm get-certificate --certificate-arn "$CERT_ARN" \
    --query 'join(`"\n"`, [Certificate, CertificateChain])' \
    --output text > combined.crt

echo "Certificate saved to combined.crt"
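The script above leaves everything in one file, but nginx and other servers want the leaf and the chain in a known order. As an added example that is not part of the original answer, the following Python splits the JSON returned by `aws acm get-certificate` into leaf, chain and fullchain files, rejecting any PEM block that does not decode to a DER certificate; the sample response, the file names and the output directory are constructed for the demonstration.

```python
import base64
import json
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of an `aws acm get-certificate --output json` response.
# The base64 bodies are tiny placeholder DER SEQUENCEs, not real certificates.
SAMPLE_ACM_JSON = json.dumps({
    "Certificate": "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
                        "-----BEGIN CERTIFICATE-----\nMAMCAQM=\n-----END CERTIFICATE-----\n",
})

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def split_pem_certificates(pem_text):
    """Return every certificate block, re-wrapped to 64-column base64 lines."""
    blocks = []
    for body in PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())
        der = base64.b64decode(b64, validate=True)
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n")
    return blocks

def write_bundle(acm_json, out_dir=None):
    """Write leaf.crt, chain.crt and fullchain.crt; return the certificate count per file.
    ACM's get-certificate never returns the private key, so no key file is written."""
    data = json.loads(acm_json)
    leaf = split_pem_certificates(data["Certificate"])
    chain = split_pem_certificates(data.get("CertificateChain", ""))
    if len(leaf) != 1:
        raise ValueError("expected exactly one leaf certificate")
    if leaf[0] in chain:
        raise ValueError("chain must not repeat the leaf certificate")
    files = {
        "leaf.crt": leaf[0],
        "chain.crt": "".join(chain),
        "fullchain.crt": leaf[0] + "".join(chain),  # leaf first, the order nginx expects
    }
    out = Path(out_dir or tempfile.mkdtemp())
    for name, content in files.items():
        (out / name).write_text(content)
        os.chmod(out / name, 0o644)  # public material; a private key would get 0o400
    return {name: len(split_pem_certificates(c)) for name, c in files.items()}
```

Feed it the real response with `aws acm get-certificate --certificate-arn "$CERT_ARN" --output json | python3 -c 'import sys; from bundle import write_bundle; print(write_bundle(sys.stdin.read(), "/etc/ssl/acm"))'`, assuming the code is saved as bundle.py.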

When working with AWS Certificate Manager (ACM), you'll quickly notice it doesn't provide a direct download option for certificates. This becomes problematic when you need to deploy the certificate outside AWS, such as on:

  • On-premises servers
  • Enterprise Git instances (like in your case with *.example-private.com)
  • Hybrid cloud environments
  • Non-AWS services

Here's how to extract your wildcard certificate (*.example-private.com) from ACM:

Option 1: Using AWS CLI

# First, get the certificate ARN (the JMESPath string literal must be quoted)
aws acm list-certificates --query "CertificateSummaryList[?DomainName=='*.example-private.com'].CertificateArn" --output text

# Then fetch the certificate body and chain (the response holds Certificate and CertificateChain; the private key is not part of it)
aws acm get-certificate --certificate-arn YOUR_CERT_ARN --output json

Option 2: Via CloudFormation Export

Create a CloudFormation template that:

Resources:
  CertificateExport:
    Type: AWS::CertificateManager::Certificate
    Properties:
      DomainName: "*.example-private.com"
      ValidationMethod: DNS
Outputs:
  # The stack export carries only the certificate ARN for cross-stack reference;
  # the certificate material itself still has to be fetched with get-certificate.
  CertificateArn:
    Value: !Ref CertificateExport
    Export:
      Name: MyWildcardCert

If you frequently need certificates outside AWS, consider:

  • Using AWS Private CA (more expensive but allows exports)
  • Generating certificates separately with OpenSSL
  • Using AWS Lambda to automate certificate rotation

Remember that exporting certificates carries risks:

  • Private keys should never be stored in Git repositories
  • Use AWS Secrets Manager for secure storage
  • Implement proper IAM policies to restrict access

Once exported, configure your Git server (like GitLab) by:

# Nginx configuration example
server {
    listen 443 ssl;
    server_name git.example-private.com;

    # git.crt must hold the leaf followed by the intermediate chain:
    # nginx sends clients only what is in ssl_certificate
    ssl_certificate /etc/ssl/certs/git.crt;
    ssl_certificate_key /etc/ssl/private/git.key;
    # used to verify stapled OCSP responses; it is not sent to clients
    ssl_trusted_certificate /etc/ssl/certs/ca-bundle.crt;
}