Jim*_*ugh 5 java ssl-certificate amazon-web-services spring-boot
I purchased the domain name 'jimtough.org' directly from Amazon so I could use it with a Cloudfront distribution. Now I have a very simple vanity site at https://jimtough.org/ that uses the certificate. I also played around with AWS API Gateway and confirmed that I can use the same certificate to provide HTTPS secured URLs to work with API Gateway.
I am also running a Java/Spring Boot web application on an EC2 server. I have already associated a Route53 DNS name with the EC2 server that hosts my Spring Boot application, like this: http://instance-b.jimtough.org/. This works, but it is using unsecured HTTP. I get a bunch of warnings when I try to do basic authentication in the application, since it would be sending my username/password via an insecure connection. Fair enough.
So my next step is to enable HTTPS in Spring Security and force secure connections to the application. In order to do this, I first need to provide a certificate for the Java runtime on the EC2 host to use. I found examples of how to do so with a self-signed certificate:
Unfortunately, using a self-signed certificate is not what I'm looking for. I want the user to be able to browse my static content vanity site first (https://jimtough.org/), and then follow a link to my web app and keep using the same site certificate (my AWS-issued cert) for my Spring web app.
QUESTION: How can I use my AWS-issued certificate with my Java-based web application?
Inside the AWS Certificate Manager (https://console.aws.amazon.com/acm/home?region=us-east-1#/), I don't see any way to 'export' or save my certificate. Am I missing something? Maybe Amazon doesn't want me to use this certificate outside of their own services?
Note that I did originally set up the certificate with the domain name as 'jimtough.org' and the Additional Names field set to '*.jimtough.org' so I can use the certificate on sub-domains as I'm trying to do here.
EDIT
The accepted answer from julien-b is correct. I did some more research and found that SSL certificates aren't cheap, and come in different flavors. The cheapest is the 'DV' (Domain Validation) type, which only verifies that the SSL certificate is controlled by someone who also controls the DNS record for the associated domain (such as 'mydomain.com'). There are much more thorough (and expensive) certificate types that can be issued, where the issuer has to do background checks on the owning organization. Those are meant for sites that handle e-commerce, financial transactions, etc. Not at all what I need.
还有多种类型的多站点证书可供选择。最便宜的单域证书仅涵盖您的主域和“www”子域( mysite.com 和www.mysite.com)。如果您希望覆盖主域的所有子域(app.mysite.com、ftp.mysite.com 等),那么您将需要“通配符”证书。这些要贵得多。更奇特的证书类型可以覆盖多个不同的域。这些似乎旨在使管理许多不同域且不需要为每个域使用不同证书的组织更轻松地进行证书管理。不是我需要的,所以我没有进一步调查。
我决定使用 Comodo(最近更名为 Sectigo?)的“带有子域通配符的单域”证书,该证书目前看来是最实惠的证书供应商。
参考: https: //www.techradar.com/news/best-ssl-certificate-provider
对于亚马逊来说,他们没有参与这场游戏并付费发行自己的 SSL 证书,这似乎是一个错失的机会。AWS 已经具备了执行此操作所需的所有基础设施,至少对于 DV 级别的证书而言是如此。
您无法导出公共信任的 ACM 证书的私钥。您可以将 ACM 证书与某些托管服务结合使用,但它并不适用于所有用例。
https://docs.aws.amazon.com/acm/latest/userguide/export-private.html
AWS Certificate Manager 与其他 AWS 服务集成,因此您可以预置 SSL/TLS 证书并将其与您的 Elastic Load Balancer、Amazon CloudFront 分配或 Amazon API Gateway 中的 API 一起部署。AWS Certificate Manager 还与 AWS Elastic Beanstalk 和 AWS CloudFormation 配合使用公共电子邮件验证证书,以帮助您管理公共证书并将其与 AWS 云中的应用程序一起使用。
https://aws.amazon.com/certificate-manager/features/?nc=sn&loc=2
如果您想在未与 ACM 集成甚至本地部署的服务上使用证书,则应从其他来源获取证书。
至于 ACM 私有 CA,它旨在在组织内使用,因此与您的用例不匹配。
https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html
| 归档时间: |
|
| 查看次数: |
2922 次 |
| 最近记录: |