Is it safe to request the same wildcard certificate in different regions? I'm using one connected to a production ELB in the Ireland region, but I need the same in the N. Virginia region to connect it to CloudFront.
3 Answers
If you request "the same" certificate from Amazon Certificate Manager more than once -- whether in the same region or across regions -- you will not actually be issued the same identical certificate multiple times. The multiple certificates will each have the same subjects and subject alternative names but they won't truly be "the same" certificate. They'll have different private keys and ARNs.
There are no security implications for requesting certificates with the same subject (domain) across regions, because the two certs have nothing in common.
Note that if you are using HPKP then you'll need to account for the existence of multiple valid public keys. Pinning ACM-issued certs is not recommended and apparently, pinning is now deprecated at any rate.
Also, be sure to use DNS validation for your certificates whenever possible, whether you're using certs in multiple regions or not. Automatic annual renewal of the certificates may not work as anticipated if you use email validation, particularly when certificates for the same domain(s) are created in multiple regions or the certificate is in a single region but is a cert for the wildcard domain only. You may have to manually acknowledge renewal emails in these and other cases if you don't use DNS validation. (This is not a limitation in the service per se. Auto-renewal of email-validated certs requires that the service verify that the domain names listed on the cert are actually using the cert on the Internet, and ACM needs to validate this using no internal information.)
DNS validation was introduced after ACM became available, so if you have existing certs issued by ACM prior to the release of this feature, you should consider creating new certs with DNS validation, and switching over to them.
The security does not deal with the certificate, but deals with the private key level of privacy.
Suppose you have 2 certificates with distinct keys for the same FQDN (wildcard or not), one in N Virginia, the other in Ireland.
If your private key is stolen in N. Virginia, a Man-in-the-Middle Attack can be done to decrypt communication contents with any of your services: the one in N Virginia and the one in Ireland. So, having different certificates and private keys does not change anything.
BUT if you are using cipher suites without the PFS property (see https://en.wikipedia.org/wiki/Forward_secrecy), the N Virginia private key will only allow decrypting communications with the N Virginia service. So, having different certificates and private keys does change your security level in this situation.
Anyway, using AWS ELB and AWS CloudFront, AWS will know the private key, even if you have chosen to use your own one. Thus, your security does not depend on you. It depends on the way AWS will secure your private key, and you can't have information about that: having a common private key in different regions may, or may not, be less secure than having one key per region.
The only way to use AWS services with private keys not known by AWS is to use the CloudHSM AWS service, or to buy yourself an HSM and connect it to your AWS VPC. Unfortunately, to have a web service at AWS using this service, you need to install a web server on an EC2 instance, since CloudHSM and customer HSMs are not compatible with ELB or CloudFront.
In your situation, you need to trust AWS.
Just to add to the answers.
When you create more than one certificate for the same domain in multiple AWS regions, the CNAME name and CNAME values for the certificates will still be the same.
So you only need to perform one DNS CNAME validation in your domain registry to use all the certificates, since the certificates have the same CNAME name and CNAME value.
Say you create a certificate in eu-west-1 and us-east-1 for *.example.com; you only need to add the CNAME name and CNAME value for either of the certificates, since the certificates have the same CNAME name and CNAME value.
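A way to check the two points made in the answers above before touching DNS: that the validation CNAME for the per-region certificates really is shared (so one record covers all of them), and that none of the certificates is still email-validated (so renewal will not stall on an acknowledgement email). This is an added example, not code from any of the answers or from AWS; it parses the JSON that `aws acm describe-certificate` prints, and the sample records, ARNs and CNAME values below are constructed (the account id is AWS's documented example id).

```python
import json

def _sample(region, cert_id, method="DNS"):
    # Constructed `aws acm describe-certificate` output (not real data); the ARN
    # uses AWS's documented example account id 123456789012.
    opt = {"DomainName": "*.example.com", "ValidationMethod": method}
    if method == "DNS":
        opt["ResourceRecord"] = {"Name": "_abc123.example.com.", "Type": "CNAME",
                                 "Value": "_def456.acm-validations.aws."}
    return json.dumps({"Certificate": {
        "CertificateArn": f"arn:aws:acm:{region}:123456789012:certificate/{cert_id}",
        "DomainName": "*.example.com", "DomainValidationOptions": [opt]}})

# Same wildcard name requested in two regions, plus an older email-validated cert.
SAMPLE_OUTPUTS = [_sample("eu-west-1", "1111-aaaa"),
                  _sample("us-east-1", "2222-bbbb"),
                  _sample("us-east-1", "3333-cccc", method="EMAIL")]

def validation_records(outputs):
    """Group certificates by the DNS record that validates them.

    Returns (records, warnings): records maps (name, type, value) to the sorted
    list of certificate ARNs that record validates, so one key covering several
    ARNs means one DNS change covers all of them; warnings lists certificates that
    are not DNS-validated and will need manual email acknowledgement at renewal.
    """
    records, warnings = {}, []
    for raw in outputs:
        cert = json.loads(raw)["Certificate"]
        arn = cert["CertificateArn"]
        for opt in cert.get("DomainValidationOptions", []):
            rr = opt.get("ResourceRecord")
            if opt.get("ValidationMethod") != "DNS" or rr is None:
                warnings.append(f"{arn}: {opt['DomainName']} is validated by "
                                f"{opt.get('ValidationMethod', 'EMAIL')}, not DNS")
                continue
            key = (rr["Name"], rr["Type"], rr["Value"])
            records.setdefault(key, []).append(arn)
    return {k: sorted(v) for k, v in records.items()}, warnings

if __name__ == "__main__":
    recs, warns = validation_records(SAMPLE_OUTPUTS)
    for (name, rtype, value), arns in recs.items():
        print(f"{name} {rtype} {value}  # validates {len(arns)} certificate(s)")
    for w in warns:
        print("WARNING:", w)
```

With real output, feed one `describe-certificate` JSON string per region into `validation_records`; any key that maps to fewer ARNs than you expected means that certificate needs its own record.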