
We have everything for our infrastructure set up in us-west-2. We have an SSL cert set up in us-east-1; API Gateway requires it to be in that region.

In us-west-2 we are using the certificate in API Gateway just fine. We would like to use it on our ELB as well. But the ELB requires the ACM certificate to be in the same region.

The certificate is a *.domain.com so it works with all our subdomains. What is the proper way to use the certificate with both API Gateway and ELB?

Jamie Starke
Justin808

1 Answer

This is a scenario that I've come across many times. API Gateway with ACM actually creates a CloudFront Distribution behind the scenes (See Set up Custom Domain Name for API Host Name). CloudFront runs out of AWS Global, which is in the us-east-1 region.

The limitation here is that ELB requires the certificate to be in the same region as the ELB.

The good news is that you can create a second wildcard certificate in us-west-2 and use that in the ELB, as ACM doesn't care about duplicate domains across certificates.

If you absolutely need the ELB and API Gateway to use the same certificate, the only option I'm aware of would be to move your infrastructure into us-east-1. Having two certificates seems like the much better option in my opinion.

Jamie Starke
  • "duplicate certificates across regions". Will this generate the same certificate or create a different certificate? Since encryption done with one public key cannot be decrypted with a different private key, even though they belong to the same domain. – Kannaiyan Sep 13 '17 at 18:48
  • Each certificate is used in a specific context, and the public key is shared during the handshake. It's not like someone is going to take the ELB's public key, go over to API Gateway, and try to decrypt data from it. But all of the certificates are signed for the same domains. – Jamie Starke Sep 13 '17 at 18:57
  • That said, if the client is pinning the certificate, then @Kannaiyan is right, and you will need to have a single certificate, but that goes to my final point, that if you absolutely need them to use a single certificate, then `us-east-1` is your only option at this time. – Jamie Starke Sep 13 '17 at 19:07
  • Using HPKP with ACM-issued certs would be a mistake in any event, since you don't have control of the private key. – Michael - sqlbot Sep 13 '17 at 21:51
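The two regional rules in the answer above (an edge-optimized API Gateway custom domain is served by CloudFront and only sees ACM certificates in us-east-1; a load balancer only sees certificates in its own region), plus the wildcard-matching rule that `*.domain.com` covers exactly one DNS label, are encoded in the following example. It is an added illustration, not code from the original thread or from AWS. The consumer names (`"apigateway-edge"`, `"elb"`, `"alb"`, `"nlb"`), the account id, certificate ARNs and hostnames are constructed sample data; in practice the `AcmCert` records would be built from the output of ACM's `ListCertificates`/`DescribeCertificate` calls in each region.

```python
"""Choose which ACM certificate an ELB or an edge-optimized API Gateway custom
domain can use, applying the two regional rules from the answer above.

Added illustration, not code from the original thread. The ARNs, account id,
consumer names and hostnames are constructed sample data.
"""
from dataclasses import dataclass

# Edge-optimized API Gateway custom domains are fronted by CloudFront, which
# only reads ACM certificates from us-east-1.
CLOUDFRONT_REGION = "us-east-1"


@dataclass(frozen=True)
class AcmCert:
    arn: str
    domains: tuple   # primary domain name plus subject alternative names
    status: str      # ACM status string, e.g. "ISSUED" or "PENDING_VALIDATION"


def arn_region(arn: str) -> str:
    """Extract the region from an ACM certificate ARN.

    Format: arn:aws:acm:<region>:<account>:certificate/<id>
    """
    parts = arn.split(":")
    if len(parts) < 6 or parts[2] != "acm" or not parts[3]:
        raise ValueError(f"not an ACM certificate ARN: {arn}")
    return parts[3]


def name_matches(cert_name: str, host: str) -> bool:
    """Hostname matching as TLS clients apply it to a certificate name.

    A leading '*' covers exactly one DNS label: '*.domain.com' matches
    'api.domain.com' but neither 'domain.com' nor 'a.b.domain.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]            # ".domain.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return bool(label) and "." not in label
    return cert_name == host


def required_region(consumer: str, consumer_region: str) -> str:
    """Region an ACM certificate must live in to be attached to `consumer`.

    Consumer names are an assumption of this example, not AWS identifiers."""
    if consumer == "apigateway-edge":
        return CLOUDFRONT_REGION
    if consumer in ("elb", "alb", "nlb"):
        return consumer_region        # load balancers only see their own region
    raise ValueError(f"unknown consumer: {consumer}")


def pick_certificate(certs, consumer, consumer_region, host):
    """Return the ARN of an issued certificate usable by `consumer` for `host`,
    or None if no certificate in the right region covers that hostname."""
    region = required_region(consumer, consumer_region)
    for cert in certs:
        if cert.status != "ISSUED" or arn_region(cert.arn) != region:
            continue
        if any(name_matches(name, host) for name in cert.domains):
            return cert.arn
    return None


def missing_regions(certs, consumers, host):
    """Regions where a certificate for `host` still has to be requested.

    `consumers` is an iterable of (consumer, region) pairs."""
    return sorted({
        required_region(c, r)
        for c, r in consumers
        if pick_certificate(certs, c, r, host) is None
    })


# Constructed sample: the poster's situation, one wildcard cert in us-east-1.
EAST_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/11111111-1111-1111-1111-111111111111"
WEST_ARN = "arn:aws:acm:us-west-2:123456789012:certificate/22222222-2222-2222-2222-222222222222"
CERTS_BEFORE = (AcmCert(EAST_ARN, ("*.domain.com",), "ISSUED"),)
# After requesting the second wildcard certificate in us-west-2, as the answer suggests.
CERTS_AFTER = CERTS_BEFORE + (AcmCert(WEST_ARN, ("*.domain.com",), "ISSUED"),)
CONSUMERS = (("apigateway-edge", "us-west-2"), ("elb", "us-west-2"))

if __name__ == "__main__":
    print("before:", missing_regions(CERTS_BEFORE, CONSUMERS, "api.domain.com"))
    print("after: ", missing_regions(CERTS_AFTER, CONSUMERS, "api.domain.com"))
    print("elb uses", pick_certificate(CERTS_AFTER, "elb", "us-west-2", "api.domain.com"))
```

With only the us-east-1 certificate, `missing_regions` reports that us-west-2 still needs one; once the second wildcard certificate is issued there, the ELB and API Gateway each pick the certificate in their own required region. Note that the matching rule also shows the limit of "it works with all our subdomains": `*.domain.com` does not cover `domain.com` itself or any two-level name such as `a.b.domain.com`, so those would need their own entries on the certificate.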