I don't want to use a private CA and create private certificates. Is it possible to create a public certificate using ACM for an internal (NOT internet facing) ALB? If yes, then how can it be created? As per the ACM FAQ below it looks like it should be possible, but I am not able to figure out how it can be created.

Q: Can I use public certificates for internal Elastic Load Balancing load balancers with no public internet access?

Yes, but you can also consider using ACM Private CA to issue private certificates that ACM can renew without validation. See Managed Renewal and Deployment for details about how ACM handles renewals for public certificates that are not reachable from the Internet and private certificates.

jellycsc
user10916892

1 Answer

You would have to add a Route53 private zone to your VPC that matches the domain name of the certificate, with an ALIAS record pointing at the load balancer that matches the FQDN in the SSL certificate. All connections to the internal load balancer would have to use that domain name in order for the load balancer to serve the certificate.

Mark B
  • I created private zone "services.company.local" and created an A record in Route 53 "A.services.company.local" pointed to the ALB. Now when I tried to create a public certificate from ACM (for the domain name value I tried both services.company.local and A.services.company.local), DNS validation failed with "The status of this certificate request is "Failed". One or more domain names are not valid public domains." – user10916892 Aug 03 '21 at 04:17
  • Your question was about using a "public certificate" on a private load balancer. You need to create a certificate for a domain you own, and that needs to be the domain name you use in the private zone. – Mark B Aug 03 '21 at 12:11
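The arrangement Mark B describes, as an added Terraform example that is not part of the original answer: a public ACM certificate is DNS-validated through a public Route 53 hosted zone for a domain you own, the validation CNAME stays in that public zone so ACM's managed renewal keeps working even though the ALB is never reachable from the internet, and a private hosted zone with the same name resolves the hostname to the internal ALB inside the VPC. This is also why the commenter's attempt with "services.company.local" failed: ACM only issues public certificates for names under a publicly resolvable domain you control, so a ".local" name can never pass validation. The domain `example.com`, the hostname `app.internal.example.com`, the TLS policy name and the `vpc_id`, `alb_arn` and `target_group_arn` variables are assumptions, not values from the question.

```hcl
# Added example (not from the original question or answer). Assumptions:
# you own example.com and have a public Route 53 hosted zone for it, the
# internal ALB (scheme = internal) and its target group already exist, and
# the VPC id is known. All names below are placeholders.

variable "vpc_id"           { type = string } # VPC the internal ALB lives in
variable "alb_arn"          { type = string } # existing internal ALB
variable "target_group_arn" { type = string } # existing target group

data "aws_lb" "internal" {
  arn = var.alb_arn
}

# Public hosted zone for a domain you actually own; ACM validates against this.
data "aws_route53_zone" "public" {
  name         = "example.com."
  private_zone = false
}

# Public ACM certificate. The name must be under a real public domain you
# control; a ".local" name fails with "not valid public domains".
resource "aws_acm_certificate" "internal_alb" {
  domain_name       = "app.internal.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true
  }
}

# The validation CNAME goes in the PUBLIC zone. Leave it in place: ACM re-checks
# it for managed renewal, which is what makes this work for a non-public ALB.
resource "aws_route53_record" "validation" {
  for_each = {
    for dvo in aws_acm_certificate.internal_alb.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id = data.aws_route53_zone.public.zone_id
  name    = each.value.name
  type    = each.value.type
  ttl     = 60
  records = [each.value.record]
}

resource "aws_acm_certificate_validation" "internal_alb" {
  certificate_arn         = aws_acm_certificate.internal_alb.arn
  validation_record_fqdns = [for r in aws_route53_record.validation : r.fqdn]
}

# Private hosted zone carrying the same name, associated with the VPC, so that
# clients inside the VPC resolve app.internal.example.com to the internal ALB.
resource "aws_route53_zone" "private" {
  name = "internal.example.com"

  vpc {
    vpc_id = var.vpc_id
  }
}

resource "aws_route53_record" "app_alias" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "app.internal.example.com"
  type    = "A"

  alias {
    name                   = data.aws_lb.internal.dns_name
    zone_id                = data.aws_lb.internal.zone_id
    evaluate_target_health = true
  }
}

# HTTPS listener serving the public certificate. Clients must connect using
# the hostname in the certificate, not the ALB's own *.elb.amazonaws.com name,
# or the name check on the certificate fails.
resource "aws_lb_listener" "https" {
  load_balancer_arn = data.aws_lb.internal.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate_validation.internal_alb.certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = var.target_group_arn
  }
}
```

Two things to check after applying this: from a host inside the VPC, `app.internal.example.com` should resolve to the ALB's private addresses (the private zone wins over the public one for VPC resolvers), and `openssl s_client -connect app.internal.example.com:443 -servername app.internal.example.com` should show the ACM-issued chain with no hostname mismatch. From outside the VPC the name either does not resolve or resolves to nothing useful, which is the intended behaviour; only the validation CNAME needs to be publicly visible.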