
Certificate Management

AWS Certificate Manager

Why AWS Certificate Manager (ACM)❓

As stated on the official AWS website:

"AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources. SSL/TLS certificates are used to secure network communications and establish the identity of websites over the Internet as well as resources on private networks. AWS Certificate Manager removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates."

"With AWS Certificate Manager, you can quickly request a certificate, deploy it on ACM-integrated AWS resources, such as:

  • Elastic Load Balancers,
  • Amazon CloudFront distributions,
  • and APIs on API Gateway,

and let AWS Certificate Manager handle certificate renewals. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally. Public and private certificates provisioned through AWS Certificate Manager for use with ACM-integrated services are free. You pay only for the AWS resources you create to run your application. With AWS Certificate Manager Private Certificate Authority, you pay monthly for the operation of the private CA and for the private certificates you issue."


Figure: AWS Certificate Manager (ACM) service integration diagram. (Source: AWS, "Amazon Certificate Manager intro diagram", AWS Documentation Amazon ACM User Guide, accessed August 4th 2021).

Cert-manager + Let's Encrypt

Why Cert-manager + Let's Encrypt❓

  • cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates.

  • It can issue certificates from a variety of supported sources, including Let’s Encrypt, HashiCorp Vault, and Venafi as well as private PKI.

  • It will ensure certificates are valid and up to date, and attempt to renew certificates at a configured time before expiry.

  • It is loosely based upon the work of kube-lego and has borrowed some wisdom from other similar projects such as kube-cert-manager.


Figure: Certificate manager high level components architecture diagram. (Source: Cert-manager official documentation, "Cert-manager manager intro overview", Cert-manager Documentation main intro section, accessed August 4th 2021).
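
The issuer and certificate resource types described above, as a pair of manifests for Let's Encrypt. This is an added example, not taken from the cert-manager documentation or from this project's configuration; the resource names, namespace, hostname, e-mail address and ingress class are assumptions.

```yaml
# Added example. Names, namespace, hostname, e-mail and ingress class are assumed.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging            # hypothetical issuer name
spec:
  acme:
    # Let's Encrypt staging endpoint: suitable for testing the flow without
    # hitting production rate limits; its certificates are not publicly trusted.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com             # placeholder ACME account contact
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # Secret that stores the ACME account key
    solvers:
      - http01:
          ingress:
            class: nginx               # assumed ingress controller
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-example-com                # hypothetical certificate name
  namespace: web                       # assumed application namespace
spec:
  secretName: web-example-com-tls      # Secret that receives tls.crt and tls.key
  dnsNames:
    - web.example.com                  # placeholder hostname
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always             # generate a fresh private key at every renewal
  renewBefore: 720h                    # start renewal 30 days before expiry
```

Both the ACME account key and the issued key pair are stored as Kubernetes Secrets, so read access to Secrets in those namespaces should be restricted with RBAC.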