How to import a public SSL certificate into AWS Certificate Manager
Introduction
This assumes you have already read how to configure DNS. Public certificates are typically created in the member/application account that uses them. For example, if your application runs behind an aws_lb_listener in the preproduction environment and you need to configure a certificate_arn, you will create the certificate in the preproduction account.
The domain modernisation-platform.service.justice.gov.uk is managed by the modernisation-platform team. All environments under this domain, such as my-application.nomis.hmpps-test.modernisation-platform.service.justice.gov.uk, can create their own public certificates using AWS Certificate Manager. For information on DNS naming conventions refer to DNS naming.
The following domains are managed by the operations-engineering team (#ask-operations-engineering).
- justice.gov.uk
- service.justice.gov.uk
To request a public certificate under either of the above domains, refer to the corresponding section below, depending on whether you’re on Linux or Windows.
Linux
Refer to Requesting a new certificate.
Once you receive the public certificate, you can then import it into your environment by following the instructions in Getting certificates ready in AWS Certificate Manager.
Windows
If you are on Windows, refer to How to import a public SSL certificate into AWS Certificate Manager on Windows.
Request process
- Submit a request with a certificate signing request to certificates@digital.justice.gov.uk.
- Receive a reply from certificates@digital.justice.gov.uk with details of validation CNAME records.
- Apply the validation CNAME records to the appropriate Route53 domain.
- Inform certificates@digital.justice.gov.uk that the validation records have been created.
- certificates@digital.justice.gov.uk will respond with the certificate.
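As an added illustration of the request process above (not part of the original guidance or the team's own tooling), this script creates the private key and CSR for the first step and checks that the certificate returned in the last step matches that key before importing it. The hostname, file paths, the 2048-bit RSA key and the use of the AWS CLI for the import are assumptions; follow the linked guides where they differ.

```shell
#!/usr/bin/env bash
# Added example. Hostnames and file paths passed in are constructed placeholders.

# Step 1: create a private key and CSR. Only the CSR is emailed; the key stays local.
make_csr() {  # usage: make_csr <fqdn> <key_out> <csr_out>
  ( umask 077  # key file readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$2" -out "$3" -subj "/CN=$1" \
      -addext "subjectAltName=DNS:$1" )
}

# SHA-256 of the DER-encoded public key held in a key, CSR or certificate file.
pubkey_fingerprint() {  # usage: pubkey_fingerprint key|csr|cert <file>
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Final step: confirm the returned certificate was issued for the key you hold.
cert_matches_key() {  # usage: cert_matches_key <cert> <key>
  local c k
  c=$(pubkey_fingerprint cert "$1") || return 1
  k=$(pubkey_fingerprint key "$2") || return 1
  [ "$c" = "$k" ]
}

# Import only when the pair matches (assumes the AWS CLI and credentials for the
# account that will use the certificate).
import_to_acm() {  # usage: import_to_acm <cert> <key> <chain>
  cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
  aws acm import-certificate --certificate "fileb://$1" \
    --private-key "fileb://$2" --certificate-chain "fileb://$3"
}
```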