I have a few AWS accounts where I manage DNS addresses and ACM SSL certificates. I have a top-level.com domain in one account and another account manages subdomain.top-level.com. I created some SSL certificates with ACM on the top account for example: example.subdomain.top-level.com. But now I'd like to use the same certificate in my subdomain account. Is there a way to share these certificates between my accounts?
- I'm not sure that the AWS account is important. An SSL certificate has "Subject" and "Subject Alternative Name" fields, which describe the DNS server(s) which can use the certificate. All servers whose DNS names correspond to the fields specified by "Subject" and "Subject Alternative Name" can use/share the SSL certificate. The certificate can have for example `*.top-level.com` or `*.subdomain.top-level.com` names. Which field does the certificate have which you plan to share between web servers? – Oleg Aug 28 '16 at 11:53
- In ACM you can't "get" the certificate, you can only select it for specific AWS services. You never see the private key. So for example, you can use it in your AWS ELB but never on your "home made" nginx server, even if it's on EC2. – Amir Mehler Aug 28 '16 at 12:10
- Sorry, but I can't follow you. First of all you can open some web site in some web browser and examine the SSL certificate which the server uses. The fields "Subject" and "Subject Alternative Name" are important. If the fields don't correspond to the second server then you can't use the certificate, but if the properties are OK then you can still have some technical problems with configuring inside of AWS ELB / ACM / EC2. – Oleg Aug 28 '16 at 12:15
- Hi Oleg, ACM lets you generate certificates for your domains for "free". It's not that "free" because once a certificate is generated you can only use it within Amazon. They don't send you the certificate/key and **they generate the private key and CSR for you**. You only provide the domain name(s). Once ready, the certificate can only be used by AWS within AWS. – Amir Mehler Aug 28 '16 at 13:58
- Why do you need an ACM certificate for the subdomain to be in a different account than the server hosting that subdomain? – Mark B Aug 28 '16 at 14:30
- Because one account is for production only and another is for staging. I need to run some wild automated tests in the staging account and I want it to be a reliable replica of the production account. Which in my case includes SSL certificate pinning. – Amir Mehler Sep 01 '16 at 10:42
- Having the exact same issue, my main AWS account has all the certificates for the production domains, and I have another staging account and I need to set up the certificate there – Vadorequest Sep 04 '18 at 13:54
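The comments above turn on which hostnames a certificate's "Subject Alternative Name" entries actually cover, so here is an added example (not code from the question or from AWS) that applies the RFC 6125 wildcard rules browsers enforce. The SAN lists and hostnames are constructed from the names used in this thread; it shows, for instance, that `*.top-level.com` does not cover `example.subdomain.top-level.com`.

```python
# Added example: decide which hostnames a certificate's SAN dNSName entries
# cover, using RFC 6125 wildcard rules. SAN lists below are constructed.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName pattern covers hostname.

    Rules applied (RFC 6125 section 6.4.3, as browsers enforce them):
    - comparison is case-insensitive, trailing dots ignored;
    - a wildcard must be the whole left-most label ("*.example.com");
    - the wildcard matches exactly one label, so it covers neither the
      bare domain nor any deeper subdomain.
    Wildcards on public suffixes ("*.com") are not rejected here.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        # Exact (non-wildcard) name; partial wildcards like "ex*.x.com"
        # are not valid and simply fail the exact comparison.
        return pattern == hostname
    if "*" in pattern[2:]:
        return False  # more than one wildcard is never valid
    suffix = pattern[1:]  # "*.top-level.com" -> ".top-level.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for the "*".
    return bool(left) and "." not in left


def covered_by(sans: list, hostname: str) -> bool:
    """True if any SAN entry in the list covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


# Constructed SAN lists resembling the certificates discussed above.
TOP_LEVEL_WILDCARD = ["top-level.com", "*.top-level.com"]
SUBDOMAIN_WILDCARD = ["*.subdomain.top-level.com"]
EXACT_NAME = ["example.subdomain.top-level.com"]

if __name__ == "__main__":
    hosts = ("top-level.com", "www.top-level.com",
             "subdomain.top-level.com", "example.subdomain.top-level.com")
    for sans in (TOP_LEVEL_WILDCARD, SUBDOMAIN_WILDCARD, EXACT_NAME):
        for host in hosts:
            print(f"{str(sans):50} {host:35} {covered_by(sans, host)}")
```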
1 Answer
Reply from Amazon:
... Unfortunately it is not possible to share ACM certificates across accounts at this time.
But I got a hint that I'm not the only one asking. So it may be a feature in the future. And it will help people who support Certificate Pinning.

Amir Mehler
- Can you get a separate ACM certificate for each account (for the same domain name)? – stepanian Jan 02 '17 at 11:32
- I think so, but I didn't do it. I also delegated a DNS subdomain so I ended up with new domains to create certificates for. – Amir Mehler Jan 04 '17 at 11:44
- Adding official doc for reference, https://aws.amazon.com/premiumsupport/knowledge-center/acm-export-certificate/ – Enigma Sep 25 '20 at 06:11
- You can't share or export ACM certificates between accounts, but you can create multiple ACM certificates for the same domain in different accounts. Only those certificates which are issued by the private CA can be exported. – zain ul abedin Jun 11 '22 at 18:07