Amazon has announced a new service called AWS Certificate Manager, offering free SSL/TLS certificates for AWS resources. Back in June, GeekWire reported that Amazon had applied to become a root certificate authority, and now it is clear what that application was for.
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) certificates enable encrypted communication over a network, most often between a web server and a web browser. These certificates are purchased from third-party certificate providers like Symantec, Comodo and RapidSSL and can cost $50 to hundreds of dollars, depending on the level of identity verification performed.
Offering free SSL certificates for AWS resources is going to grab the attention of developers. Many spend hundreds, if not thousands, of dollars each year to obtain and renew certificates. Now an AWS developer can add free certificates to run their applications on services like Elastic Load Balancer and Amazon CloudFront distributions.
The process of obtaining a new certificate has always been messy, requiring the generation of a Certificate Signing Request on the server being protected, sending that request to a certificate provider, and then installing the certificate once it is received. Since Amazon is managing the whole process, all of that goes away and certificates can be quickly issued and provisioned on AWS resources automatically.
Certificate renewal is another pain point that AWS hopes to solve. Tracking certificate renewal dates, making sure that payment methods are current and then installing the renewal certificate can be more painful than obtaining the original certificate. Many developers have mistakenly let a certificate lapse, bringing down their application for users.
There are limitations to the certificates. Amazon only provides domain validated certificates, a simple verification where domain validation takes place via email. Extended validation certificates are not available, so banks and other websites with sensitive personal data may stick with their current certificate providers. In addition, the certificates cannot be used for code signing or email encryption.
The move is smart, designed to increase developer loyalty and retention on AWS. It will be interesting to see if Microsoft and Google follow suit and add SSL certificate services to Azure and Cloud Platform.