Bring Your Own Certificate (BYOC) for VPC Lattice

To serve HTTPS requests, you must have your own SSL/TLS certificate ready in AWS Certificate Manager (ACM) before you set up a custom domain name. The certificate must have a Subject Alternative Name (SAN) or Common Name (CN) that matches the custom domain name for your service. If a SAN is present, we check for a match only in the SAN list. If no SAN is present, we check for a match in the CN.

VPC Lattice serves HTTPS requests using Server Name Indication (SNI). DNS routes the HTTPS request to your VPC Lattice service based on the custom domain name and the certificate that matches this domain name. To request an SSL/TLS certificate for a domain name in ACM or import one into ACM, see Issuing and Managing Certificates and Importing certificates in the AWS Certificate Manager User Guide. If you can't request or import your own certificate in ACM, use the domain name and certificate generated by VPC Lattice.

VPC Lattice accepts only one custom certificate per service. However, you can use a custom certificate for multiple custom domains. This means that you can use the same certificate for all VPC Lattice services that you create with a custom domain name.

To view your certificate using the ACM console, open Certificates, and select your certificate ID. You should see the VPC Lattice service that is associated with that certificate under Associated resource.

Limitations and considerations
  • VPC Lattice allows wildcard matches that are one level deep in the Subject Alternative Name (SAN) or Common Name (CN) of the associated certificate. For example, suppose you create a service with the custom domain name parking.example.com and associate your own certificate with the SAN *.example.com. When a request comes in for parking.example.com, VPC Lattice matches the SAN, because the wildcard covers any single-label subdomain of the apex domain example.com. However, if your custom domain is parking.different.example.com and your certificate has the SAN *.example.com, the request fails.

  • VPC Lattice supports one level of wildcard domain match. This means that a wildcard can be used only as a first-level subdomain, and that it only secures one subdomain level. For example, if your certificate's SAN is *.example.com, then parking.*.example.com is not supported.

  • VPC Lattice supports one wildcard per domain name. This means that *.*.example.com is not valid. For more information, see Request a public certificate in the AWS Certificate Manager User Guide.

  • VPC Lattice only supports certificates with 2048-bit RSA keys.

  • The SSL/TLS certificate in ACM must be in the same Region as the VPC Lattice service you're associating it with.
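As an added example (not AWS or VPC Lattice code), the following Python check mirrors the SAN/CN precedence and one-level wildcard rules described above, so you can validate a certificate's names against a planned custom domain before associating it with a service. The function names are my own, and the hostname label check is a simplified assumption, not the service's actual validator.

```python
# Added example: pre-check certificate names against the matching rules on this page.
import re
from typing import List, Optional

# Simplified hostname label syntax (assumption for this example).
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def split_labels(name: str) -> List[str]:
    """Lower-case, drop a trailing dot, and split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def valid_cert_name(name: str) -> bool:
    """A SAN/CN is usable if it is a plain FQDN or has exactly one wildcard as its first label."""
    labels = split_labels(name)
    if len(labels) < 2 or labels.count("*") > 1:   # *.*.example.com is not valid
        return False
    if "*" in labels and labels[0] != "*":         # parking.*.example.com is not supported
        return False
    return all(LABEL.match(label) for label in labels if label != "*")


def name_matches(cert_name: str, domain: str) -> bool:
    """One-level wildcard: *.example.com covers parking.example.com, not a.b.example.com or the apex."""
    if not valid_cert_name(cert_name):
        return False
    dom_labels = split_labels(domain)
    if not all(LABEL.match(label) for label in dom_labels):  # custom domains carry no wildcard
        return False
    cert_labels = split_labels(cert_name)
    if cert_labels[0] != "*":
        return cert_labels == dom_labels
    # Wildcard matches exactly one label, so label counts must agree and the rest must be equal.
    return len(cert_labels) == len(dom_labels) and cert_labels[1:] == dom_labels[1:]


def certificate_covers(domain: str, san_list: List[str], cn: Optional[str]) -> bool:
    """If any SAN is present, only the SAN list is consulted; otherwise fall back to the CN."""
    if san_list:
        return any(name_matches(name, domain) for name in san_list)
    return cn is not None and name_matches(cn, domain)
```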

Securing your certificate's private key

When you request an SSL/TLS certificate using ACM, ACM generates a public/private key pair. When you import a certificate, you generate the key pair. The public key becomes part of the certificate. To safely store the private key, ACM creates another key using AWS KMS, called the KMS key, with the alias aws/acm. AWS KMS uses this key to encrypt your certificate’s private key. For more information, see Data protection in AWS Certificate Manager in the AWS Certificate Manager User Guide.

VPC Lattice uses AWS TLS Connection Manager, a service that is accessible only to AWS services, to secure and use your certificate's private keys. When you use your ACM certificate to create a VPC Lattice service, VPC Lattice associates your certificate with AWS TLS Connection Manager. We do this by creating a grant in AWS KMS against your AWS managed key. This grant allows TLS Connection Manager to use AWS KMS to decrypt your certificate's private key. TLS Connection Manager uses the certificate and the decrypted (plaintext) private key to establish a secure connection (SSL/TLS session) with clients of VPC Lattice services. When the certificate is disassociated from a VPC Lattice service, the grant is retired. For more information, see Grants in the AWS Key Management Service Developer Guide.

For more information, see Encryption at rest.