I'm working with EC2 instances that act as JMS consumers, and I need them to communicate with a JMS queue hosted on an on-premises server. The server requires a two-way SSL connection for this integration. Since these EC2 instances will be part of an auto-scaling group for high availability, generating a new SSL certificate for each instance isn't feasible. Is there a way to use a single SSL certificate for all instances so that I don't have to create new certificates each time an instance is added to the auto-scaling group?
7 Answers
You might want to look into storing a client certificate in Secrets Manager. Each EC2 instance could access it on launch to ensure security. If you need something more secure, consider using KMS to handle your certificate requests, but that might be excessive for your needs.
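As an added illustration of the Secrets Manager approach in this answer (example code written for this page, not from the thread or from AWS), the script below is what a user-data hook could run on each auto-scaled instance: fetch one shared client certificate and key from a secret, validate that the payload is actually PEM material, and install it under a directory only the consumer's service account can read. The secret layout (a JSON string with `certificate`, `private_key` and optional `ca_bundle` fields), the secret name, region and destination path are all assumptions; the Secrets Manager call itself is isolated in `fetch_secret_string` so everything else runs offline.

```python
"""Install a shared mTLS client certificate from AWS Secrets Manager at boot.

Hypothetical example. Assumed secret layout (one JSON string):
  {"certificate": "<PEM>", "private_key": "<PEM>", "ca_bundle": "<PEM, optional>"}
The instance role needs only secretsmanager:GetSecretValue on this one secret.
"""
import json
import os
import stat
from pathlib import Path

REQUIRED_KEYS = ("certificate", "private_key")

# Header each field must start with; the key marker is loose on purpose
# ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY" are all acceptable).
PEM_MARKERS = {
    "certificate": "-----BEGIN CERTIFICATE-----",
    "private_key": "-----BEGIN ",
    "ca_bundle": "-----BEGIN CERTIFICATE-----",
}

# Constructed sample payload (not a real key), used for offline demonstration.
SAMPLE_SECRET_STRING = json.dumps({
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIBsampleCert\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEsampleKey\n-----END PRIVATE KEY-----",
})


def parse_client_cert_secret(secret_string: str) -> dict:
    """Validate the JSON returned by GetSecretValue and return its fields.

    Fails loudly on a missing field or non-PEM content so a misconfigured
    secret breaks the boot script instead of leaving a consumer that silently
    cannot complete the TLS handshake.
    """
    data = json.loads(secret_string)
    for key in REQUIRED_KEYS:
        if key not in data:
            raise ValueError(f"secret is missing required field '{key}'")
    for key, marker in PEM_MARKERS.items():
        if key in data and not str(data[key]).lstrip().startswith(marker):
            raise ValueError(f"field '{key}' is not PEM-encoded")
    return data


def install_client_cert(material: dict, dest_dir: str) -> dict:
    """Write cert/key/CA bundle into dest_dir with least-privilege modes.

    Directory is 0700 and the private key 0600, so only the account running
    the JMS consumer (or root) can read the key. Returns {field: path}.
    """
    dest = Path(dest_dir)
    dest.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(dest, 0o700)
    layout = {
        "certificate": ("client.crt", 0o644),
        "private_key": ("client.key", 0o600),
        "ca_bundle": ("ca.crt", 0o644),
    }
    written = {}
    for key, (filename, mode) in layout.items():
        if key not in material:
            continue
        path = dest / filename
        # Create the file with its final mode so there is never a window in
        # which the key is readable by other users; chmod afterwards because
        # the O_CREAT mode is still masked by the process umask.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(material[key].rstrip("\n") + "\n")
        os.chmod(path, mode)
        written[key] = str(path)
    return written


def file_mode(path: str) -> int:
    """Permission bits of a file or directory, for verification."""
    return stat.S_IMODE(os.stat(path).st_mode)


def fetch_secret_string(secret_id: str, region: str) -> str:
    """Fetch the secret (needs network and the instance role). boto3 is
    imported lazily so the module imports and tests cleanly without it."""
    import boto3  # assumed present on the AMI
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


if __name__ == "__main__":
    # Typical user-data invocation; secret name, region and path are placeholders.
    payload = fetch_secret_string("jms/consumer-client-cert", "us-east-1")
    print(install_client_cert(parse_client_cert_secret(payload), "/etc/jms-consumer/tls"))
```

Run it from user data before the consumer service starts, with the instance role scoped to a single `secretsmanager:GetSecretValue` resource; because every instance reads the same secret, rotating the certificate means updating one secret and cycling the group rather than issuing per-instance certificates.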
Just a thought—storing certs in SSM Parameter Store with appropriate permissions for the EC2 roles could help, along with a startup command to securely fetch them. S3 seems risky if there's a private key involved.
If your EC2 instances are connecting to a JMS queue using mTLS, they indeed need access to the SSL certificate and private key to identify themselves. Storing those in Secrets Manager or ACM is a solid approach, ensuring your instances can access them during startup securely.
Another option could be to place the instances behind a load balancer and manage the certificate there, but that might not fit your outgoing connection needs well. Wildcard certificates could be worth considering, but typically it's best with a load balancer.
Have you thought about using AWS Certificate Manager (ACM) to generate your certificates? You could attach the certificate to an Application Load Balancer (ALB) in front of your instances, which means you’d avoid managing TLS on each instance directly—much easier!
ALB is more for incoming traffic, right? The EC2s are fetching messages, not serving content.
You can store a single certificate in S3 and then use a startup script (user data) to automatically load it when each instance starts up. This way, you won’t need to manually generate new certificates for every instance.
Definitely consider using Secrets Manager or SSM Parameter Store for managing the certificate too!
Good idea! But what should the common name be for the cert? I tried using something like 'jms-consumer', but it got rejected since there's no associated domain.
You could also save the certificate in S3 and retrieve it using a userdata script during instance startup. Just be cautious if the certificate has a private key—maybe think twice before using S3 for that.
What do you think the common name should be for the certificate?
But don’t your instances need to connect directly to process the queue? Seems like they wouldn’t be handling HTTP requests directly.