I'm working with EC2 instances that act as JMS consumers, reading messages from a JMS queue hosted on an on-premise server. This server requires a two-way SSL integration. The challenge is that these EC2 instances will be part of an auto-scaling group for high availability, and I need a solution that allows me to use a single SSL certificate instead of generating one for each new instance that is added to the group. Is there a way to achieve this? Thanks for your help!
5 Answers
It sounds like you need a client certificate for your setup. One option is to store the certificate in AWS Secrets Manager and download it to each EC2 instance when it launches. If you're looking for added security, you could create an RSA key in KMS, use it to request a cert, and implement the mTLS handshake as needed, but that may be more complex than necessary.
Consider using ACM to generate your certs and then attach it to an Application Load Balancer (ALB) that fronts your instances. This way you won’t need to manage individual certs on the instances anymore, which makes things simpler.
Yeah, isn't the ALB mainly for incoming traffic? The EC2 instances won't be handling incoming requests like that.
For your use case, storing the private key and certificate in AWS Secrets Manager or ACM may be best. The EC2 instances can be given the right permissions to pull these credentials when they start up, making management of them much easier.
Another approach is to keep the certificate in S3 and use the user data script to get it onto the instance at startup. Just be cautious about including sensitive data like the private key in S3, though.
Right! If the private key is part of the certificate, I wouldn’t recommend storing it in S3 without strict access controls.
You can store your SSL certificate on S3 and include a startup script in the user data to load it when each instance starts up. This way, you only have to manage one cert.
Exactly, or you could also use Secrets Manager or SSM Parameter Store to keep the certificate secure and easily accessible.
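A concrete version of the "pull one shared cert at startup" approach from the answers above, added here as example code (it is not from any of the posters). It assumes the client certificate and private key live in a single Secrets Manager secret as a JSON document with `certificate` and `private_key` PEM fields (a constructed layout; the secret name, region and file paths are placeholders). It also covers the S3 caveat raised in the thread: `contains_private_key` tells you whether a PEM bundle carries a key and so must not be parked in a loosely controlled bucket. Only PEM framing is validated here; the sample bodies are constructed and are not real keys.

```python
"""Bootstrap helper for an auto-scaled JMS consumer: pull one shared client
certificate and private key from AWS Secrets Manager when the instance starts.

Example code written for this thread, not from the original answers.
Assumption: the secret's SecretString is JSON like
{"certificate": "<PEM chain>", "private_key": "<PEM key>"}.
"""
import json
import os
import re
import tempfile

# One PEM block; the backreference forces BEGIN/END labels to match.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def contains_private_key(text):
    """True if the bundle carries a private key. Such a bundle must not be
    stored anywhere (e.g. S3) without strict access controls."""
    return any(label in PRIVATE_KEY_LABELS for label in pem_labels(text))


def fetch_secret(secret_id, region="us-east-1"):
    """Read the SecretString from Secrets Manager. boto3 is imported lazily so
    the rest of this module works offline. The instance role only needs
    secretsmanager:GetSecretValue on this one secret (placeholder names)."""
    import boto3  # assumption: boto3 is present on the AMI
    client = boto3.client("secretsmanager", region_name=region)
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def _write_private(path, data, mode):
    """Write data atomically. mkstemp creates the temp file 0600, so the key
    is never world-readable even for an instant; chmod then sets the final mode."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except Exception:
        os.unlink(tmp)
        raise
    return path


def install_client_material(secret_string, cert_path, key_path):
    """Validate the secret payload and install cert (0644) and key (0600).
    Returns a small summary for logging; never returns key material."""
    payload = json.loads(secret_string)
    cert, key = payload["certificate"], payload["private_key"]
    cert_labels = pem_labels(cert)
    if not cert_labels or any(l != "CERTIFICATE" for l in cert_labels):
        raise ValueError("certificate field is not a PEM certificate chain")
    if contains_private_key(cert):
        raise ValueError("refusing: private key found in certificate field")
    if len(pem_labels(key)) != 1 or not contains_private_key(key):
        raise ValueError("private_key field is not a single PEM private key")
    _write_private(cert_path, cert, 0o644)
    _write_private(key_path, key, 0o600)
    return {"certificate_blocks": len(cert_labels),
            "cert_mode": oct(os.stat(cert_path).st_mode & 0o777),
            "key_mode": oct(os.stat(key_path).st_mode & 0o777)}


def demo_install():
    """Offline run against a constructed secret (placeholder PEM bodies)."""
    cert = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
            "-----END CERTIFICATE-----\n")
    key = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
           "-----END PRIVATE KEY-----\n")
    secret = json.dumps({"certificate": cert + cert, "private_key": key})
    workdir = tempfile.mkdtemp()
    summary = install_client_material(secret,
                                      os.path.join(workdir, "client.pem"),
                                      os.path.join(workdir, "client.key"))
    summary["key_in_cert_bundle"] = contains_private_key(cert)
    summary["key_detected"] = contains_private_key(key)
    return summary


if __name__ == "__main__":
    # On a real instance you would call install_client_material(
    #     fetch_secret("jms-consumer/client-cert"), ...) instead.
    print(demo_install())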
Just a heads up, make sure that the common name you use in the certificate is correct. I tried using just 'jms-consumer' and my cert was rejected because there's no domain name linked to it.
But if your instances aren't receiving HTTP requests but just pulling messages from the queue, wouldn't an ALB be of little use?