What are AWS recommendations for cert owners who wish to increase RSA key size WITHOUT changing the ARN?


When using a 3rd party CA, we would like to reimport certs to Certificate Manager with a higher RSA key size without changing the cert ARNs, so ELBs etc. are not impacted.

Today, AWS restricts users from reimporting a new cert with a different RSA key size, i.e. "The key type and size cannot be changed." (https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html). For example, if using RSA 2048, you cannot reimport a new cert with RSA 4096 as it will fail, i.e. you can replace 2048 with 2048 and 4096 with 4096, but not replace a 2048 with 4096.

Does AWS have recommendations on how to manage migrating certs with increased RSA key sizes?

Thanks

1 Answer

I'm not working for AWS and don't speak for them, but based on general professional experience, I'd guess that one of the main reasons why the type or size can't be changed (whether using ACM-issued or imported certificates) is that the many services that use the certificates, such as load balancers or CloudFront distributions, probably require being notified and consulted on the certificate type changing. That might involve the target service confirming that it supports the new key type/size, that service-specific quotas aren't exceeded, that any restrictions that might be applied via IAM policies are properly enforced, and any number of other potential considerations.

For example, you could conceivably have your own custom IAM policy that would require that certificates developers associate with their load balancers or API Gateways meet certain type and size requirements. If ACM allowed the certificate to be changed to a different type in place, that check done by the ELB or API Gateway services would get silently bypassed, directly conflicting with the option of applying such policy-based enforcements in an integrated service.

As you discovered, you'll have to create new certificates either issued by ACM or imported from an external CA and tell the associated services, such as load balancers and CloudFront distributions, to switch to the new certificates. You can see in each certificate's properties in ACM which services are using it.

Leo K
answered 3 months ago
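As an added example (not part of the question or answer above, and not AWS's own tooling), a bash helper that applies the constraint both posts describe: it maps a certificate's key to ACM's KeyAlgorithm naming, reimports under the existing ARN only when the key type and size match, and otherwise imports a new certificate and lists the services still attached to the old ARN via InUseBy. It assumes the AWS CLI and openssl are installed and that ACM reports key algorithms as RSA_2048, RSA_4096, EC_prime256v1 and so on.

```bash
#!/usr/bin/env bash
# Added example: choose between an in-place ACM reimport (ARN preserved) and a fresh
# import (new ARN, consumers must be re-pointed) based on the key type and size.
set -eu

# Map `openssl x509 -noout -text` output to ACM's KeyAlgorithm naming
# (RSA_2048, RSA_4096, EC_prime256v1, ...). Reads the text on stdin.
key_algorithm_from_text() {
  local text alg bits curve
  text=$(cat)
  alg=$(printf '%s\n' "$text" | awk -F': *' '/Public Key Algorithm/ {print $2; exit}')
  case "$alg" in
    rsaEncryption)
      bits=$(printf '%s\n' "$text" | awk '/Public-Key:/ {gsub(/[^0-9]/, ""); print; exit}')
      printf 'RSA_%s\n' "$bits" ;;
    id-ecPublicKey)
      curve=$(printf '%s\n' "$text" | awk -F': *' '/ASN1 OID/ {print $2; exit}')
      printf 'EC_%s\n' "$curve" ;;
    *) echo "unsupported key algorithm: $alg" >&2; return 1 ;;
  esac
}

# Same mapping for a PEM certificate on disk (needs openssl).
key_algorithm_of_pem() { openssl x509 -in "$1" -noout -text | key_algorithm_from_text; }

# "reimport" keeps the ARN; "import-new" means every consumer must switch ARNs.
plan_replacement() { [ "$1" = "$2" ] && echo reimport || echo import-new; }

# Usage: replace_certificate <existing-arn> <cert.pem> <key.pem> <chain.pem>
# Calls the AWS CLI, so it is not part of the offline checks.
replace_certificate() {
  local arn=$1 cert=$2 key=$3 chain=$4 current new
  current=$(aws acm describe-certificate --certificate-arn "$arn" \
    --query Certificate.KeyAlgorithm --output text)
  new=$(key_algorithm_of_pem "$cert")
  if [ "$(plan_replacement "$current" "$new")" = reimport ]; then
    aws acm import-certificate --certificate-arn "$arn" --certificate "fileb://$cert" \
      --private-key "fileb://$key" --certificate-chain "fileb://$chain"
  else
    echo "key algorithm changes $current -> $new: importing as a new certificate" >&2
    aws acm import-certificate --certificate "fileb://$cert" --private-key "fileb://$key" \
      --certificate-chain "fileb://$chain" --query CertificateArn --output text
    # These consumers still reference the old ARN and must be re-pointed, e.g. with
    # aws elbv2 modify-listener --listener-arn ... --certificates CertificateArn=<new-arn>
    aws acm describe-certificate --certificate-arn "$arn" \
      --query Certificate.InUseBy --output text
  fi
}
```

The InUseBy list printed in the import-new branch is the same information the answer points to in each certificate's ACM properties, so it doubles as the checklist of listeners and distributions to update before the old certificate is deleted.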
