The difference between AWS Certificates and Public CA Certificates

Using cloud-based platforms and services has become increasingly popular among businesses over the past few years, with Amazon Web Services (AWS) dominating the market. From website hosting and app development to storage and database management, AWS is a go-to source for those looking to dip their toe into the ever-expanding online space. 

Whether you opt for traditional computing or cloud-based computing, strong security should always be a top priority, particularly SSL/TLS security. Those using AWS services may have noticed that they can get an SSL certificate through AWS itself, which is a private Certificate Authority (CA), or a public CA like Sectigo. The best to go for will depend on your particular needs and whether you want a high level of assurance for your site. Much of it boils down to the differences between public and private CAs.

Read on to learn more about the ins and outs of CAs, AWS, and knowing what kind of CA to choose.

Certificate Authorities — public vs. private

CAs are the bodies in charge of signing, managing, issuing, and revoking SSL certificates. Public and private CAs have broadly the same components and perform similar duties. The most significant differences between the two are who they issue to, the types of networks they utilize, and the guidelines they follow.

Public CAs adhere to the rules and regulations laid out by the CA/Browser Forum, a consortium of CAs, web browsers, and operating systems. Public CAs ensure that public key infrastructure (PKI) works as it should, ensuring that HTTPS connections across public networks like the Internet are encrypted. Before issuing an SSL, public CAs will verify DNS information and may perform background checks on the requestor. They use specific cryptographic keys known as a root certificate to sign the certificate, which informs clients, such as web browsers, that a trusted entity has issued the certificate. 

Private CAs tend to issue certificates for use on private networks rather than public ones. Instead of following CA/Browser Forum guidelines, private CAs create their own standards for issuance and verification. Because of this, oftentimes SSL certificates issued by private CAs aren’t automatically trusted by major web browsers, and administrators are needed to configure any systems they connect with. 

How AWS certificates work

With AWS, you can use a service called AWS Certificate Manager (ACM) to deploy and manage SSL certificates for immediate use on ACM-integrated services. Unlike many private CAs, it offers both public and private SSL certificates. Its public SSL certificates, intended for securing public-facing websites, are free, while private SSLs, ideal for securing internal private networks, have a monthly fee. The major appeal of using ACM for AWS is speed and convenience — the user doesn’t need to deal with key pair generation, installation, or renewals because the certificate manager does it all for you. 

However, there are some limitations when it comes to ACM certificates. They cannot be used for email encryption, and high assurance certificates like organization and extended validation level certificates are not available, only domain validation. If you’re hosting your site on AWS, these may be factors to take into consideration before choosing your SSL provider.

Can public CA certificates be used on AWS?

They sure can. If you use AWS services and purchase an SSL from a public CA-partnered store like, you can use ACM to install it. By choosing a public CA SSL you’ll have the option of getting an OV or EV SSLs which authenticates your business or organization, providing a higher level of credibility to your users. This is particularly beneficial to e-commerce stores or sites that request personal information from users.

Wrap up

Whether you opt for ACM or a public CA will largely be dependent on your particular needs. IT teams seeking to secure internal resources might favor the speed and control granted by ACM certificates, while website owners on AWS might feel more comfortable with the higher level of assurance offered by public CA SSL certificates.

Share on Twitter, Facebook, Google+