Issue SSL Certificate in AWS Certificate Manager with Shell Script

Yoshihiro ITO
2 min read, Dec 26, 2020


Today I will show how to issue an SSL certificate in AWS Certificate Manager (ACM) with a shell script.

Introduction

Issuing an SSL certificate in ACM is not something you do repeatedly, so I think many people create it manually in the management console instead of putting it in IaC. Even as a one-off task, clicking through the console each time is tedious, so I scripted it with the AWS CLI.

How to issue certificate in ACM with AWS CLI

Before scripting it, let’s review how to issue a certificate with the AWS CLI.

Note: In this article I use AWS CLI v2, but you can also use v1.

1. Request a certificate

First, request a certificate from ACM.

$ HOSTED_DOMAIN="<your-hosted-domain-name-on-route-53>"
$ TARGET_DOMAIN="<sub-domain-you-want-to-request>.${HOSTED_DOMAIN}"
$ aws acm request-certificate \
--domain-name ${TARGET_DOMAIN} \
--validation-method DNS

The ARN of the requested certificate is needed later, so store it in a variable, CERT_ARN. Note that this list-certificates lookup returns every certificate whose domain name matches, so if one already exists for the domain you will get more than one ARN back; check that exactly one is returned (request-certificate itself also prints the new ARN).

$ CERT_ARN=$( \
aws acm list-certificates \
--query "CertificateSummaryList[?DomainName=='${TARGET_DOMAIN}'].CertificateArn" \
--output text ) \
&& echo "${CERT_ARN}"

arn:aws:acm:us-east-1:************:certificate/d8009e70-XXXX-XXXX-XXXX-XXXXXXXXXXXX

2. Validate domain

Second, create the record set in Route 53 that validates the domain. This step needs the name and value of the validation record, which the acm describe-certificate command returns.

$ VALIDATION_RECORD_NAME=$( \
aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ResourceRecord.Name" \
--output text) \
&& VALIDATION_RECORD_VALUE=$( \
aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ResourceRecord.Value" \
--output text) \
&& echo "
VALIDATION_RECORD_NAME = ${VALIDATION_RECORD_NAME}
VALIDATION_RECORD_VALUE = ${VALIDATION_RECORD_VALUE}"

VALIDATION_RECORD_NAME = _6709bba0b171XXXXXXXXXXXXXXXXXXXX.<your-domain>.
VALIDATION_RECORD_VALUE = _2166df0b8981XXXXXXXXXXXXXXXXXXXX.wggjkglgrm.acm-validations.aws.

Then use route53 list-hosted-zones to get the hosted zone ID.

$ HOSTED_ZONE_ID=$( \
aws route53 list-hosted-zones \
--query "HostedZones[?Name=='${HOSTED_DOMAIN}.'].Id" \
--output text) \
&& echo ${HOSTED_ZONE_ID}
/hostedzone/Z39XXXXXXXXXX

Use the route53 change-resource-record-sets command to create the validation CNAME record in Route 53.

$ aws route53 change-resource-record-sets \
--hosted-zone-id ${HOSTED_ZONE_ID} \
--change-batch \
"{
  \"Changes\": [
    {
      \"Action\": \"CREATE\",
      \"ResourceRecordSet\": {
        \"Name\": \"${VALIDATION_RECORD_NAME}\",
        \"Type\": \"CNAME\",
        \"TTL\": 300,
        \"ResourceRecords\": [{\"Value\": \"${VALIDATION_RECORD_VALUE}\"}]
      }
    }
  ]
}"

3. Check validation status

Use acm describe-certificate to check the validation status. It reads PENDING_VALIDATION until the DNS record has propagated and ACM has verified it, then SUCCESS.

$ aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ValidationStatus" \
--output text
SUCCESS

Scripting this process

Now, let’s make the steps up to this point into a shell script.
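The author's script itself is not included on this page, so what follows is an added reconstruction of the three steps above, not the original. The function names (build_change_batch, validation_record_is_sane, issue_certificate) are my own, and it assumes AWS CLI v2 with credentials that may call ACM and change records in the hosted zone; it goes a little beyond the steps above by taking the ARN straight from request-certificate, polling until ACM publishes the validation record, checking that record before writing it, and using the built-in certificate-validated waiter.

```shell
#!/usr/bin/env bash
# Added example (not the author's script): the three steps above as one script.
# Assumes AWS CLI v2 and credentials allowed to call ACM and Route 53 changes.
set -eu

# Change batch for the validation CNAME. UPSERT instead of CREATE lets the
# script be re-run without failing on an already existing record.
build_change_batch() {
  local name="$1" value="$2"
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' \
    "$name" "$value"
}

# Refuse to publish a record unless its name is under our hosted zone and its
# target is an ACM validation endpoint, so a bad API result never plants an
# arbitrary CNAME in the zone.
validation_record_is_sane() {
  local name="$1" value="$2" zone="$3"
  case "$name" in *".${zone}.") ;; *) return 1 ;; esac
  case "$value" in *.acm-validations.aws.) return 0 ;; *) return 1 ;; esac
}

issue_certificate() {
  local hosted_domain="$1" target_domain="$2" region="$3"
  local cert_arn record_name="" record_value zone_id
  # request-certificate prints the ARN itself, so no list-certificates lookup
  # (which returns every certificate for the domain) is needed.
  cert_arn=$(aws acm request-certificate --region "$region" \
    --domain-name "$target_domain" --validation-method DNS \
    --query CertificateArn --output text)
  # ACM fills in the validation record asynchronously; poll until it appears.
  until [ -n "$record_name" ] && [ "$record_name" != "None" ]; do
    sleep 5
    record_name=$(aws acm describe-certificate --region "$region" --certificate-arn "$cert_arn" \
      --query 'Certificate.DomainValidationOptions[0].ResourceRecord.Name' --output text)
  done
  record_value=$(aws acm describe-certificate --region "$region" --certificate-arn "$cert_arn" \
    --query 'Certificate.DomainValidationOptions[0].ResourceRecord.Value' --output text)
  validation_record_is_sane "$record_name" "$record_value" "$hosted_domain" ||
    { echo "unexpected validation record: $record_name -> $record_value" >&2; return 1; }
  zone_id=$(aws route53 list-hosted-zones \
    --query "HostedZones[?Name=='${hosted_domain}.'].Id" --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_change_batch "$record_name" "$record_value")" >/dev/null
  # Built-in waiter: blocks until the certificate is issued or times out.
  aws acm wait certificate-validated --region "$region" --certificate-arn "$cert_arn"
  echo "$cert_arn"
}
# Usage: ./issue-acm-certificate.sh <hosted-domain> <target-domain> <region>
if [ "$#" -eq 3 ]; then issue_certificate "$@"; fi
```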

How to use this script

Using the script is simple.

Save it as issue-acm-certificate.sh, make it executable with chmod +x, and run it as follows.

$ ./issue-acm-certificate.sh <your-hosted-domain> <domain-you-want-to-issue-certificate> <region-you-want-to-issue>
