Issue SSL Certificate in AWS Certificate Manager with Shell Script
Today I will show how to issue an SSL certificate in AWS Certificate Manager (ACM) with a shell script.
Introduction
Issuing an SSL certificate in ACM is not something you do repeatedly, so I think many people create certificates manually rather than putting them in IaC. Even as a manual task, though, doing it through the management console every time is tedious, so I scripted it with the AWS CLI.
How to issue a certificate in ACM with the AWS CLI
Before scripting it, let’s review how to issue a certificate with the AWS CLI.
Note: In this article I use AWS CLI v2, but you can also use v1.
1. Request a certificate
First, request a certificate from ACM.
$ HOSTED_DOMAIN="<your-hosted-domain-name-on-route-53>"
$ TARGET_DOMAIN="<sub-domain-you-want-to-request>.${HOSTED_DOMAIN}"
$ aws acm request-certificate \
    --domain-name ${TARGET_DOMAIN} \
    --validation-method DNS
The ARN of the requested certificate will be needed later, so store it in the variable CERT_ARN.
$ CERT_ARN=$( \
aws acm list-certificates \
--query "CertificateSummaryList[?DomainName=='${TARGET_DOMAIN}'].CertificateArn" \
--output text ) \
&& echo "${CERT_ARN}"
arn:aws:acm:us-east-1:************:certificate/d8009e70-XXXX-XXXX-XXXX-XXXXXXXXXXXX
2. Validate domain
Second, create a record set in Route 53 to validate the domain. The record set information needed for validation is returned by the acm describe-certificate command, so use it to get the record name and value.
$ VALIDATION_RECORD_NAME=$( \
aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ResourceRecord.Name" \
--output text) \
&& VALIDATION_RECORD_VALUE=$( \
aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ResourceRecord.Value" \
--output text) \
&& echo "
VALIDATION_RECORD_NAME = ${VALIDATION_RECORD_NAME}
VALIDATION_RECORD_VALUE = ${VALIDATION_RECORD_VALUE}"
VALIDATION_RECORD_NAME = _6709bba0b171XXXXXXXXXXXXXXXXXXXX.<your-domain>.
VALIDATION_RECORD_VALUE = _2166df0b8981XXXXXXXXXXXXXXXXXXXX.wggjkglgrm.acm-validations.aws.
Then use route53 list-hosted-zones to get the HostedZoneId.
$ HOSTED_ZONE_ID=$( \
aws route53 list-hosted-zones \
--query "HostedZones[?Name=='${HOSTED_DOMAIN}.'].Id" \
--output text) \
&& echo ${HOSTED_ZONE_ID}
/hostedzone/Z39XXXXXXXXXX
Use the route53 change-resource-record-sets command to create the record set in Route 53.
$ aws route53 change-resource-record-sets \
    --hosted-zone-id ${HOSTED_ZONE_ID} \
    --change-batch \
    "{
      \"Changes\": [
        {
          \"Action\": \"CREATE\",
          \"ResourceRecordSet\": {
            \"Name\": \"${VALIDATION_RECORD_NAME}\",
            \"Type\": \"CNAME\",
            \"TTL\": 300,
            \"ResourceRecords\": [{\"Value\": \"${VALIDATION_RECORD_VALUE}\"}]
          }
        }
      ]
    }"
3. Check validation status
Use acm describe-certificate to check the validation status.
$ aws acm describe-certificate \
--certificate-arn ${CERT_ARN} \
--query "Certificate.DomainValidationOptions[0].ValidationStatus" \
--output text
SUCCESS
Scripting this process
Now, let’s make the steps up to this point into a shell script.
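As an added example, not the author's own script, here is one way to put the three steps above into a single bash script that takes the same three arguments as the usage line in the next section (hosted domain, target domain, region). It assumes AWS CLI v2 configured with rights to ACM and Route 53; the helper names validation_field, build_change_batch and wait_for_validation are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not the post's own script); assumes AWS CLI v2 with ACM and Route 53 rights.
set -eu
# Read one field of the first DomainValidationOption. ACM fills in ResourceRecord a
# few seconds after the request, so retry while the text output still reads "None".
validation_field() {
  local cert_arn="$1" region="$2" field="$3" value="None" i=0
  while [ "$value" = "None" ] && [ "$i" -lt 12 ]; do
    value=$(aws acm describe-certificate --region "$region" --certificate-arn "$cert_arn" \
      --query "Certificate.DomainValidationOptions[0].${field}" --output text)
    [ "$value" != "None" ] || sleep 5; i=$((i + 1))
  done
  [ "$value" != "None" ] || { echo "validation record not ready: ${cert_arn}" >&2; return 1; }
  printf '%s\n' "$value"
}
# Change batch for the validation CNAME. UPSERT, rather than the CREATE used in the
# manual steps, lets a re-run succeed when the record already exists.
build_change_batch() {
  printf '{"Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"CNAME","TTL":300,"ResourceRecords":[{"Value":"%s"}]}}]}' "$1" "$2"
}
# Poll ValidationStatus: returns 0 on SUCCESS, 1 on FAILED or after max_tries polls.
wait_for_validation() {
  local cert_arn="$1" region="$2" max_tries="${3:-30}" interval="${4:-10}" status i=0
  while [ "$i" -lt "$max_tries" ]; do
    status=$(aws acm describe-certificate --region "$region" --certificate-arn "$cert_arn" \
      --query "Certificate.DomainValidationOptions[0].ValidationStatus" --output text)
    case "$status" in
      SUCCESS) return 0 ;;
      FAILED)  echo "validation failed: ${cert_arn}" >&2; return 1 ;;
    esac
    i=$((i + 1)); sleep "$interval"
  done
  echo "timed out waiting for validation: ${cert_arn}" >&2; return 1
}
# Usage: issue-acm-certificate.sh <hosted-domain> <target-domain> <region>
main() {
  local hosted_domain="$1" target_domain="$2" region="$3" cert_arn name value zone_id
  # request-certificate returns the ARN itself; list-certificates may return several.
  cert_arn=$(aws acm request-certificate --region "$region" --domain-name "$target_domain" \
    --validation-method DNS --query CertificateArn --output text)
  name=$(validation_field "$cert_arn" "$region" ResourceRecord.Name)
  value=$(validation_field "$cert_arn" "$region" ResourceRecord.Value)
  zone_id=$(aws route53 list-hosted-zones --query "HostedZones[?Name=='${hosted_domain}.'].Id" --output text)
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_change_batch "$name" "$value")" >/dev/null
  wait_for_validation "$cert_arn" "$region"
  echo "$cert_arn"
}
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Unlike the manual steps, it takes the ARN straight from request-certificate, waits for ACM to populate the validation record, and polls until validation succeeds, fails or times out, so a non-zero exit means the certificate is not usable yet.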
How to use this script?
Using the script is easy. Save it as issue-acm-certificate.sh, make it executable with chmod +x, and run it as follows.
$ ./issue-acm-certificate.sh <your-hosted-domain> <domain-you-want-to-issue-certificate> <region-you-want-to-issue>
This topic is a partial excerpt and translation of the following blog post (my blog in Japanese):
#aws #acm