Choose the right SSL certificate and integration

SSL Certificate options

Encrypted connections (HTTPS) require a valid SSL certificate for the desired domains.

The table below compares certificates supplied by AWS with those offered by third parties. AWS certificates are limited in their use: they must be used with an AWS load balancer or the AWS CloudFront CDN. AWS also does not supply Extended Validation (EV) certificates. On the upside, AWS certificates are free and can be renewed automatically. There is no additional fee from root360 for the setup of an AWS certificate.

| Certificate type | Validity | Renewal | Price | Wildcard | Multi-domain | Extended Validation | Restrictions | Procurement through |
|---|---|---|---|---|---|---|---|---|
| Standard SSL certificates from AWS | 13 months | automatically | free | possible | possible | No | Only AWS load balancer and CDN | root360 |
| Standard SSL certificates | Selectable (e.g. 1 or 2 years) | manually | Depending on provider | possible | possible | No | flexible | customer |
| Extended Validation (EV) certificates | Selectable (e.g. 1 or 2 years) | manually | Depending on provider | possible | possible | Yes | flexible | customer |

Root360 monitors all customer environments for certificate validity. We inform you as soon as the validity of any of your certificates is less than 30 days.

AWS certificates (AWS Certificate Manager)

Root360 handles the creation of the certificates with AWS. For this we need a list of the domains for which the certificate should be valid.

New certificates must be validated. AWS requires this to ensure that the applicant has control over the domains. Validation can be done by DNS or by email. Root360 recommends validation by DNS because the yearly renewal is then automatic.

DNS validation (recommended)

With this validation method, you have to enter special DNS records into the DNS zones of the certificate's domains. To use this validation method, you or your contractor must have access to the DNS zones of the domains in the certificate.

We will send you these DNS records (of type CNAME) that AWS generated, one for each domain.

They look like this:

_8edc0c37fa0f0de703fd4dc99df3336e.example.de.      CNAME    _4ac89c69d1d4c28a337d9e135caaed39.acm-validations.aws.

Renewal: AWS automatically renews the certificate as long as the records exist.
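Because renewal depends on the records staying in place, it is worth checking a zone export against the records AWS generated. The following is an added example, not root360 or AWS tooling: it assumes a BIND-style zone export, the function names are illustrative, and the second and third records and the zone text are constructed.

```python
import re

# Matches "owner [ttl] [IN] CNAME target", the layout of the record shown above.
RECORD_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)

def norm(name, origin=""):
    """Lower-case a DNS name; a name without trailing dot is relative to origin."""
    name = name.strip().lower()
    if name.endswith("."):
        return name
    return f"{name}.{origin.strip('.').lower()}." if origin else name + "."

def parse_cnames(zone_text, origin):
    """Return {owner: target} for every CNAME line of a zone export."""
    records = {}
    for line in zone_text.splitlines():
        m = RECORD_RE.match(line.split(";", 1)[0].strip())  # drop ';' comments
        if m:
            records[norm(m.group(1), origin)] = norm(m.group(2), origin)
    return records

def check_validation_records(expected, zone_text, origin):
    """Report, per expected record, whether the zone really contains it."""
    zone = parse_cnames(zone_text, origin)
    report = {}
    for owner, target in expected.items():
        owner, target = norm(owner), norm(target)
        if zone.get(owner) == target:
            report[owner] = "ok"
        elif owner in zone:
            report[owner] = "wrong-target"
        elif norm(owner.rstrip("."), origin) in zone:
            report[owner] = "origin-appended"  # full name entered without trailing dot
        else:
            report[owner] = "missing"
    return report

# Added example data: the first record is the one shown above, the rest is constructed.
EXPECTED = {
    "_8edc0c37fa0f0de703fd4dc99df3336e.example.de.": "_4ac89c69d1d4c28a337d9e135caaed39.acm-validations.aws.",
    "_11111111111111111111111111111111.www.example.de.": "_22222222222222222222222222222222.acm-validations.aws.",
    "_33333333333333333333333333333333.shop.example.de.": "_44444444444444444444444444444444.acm-validations.aws.",
}
ZONE = """\
_8edc0c37fa0f0de703fd4dc99df3336e 300 IN CNAME _4ac89c69d1d4c28a337d9e135caaed39.acm-validations.aws.
_11111111111111111111111111111111.www.example.de 300 IN CNAME _22222222222222222222222222222222.acm-validations.aws.
"""

print(check_validation_records(EXPECTED, ZONE, "example.de"))
```

A status of `origin-appended` or `wrong-target` usually means a fully qualified name was entered without its trailing dot, so the zone name was appended to it and AWS cannot find the record it expects.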

Email validation

With this validation method, AWS sends emails to specific email addresses (see the list below). You must be able to receive emails at at least one of these addresses and check it regularly so that you do not miss the renewal email 13 months later.

List of validation email addresses:

  • administrator@your_domain

  • hostmaster@your_domain

  • postmaster@your_domain

  • webmaster@your_domain

  • admin@your_domain

The validation email contains a link that must be accessed to validate the certificate.

Renewal: A certificate from AWS is usually valid for 13 months. Shortly before it expires AWS sends another validation mail with a link that must be accessed to keep the certificate valid for another 13 months.

For some customers the initial setup of a certificate through email validation is less complicated. However, it creates work each time it needs to be renewed.
That is why root360 recommends using DNS validation.

AWS does not supply Extended Validation certificates. If you need one, feel free to contact us by mail (service@root360.de) or phone (+49 (0) 341-392 801 80).

Certificates from other providers

You are free to get your certificates from other providers. If you choose to do so, you are responsible for their initial acquisition and renewal. Please get in touch with service@root360.de to send us the certificate.

Exception: root360 redirect service

We offer a redirect service. Details about this system and its possible applications can be found at https://root360.atlassian.net/wiki/spaces/KB/pages/2014350505.

The redirect service cannot be provided with standard SSL certificates from Amazon Web Services.

This means that the functionality can only be used for HTTPS connections if a certificate is purchased from a third-party provider.

If HTTPS is not relevant, redirects for HTTP requests work without problems; for HTTPS requests, browsers issue a warning because the certificate is then invalid.

We always recommend serving all content consistently via a so-called third-level domain, e.g. www.your_domain.com.
