Best Practices for Using SSL Certificates in DANAconnect
DANAconnect, by operating on AWS, recommends following best practices for SSL certificate management to avoid potential connection failures to the appserv.danaconnect.com, api.danaconnect.com, and ws.danaconnect.com services.
Clients should validate the SSL certificate directly online each time they access a service. Storing local copies of certificates is not recommended, as they may become outdated. If a certificate is updated or renewed in DANAconnect, a trust center with local copies will cause service failures by using an invalid SSL.
Clients are responsible for monitoring these certificates if they choose to keep local SSL copies, but real-time SSL validation is the best approach to avoid these issues.
AWS allows configuring a CAA record for client domains, which authorizes only AWS Certificate Manager (ACM) to issue SSL certificates for those domains or subdomains. Configuring a CAA record ensures that only AWS can issue these certificates, preventing the risk of unauthorized issuance.
Clients should add the following trusted domains to their CAA records for use with DANAconnect on AWS:
- amazon.com
- amazontrust.com
- awstrust.com
- amazonaws.com
To ensure the stability and security of services on DANAconnect, clients must validate SSLs online and configure appropriate CAA records in their DNS. These measures protect against certificate invalidation and prevent interruptions in service consumption.
1. Online SSL Validation
Clients should validate the SSL certificate directly online each time they access a service. Storing local copies of certificates is not recommended, as they may become outdated. If a certificate is updated or renewed in DANAconnect, a trust center with local copies will cause service failures by using an invalid SSL.
Clients are responsible for monitoring these certificates if they choose to keep local SSL copies, but real-time SSL validation is the best approach to avoid these issues.
2. CAA Record Configuration in DNS
AWS allows configuring a CAA record for client domains, which authorizes only AWS Certificate Manager (ACM) to issue SSL certificates for those domains or subdomains. Configuring a CAA record ensures that only AWS can issue these certificates, preventing the risk of unauthorized issuance.
Clients should add the following trusted domains to their CAA records for use with DANAconnect on AWS:
- amazon.com
- amazontrust.com
- awstrust.com
- amazonaws.com
Conclusion
To ensure the stability and security of services on DANAconnect, clients must validate SSLs online and configure appropriate CAA records in their DNS. These measures protect against certificate invalidation and prevent interruptions in service consumption.
Updated on: 09/13/2024
Thank you!