Install SSL on AWS

Use AWS Certificate Manager for managed services, or install your certificate manually on EC2.

Before You Begin

There are two main approaches - AWS Certificate Manager (ACM) for AWS load balancers and CloudFront, and manual installation for self-managed EC2 instances.

For the manual EC2 path, you will need these three files from your SSL certificate download:

certificate.crtYour SSL certificate
private.keyYour private key - keep this secure
ca_bundle.crtCA bundle (intermediate certificates)

Installation Steps

ACM path - recommended for ELB and CloudFront (steps 1–5)

  1. Open AWS Certificate Manager

    In the AWS Console, search for Certificate Manager and open it. Ensure you are in the correct region (ACM certificates are region-specific for most services).

  2. Request a certificate

    Click Request a certificate, choose Public certificate, and enter your domain name (or *.yourdomain.com for wildcard).

  3. Choose DNS validation

    Select DNS validation, then click Request. ACM will provide a CNAME record to add to your DNS.

  4. Add the DNS CNAME record

    In your DNS provider, add the CNAME record provided by ACM. Validation typically completes within 30 minutes.

  5. Attach to load balancer or CloudFront

    Once validated, attach the certificate to your Application Load Balancer (HTTPS listener, port 443) or CloudFront distribution (General > SSL certificate).

Manual EC2 path - for self-managed servers (steps 6–7)

  1. Upload files to EC2

    SSH into your EC2 instance and upload your certificate files.

    sudo cp certificate.crt /etc/ssl/certs/
    sudo cp private.key /etc/ssl/private/
    sudo cp ca_bundle.crt /etc/ssl/certs/
  2. Configure your web server

    Update your Apache or Nginx configuration to reference the uploaded certificate files. See the Apache or Nginx guide for exact directives.

Common Issues

DNS validation pending for more than an hour
Check that the CNAME record was added correctly and has fully propagated. Use a DNS lookup tool to verify the record is live. Note that some DNS providers take up to a few hours to propagate changes globally.
Certificate not available in the load balancer dropdown
ACM certificates are region-specific. Ensure the certificate was issued in the same AWS region as your Application Load Balancer. For CloudFront you must use the us-east-1 (N. Virginia) region.
EC2 port 443 not reachable
Your EC2 Security Group must allow inbound traffic on TCP port 443. Open the EC2 console, select your instance, navigate to Security Groups, and add an inbound rule for HTTPS (port 443, source 0.0.0.0/0).

Frequently Asked Questions

ACM-issued certificates are free when used with AWS services such as Elastic Load Balancing, CloudFront, or API Gateway. You pay for the underlying AWS service, not the certificate itself.

ACM does not support importing externally issued Let's Encrypt certificates for use with managed services like ELB or CloudFront - use ACM's own certificate issuance for those. For EC2 instances with Apache or Nginx, you can install the SSLs For Free certificate manually using the steps above.

ACM automatically renews certificates before they expire as long as the DNS validation CNAME records remain in place in your DNS provider. No manual action is needed - renewal is fully managed by AWS.

Certificate Installed? Set Up Expiry Monitoring.

Get an email reminder 14 days before your certificate expires - free, no account needed.