Before You Begin
There are two main approaches - AWS Certificate Manager (ACM) for AWS load balancers and CloudFront, and manual installation for self-managed EC2 instances.
For the manual EC2 path, you will need these three files from your SSL certificate download:
Installation Steps
ACM path - recommended for ELB and CloudFront (steps 1–5)
-
Open AWS Certificate Manager
In the AWS Console, search for Certificate Manager and open it. Ensure you are in the correct region (ACM certificates are region-specific for most services).
-
Request a certificate
Click Request a certificate, choose Public certificate, and enter your domain name (or *.yourdomain.com for wildcard).
-
Choose DNS validation
Select DNS validation, then click Request. ACM will provide a CNAME record to add to your DNS.
-
Add the DNS CNAME record
In your DNS provider, add the CNAME record provided by ACM. Validation typically completes within 30 minutes.
-
Attach to load balancer or CloudFront
Once validated, attach the certificate to your Application Load Balancer (HTTPS listener, port 443) or CloudFront distribution (General > SSL certificate).
Manual EC2 path - for self-managed servers (steps 6–7)
-
Upload files to EC2
SSH into your EC2 instance and upload your certificate files.
sudo cp certificate.crt /etc/ssl/certs/
sudo cp private.key /etc/ssl/private/
sudo cp ca_bundle.crt /etc/ssl/certs/ -
Configure your web server
Update your Apache or Nginx configuration to reference the uploaded certificate files. See the Apache or Nginx guide for exact directives.
Common Issues
- DNS validation pending for more than an hour
- Check that the CNAME record was added correctly and has fully propagated. Use a DNS lookup tool to verify the record is live. Note that some DNS providers take up to a few hours to propagate changes globally.
- Certificate not available in the load balancer dropdown
- ACM certificates are region-specific. Ensure the certificate was issued in the same AWS region as your Application Load Balancer. For CloudFront you must use the us-east-1 (N. Virginia) region.
- EC2 port 443 not reachable
- Your EC2 Security Group must allow inbound traffic on TCP port 443. Open the EC2 console, select your instance, navigate to Security Groups, and add an inbound rule for HTTPS (port 443, source 0.0.0.0/0).
Frequently Asked Questions
Certificate Installed? Set Up Expiry Monitoring.
Get an email reminder 14 days before your certificate expires - free, no account needed.