Learn how to get a free SSL certificate from AWS that you can use with AWS’ entire suite of cloud services. This detailed step-by-step how-to guide will help you to get your SSL certificate issued quickly and painlessly.


I highly recommend using AWS Certificate Manager to create your SSL certificate. This is an especially good choice if you’re new to SSL because the certificate application process is well-documented and intuitive.

What Is An SSL Certificate?

Generally speaking, an SSL certificate is a prerequisite for your server to be able to communicate over HTTPS. It facilitates a private connection between your site and your site’s users. Suppose, for example, that you’re at a party talking to a friend about a sensitive subject in a room where many people can overhear your conversation. If you and your friend both speak Spanish but no one else in the room understands Spanish, then you can switch your conversation to Spanish and no longer need to worry about anyone eavesdropping. In this case, Spanish accomplishes the same thing as HTTPS.

Keep in mind that AWS manages more than two dozen different data centers around the world, and that the SSL certificate you request is associated with, and sometimes only available to, the AWS cloud services in the data center where you request it. For example, if you intend to use your SSL certificate with an Elastic Load Balancer that you created in the N. California data center, then you need to request the SSL certificate from that same N. California data center.

How-To

Summary of the steps to request an SSL certificate

  1. Provide Domain Names
  2. Select A Validation Method
  3. Review & Confirm
  4. Begin Validation Process

1. Provide Domain Names

By default, AWS presents you with an input box for exactly one domain name. However, you can include several domain names, and you can use wildcards to describe subdomains. If you’re new to this, then I suggest the following: add your primary domain name, but also add a second record with a wildcard subdomain to account for all derivations of your domain name like www, dev, app, and so on.

2. Select A Validation Method

AWS wants to ensure that you really have control of the domain name before they’ll issue you an SSL certificate. They provide two means of validation: email validation and DNS validation. You’ll ultimately get the same certificate regardless of how AWS validates you, so I suggest you do whatever is simplest and easiest. If you choose email validation, then you should be aware that AWS will send a confirmation email to the email address registered as the primary technical contact for the domain. You can use https://whois.icann.org/en to find out what that address is. If you use “DNS Validation” then read on.

3. Review & Confirm

Ok, confirm your SSL request to initiate the SSL certificate issuance process.

If you chose DNS validation then AWS will generate the values for a new record entry in your DNS server. You’ll find the record values in the home screen of the Certificate Manager along with a variety of ways to add the new record depending on where your DNS records are managed.

4. Begin Validation Process

It can take up to 24 hours for AWS to validate your SSL certificate request. I use AWS Route53 to manage my DNS records, and in my case it took around 30 minutes for the validation process to complete. I’ve also done this process with GoDaddy and Network Solutions, and in both cases it took less than one hour to complete. Thus, if you use any of these popular DNS services and you find that it is taking longer than one hour to validate your new DNS record then you probably did not add the CNAME correctly.

A common mistake when adding AWS’ custom CNAME records to your DNS is erroneously including the name of your domain in the CNAME record name. No one will tell you if you make this mistake. You’ll just wait, and wait, and wait, until the end of time.
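The following Python sketch is an added example, not part of the original article. It derives what to type in a DNS console's host field from the record name ACM shows, and flags the doubled-domain mistake described above. It assumes your DNS console appends the zone name to the host field automatically; the record name, zone and function names are constructed for illustration.

```python
# Added example (not from the original article). The record name and zone
# below are constructed placeholders, not real ACM output.

def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot only marks the root.
    return name.strip().rstrip(".").lower()

def host_field_for(acm_record_name: str, zone: str) -> str:
    """Value for the DNS console's host/name box, assuming the console
    appends the zone to whatever is typed there."""
    fqdn, zone = _norm(acm_record_name), _norm(zone)
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -(len(zone) + 1)]

def diagnose(published_fqdn: str, acm_record_name: str, zone: str) -> str:
    """Compare the name that exists in DNS with the name ACM asked for."""
    published, wanted, zone = map(_norm, (published_fqdn, acm_record_name, zone))
    if published == wanted:
        return "ok"
    if published == f"{wanted}.{zone}":
        # The full name was pasted and the console appended the zone again.
        return "doubled-zone"
    return "mismatch"

if __name__ == "__main__":
    ZONE = "example.com"                    # constructed
    ACM_NAME = "_3f1c9a7e5b.example.com."   # constructed record name
    print("type into host box:", host_field_for(ACM_NAME, ZONE))
    for published in ("_3f1c9a7e5b.example.com.",
                      "_3f1c9a7e5b.example.com.example.com."):
        print(published, "->", diagnose(published, ACM_NAME, ZONE))
```

Feed `diagnose` the record name exactly as your DNS provider lists it after saving; a `doubled-zone` result means the record should be recreated with only the value returned by `host_field_for`.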

While you’re waiting for the validation process to complete, you’ll see a “Pending Validation” status for the domain certificate in the Certificate Manager console. Once the validation process has finished, the “Pending Validation” status will be replaced with “Issued” in green text. Additionally, you’ll see some SSL certificate issuance metadata inside the detail of the certificate record.