Learn how to get a free SSL certificate from AWS that you can use with AWS’ entire suite of cloud services. This detailed step-by-step how-to guide will help you to get your SSL certificate issued quickly and painlessly.
I highly recommend using AWS Certificate Manager to create your SSL certificate. This is an especially good choice if you’re new to SSL because the certificate application process is well-documented and intuitive.
What Is An SSL Certificate?
Generally speaking, a SSL certificate is a prerequisite component for your server to be able to communicate over HTTPS. It facilitates a private connection between your site and your site’s users. Suppose for example that you’re at a party talking to a friend about a sensitive subject in a room where many people can overhear your conversation. If you and your friend both speak Spanish, but no one else in the room understands Spanish then you can just switch your conversation to Spanish and then you no longer need to worry about anyone eavesdropping. In this case Spanish accomplishes the same thing as HTTPS.
How-To
Summarizing the steps request a SSL certificate
1. Provide Domain Names
By default AWS presents you with an input box to input exactly one domain name. However, you can actually include several domain names, and, you can use wildcards to describe subdomains. If you’re new to this then I suggest you follow the guidelines in this screen shot: add your primary domain name, but also add a second record with a wildcard subdomain to account for all derivations of your domain name like www, dev, app, and so on.
2. Select A Validation Method
AWS wants to ensure that you really have control of the domain name before they’ll issue you a SSL certificate. They provide two means of validation. You’ll ultimately get the same certificate regardless of how AWS validates you, so I suggest you do whatever is simplest and easiest. If you choose email validation then you should be aware that AWS will send a confirmation email to the email address registered as the primary technical contact for the domain. You can use https://whois.icann.org/en to find out what that address is. If you use “DNS Validation” then read on.
3. Review & Confirm
Ok, confirm your SSL request to initiate the SSL certificate issuance process.
If you chose DNS validation then AWS will generate the values for a new record entry in your DNS server. You’ll find the record values in the home screen of the Certificate Manager along with a variety of ways to add the new record depending on where your DNS records are managed.
4. Review & Confirm
It can take up to 24 hours for AWS to validate your SSL certificate request. I use AWS Route53 to manage my DNS records, and in my case it took around 30 minutes for the validation process to complete. I’ve also done this process with GoDaddy and Network Solutions, and in both cases it took less than one hour to complete. Thus, if you use any of these popular DNS services and you find that it is taking longer than one hour to validate your new DNS record then you probably did not add the CNAME correctly.
A common mistake when adding AWS’ custom CNAME records to your DNS is erroneously including the name of your domain in the CNAME record name. No one will tell you if you make this mistake …. you’ll just wait, and wait, and wait, until the end of time.
While you’re waiting for the validation process to complete you’ll see a “Pending” status for the domain certificate in the Certificate Manager console. Once the validation process has finished the “Pending Validation” status will be replaced with “Issued” in green text. Additionally, you’ll see some SSL certificate issuance meta data inside the detail of the certificate record.
This is a really misleading title. AWS certificate manager costs 400USD a month!! That’s more than my entire AWS budget!
https://aws.amazon.com/certificate-manager/pricing/
“$400.00 per month for each ACM private CA until you delete the CA.”
if you delete the CA you lose your certificate and no more SSL! All services down.
AS, that is not correct. i currently have AWS certificates installed and operating on a couple dozen projects. They are free.
Does this work without the load balancer method which I believe is required for EC2?
I am planning to build an e-commerce website where payment gateway will be enabled.. will AWS SSL safe to integrate with it? Please suggest
yes, not only safe but preferable.
just to make sure…..the SSL cert is free?
yes
In my case, we issue a SSL from AWS and our domain is in godaddy. We added the CNAME entry and the status shows “Issued” in the AWS console. But the “In Use” status in the AWS console is No, so my https: is not working only. Am I missing some step extra outside what you mentioned or it takes time for AWS to make my domain use the https?
good work keep it up
Hi! Can you write a post regarding host a Static website on S3! It would be great! Also, what should we use for https CloudFlare or CloudFront?
hi Dhruv, sure, that’s a great idea. re https, i use CloudFront but you have to ensure that you’ve configured your CloudFront instance to redirect http to https.
Hi! Thanks for the advice. I am still developing my website! I really like your website. Are you hosting this on S3?
How are these comments are working? Can you please guide me!
hi Dhruv, good luck with your site. my blog runs on WordPress. most of the WordPress articles on the blog are about building this blog (so, it’s a bit recursive!). coincidentally my most recent post (https://blog.lawrencemcdaniel.com/aws-static-hosting-wordpress/) explains why WordPress won’t run on S3. however, i do use AWS’ CloudFront CDN for the blog, which itself depends on S3. hope that helps!
Hi! Thanks for the advise! Could please tell me are you using S3 for this blog or EC2?
Also, Is there a good site where i can find a good blog theme such as yours?
this blog runs on a commercial WordPress hosting platform that uses clustered EC2 instances + S3/Cloudfront for content delivery of static assets. a WordPress plugin named W3 Total Cache is a good way to get started on offloading your site’s digital assets to a Content Delivery Network (CDN) like CloudFront. you’ll find posts in this blog about how to set all of this up. Regarding themes: you should check out Theme Forest, which is the best collection of high quality WordPress themes that i’ve found. https://themeforest.net/popular_item/by_category?category=wordpress
You saved my bacon here. You are the only one who mentioned why my cert wasn’t getting verified – because AWS instructions are COMPLETELY WRONG. Not just missing, but wrong.
The fact that you have to remove the “.yourdomain.com.” wrong the CNAME is just unbelievable. This is why computers aren’t going to take our jobs away – the humans can’t tell the computers what to accurately do!
I’ve looked all weekend for why my SSL AWS Cert was failing. You saved me. Can I send you some bacon since you saved mine? Can I send you a gift card? Do you have an amazon wish list?
glad to help brent! please send bacon 🥓🥓🥓 via fedex to Lawrence, beachside at Puerto Escondido, Mexico! 😀