Get A Free SSL Certificate From AWS

Learn how to get a free SSL certificate from AWS that you can use with AWS’ entire suite of cloud services. This detailed step-by-step how-to guide will help you to get your SSL certificate issued quickly and painlessly.


I highly recommend using AWS Certificate Manager to create your SSL certificate. This is an especially good choice if you’re new to SSL because the certificate application process is well-documented and intuitive.

What Is An SSL Certificate?

Generally speaking, an SSL certificate is a prerequisite for your server to be able to communicate over HTTPS. It facilitates a private connection between your site and your site’s users. Suppose, for example, that you’re at a party talking to a friend about a sensitive subject in a room where many people can overhear your conversation. If you and your friend both speak Spanish, but no one else in the room understands Spanish, then you can just switch your conversation to Spanish and you no longer need to worry about anyone eavesdropping. In this case Spanish accomplishes the same thing as HTTPS.

Keep in mind that AWS manages more than two dozen different data centers around the world and that the SSL certificate that you request is associated with, and sometimes only available to, the various AWS cloud services that are available in that data center. For example, if you intend to use your SSL certificate with an Elastic Load Balancer that you created in the N. California data center then you need to request the SSL certificate from that same N. California data center.

How-To

Summary of the steps to request an SSL certificate

  1. Provide Domain Names
  2. Select A Validation Method
  3. Review & Confirm
  4. Begin Validation Process

1. Provide Domain Names

By default AWS presents you with an input box for exactly one domain name. However, you can actually include several domain names, and you can use wildcards to describe subdomains. If you’re new to this then I suggest you follow the guidelines in this screen shot: add your primary domain name, but also add a second record with a wildcard subdomain to account for all derivations of your domain name like www, dev, app, and so on.

2. Select A Validation Method

AWS wants to ensure that you really have control of the domain name before they’ll issue you an SSL certificate. They provide two means of validation. You’ll ultimately get the same certificate regardless of how AWS validates you, so I suggest you do whatever is simplest and easiest. If you choose email validation then you should be aware that AWS will send a confirmation email to the email address registered as the primary technical contact for the domain. You can use https://whois.icann.org/en to find out what that address is. If you use “DNS Validation” then read on.

3. Review & Confirm

Ok, confirm your SSL request to initiate the SSL certificate issuance process.

If you chose DNS validation then AWS will generate the values for a new record entry in your DNS server. You’ll find the record values in the home screen of the Certificate Manager along with a variety of ways to add the new record depending on where your DNS records are managed.

4. Begin Validation Process

It can take up to 24 hours for AWS to validate your SSL certificate request. I use AWS Route53 to manage my DNS records, and in my case it took around 30 minutes for the validation process to complete. I’ve also done this process with GoDaddy and Network Solutions, and in both cases it took less than one hour to complete. Thus, if you use any of these popular DNS services and you find that it is taking longer than one hour to validate your new DNS record then you probably did not add the CNAME correctly.

A common mistake when adding AWS’ custom CNAME records to your DNS is erroneously including the name of your domain in the CNAME record name. No one will tell you if you make this mistake. You’ll just wait, and wait, and wait, until the end of time.
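An added example, not from the original post: a small Python check for the doubled-domain mistake described above. It assumes a DNS provider that appends the zone name to whatever is typed in the record-name box; the record name and domain are constructed sample values, and the function names are hypothetical.

```python
def _norm(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot only marks the name as absolute.
    return name.strip().lower().rstrip(".")


def host_field(acm_record_name: str, zone: str) -> str:
    """Return what to type when the provider appends the zone itself."""
    fqdn, zone = _norm(acm_record_name), _norm(zone)
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{acm_record_name!r} is not inside zone {zone!r}")
    return fqdn[: -(len(zone) + 1)]


def published_name(entered: str, zone: str, provider_appends_zone: bool = True) -> str:
    """The fully qualified name the provider ends up publishing (assumed model)."""
    entered, zone = _norm(entered), _norm(zone)
    if not provider_appends_zone:
        return entered
    return zone if entered in ("", "@") else f"{entered}.{zone}"


def check_entry(entered: str, acm_record_name: str, zone: str) -> str:
    """Compare what was typed with the name the validation lookup expects."""
    want, zone = _norm(acm_record_name), _norm(zone)
    got = published_name(entered, zone)
    if got == want:
        return "ok"
    if got == f"{want}.{zone}":
        return f"doubled domain: published as {got}; enter {host_field(want, zone)!r} instead"
    return f"mismatch: published as {got}, expected {want}"


# Constructed sample values, not real Certificate Manager output.
ZONE = "example.com"
ACM_NAME = "_3f2a9c0d1e.example.com."

if __name__ == "__main__":
    for typed in ("_3f2a9c0d1e", "_3f2a9c0d1e.example.com.", "_typo"):
        print(f"{typed!r:30} -> {check_entry(typed, ACM_NAME, ZONE)}")
```
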

While you’re waiting for the validation process to complete you’ll see a “Pending Validation” status for the domain certificate in the Certificate Manager console. Once the validation process has finished the “Pending Validation” status will be replaced with “Issued” in green text. Additionally, you’ll see some SSL certificate issuance metadata inside the detail of the certificate record.

January 19th, 2018 | Categories: AWS, Dev Ops | 10 Comments

About the Author:

Lawrence is a full stack developer specializing in the Open edX platform, Django, Angular, Ionic, Wordpress and Amazon Web Services. He lives in Puerto Escondido, Oaxaca, Mexico.

10 Comments

  1. Sriram July 16, 2019 at 4:53 am

    In my case, we issue a SSL from AWS and our domain is in godaddy. We added the CNAME entry and the status shows “Issued” in the AWS console. But the “In Use” status in the AWS console is No, so my https: is not working only. Am I missing some step extra outside what you mentioned or it takes time for AWS to make my domain use the https?

  2. s mishra June 19, 2019 at 5:11 am

    good work keep it up

  3. Dhruv July 16, 2018 at 2:30 pm

    Hi! Can you write a post regarding host a Static website on S3! It would be great! Also, what should we use for https CloudFlare or CloudFront?

    • admin July 16, 2018 at 3:44 pm

      hi Dhruv, sure, that’s a great idea. re https, i use CloudFront but you have to ensure that you’ve configured your CloudFront instance to redirect http to https.

      • Dhruv July 19, 2018 at 12:30 pm

        Hi! Thanks for the advice. I am still developing my website! I really like your website. Are you hosting this on S3?
        How are these comments working? Can you please guide me!

        • admin July 19, 2018 at 12:42 pm

          hi Dhruv, good luck with your site. my blog runs on WordPress. most of the WordPress articles on the blog are about building this blog (so, it’s a bit recursive!). coincidentally my most recent post (https://blog.lawrencemcdaniel.com/aws-static-hosting-wordpress/) explains why WordPress won’t run on S3. however, i do use AWS’ CloudFront CDN for the blog, which itself depends on S3. hope that helps!

      • Dhruv July 21, 2018 at 8:48 am

        Hi! Thanks for the advice! Could you please tell me, are you using S3 for this blog or EC2?
        Also, is there a good site where i can find a good blog theme such as yours?

        • admin July 21, 2018 at 9:45 am

          this blog runs on a commercial WordPress hosting platform that uses clustered EC2 instances + S3/Cloudfront for content delivery of static assets. a WordPress plugin named W3 Total Cache is a good way to get started on offloading your site’s digital assets to a Content Delivery Network (CDN) like CloudFront. you’ll find posts in this blog about how to set all of this up. Regarding themes: you should check out Theme Forest, which is the best collection of high quality WordPress themes that i’ve found. https://themeforest.net/popular_item/by_category?category=wordpress

  4. Brent June 11, 2018 at 8:08 am

    You saved my bacon here. You are the only one who mentioned why my cert wasn’t getting verified – because AWS instructions are COMPLETELY WRONG. Not just missing, but wrong.

    The fact that you have to remove the “.yourdomain.com.” from the CNAME is just unbelievable. This is why computers aren’t going to take our jobs away – the humans can’t tell the computers what to accurately do!

    I’ve looked all weekend for why my SSL AWS Cert was failing. You saved me. Can I send you some bacon since you saved mine? Can I send you a gift card? Do you have an amazon wish list?

    • admin June 11, 2018 at 9:41 am

      glad to help brent! please send bacon 🥓🥓🥓 via fedex to Lawrence, beachside at Puerto Escondido, Mexico! 😀
