
How to Install an SSL Certificate in AWS

In this tutorial, you will learn how to install an SSL certificate in AWS (Amazon Web Services). On AWS you do not install a certificate on a single server the way you would with Apache or Nginx. Instead, you import the certificate once into a certificate store, then attach it to a managed service (a load balancer, CloudFront, or API Gateway) that ends the TLS connection for you. This guide covers AWS Certificate Manager (ACM), the legacy IAM certificate store, and Elastic Load Balancing (ELB).

Prior to the installation, you need to generate a Certificate Signing Request (CSR) and send it to the Certificate Authority for approval. If you have not completed this step, start with the first part of this tutorial. If you already have your SSL certificate files, jump straight to the installation guide below.

How to generate a CSR code in AWS

When applying for an SSL certificate, one essential step is to submit the CSR code to your SSL provider, also called the Certificate Authority. The CSR contains encoded information about your domain name and organization. You cannot obtain a signed SSL certificate without providing this block of code. You have two options:

  • Use our CSR Generator to create the CSR automatically.
  • Generate the CSR manually. The best option is to create the CSR on the same server where your SSL certificate will run. Choose the tutorial for your platform:

If you only have a load balancer and no origin web server to run the command on, you can create your CSR and private key with the OpenSSL tool:

openssl req -new -newkey rsa:2048 -nodes -keyout yoursite.key -out yoursite.csr

Note: replace yoursite with the domain name you want to secure. This command also writes your private key (yoursite.key); keep it safe, because you need it later to import the certificate. The -nodes flag leaves the key unencrypted, which is the form ACM requires.

After you run the command, OpenSSL writes the CSR to yoursite.csr. Open that file and copy the whole block, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. You will paste this code during your SSL certificate activation.

Prepare all the certificate files

Before starting the installation, make sure you have all the necessary certificate files. After the Certificate Authority signs your SSL certificate, it sends the installation files to your inbox. Here is what you need:

  • Your primary certificate file, issued for the domain name you want to secure.
  • The CA bundle (the intermediate certificate chain) from your Certificate Authority.
  • Your private key.

Your SSL certificate and the CA bundle arrive in the ZIP archive that the CA sent you. The private key is the one you generated along with your CSR code; it stays in the same place where you created the CSR.

One last thing to check is the format of your files. ACM and IAM accept only PEM-encoded files, so make sure your certificate, chain, and private key are in PEM. PEM is a text format that can carry several file extensions (.pem, .key, .cer, .crt, and others); a PEM file starts with a line such as -----BEGIN CERTIFICATE-----. The private key must be unencrypted: ACM rejects a key that is protected by a password or passphrase.

If you received your files in another format, such as PFX/PKCS#12, convert them to PEM first. You can do this with OpenSSL commands. Once your files are in PEM format, you are ready to install your certificate.
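Before importing, it pays to confirm that the three files really belong together and are in the form ACM expects. The script below is an added example, not part of the original article or any AWS tool; it assumes only the openssl command-line tool, and the output file names private.key, certificate.crt and ca-bundle.crt are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): pre-import checks for the
# three PEM files ACM and IAM expect, plus the PFX-to-PEM split mentioned above.
# Requires only the openssl command-line tool.

# Return 0 when certificate ($1), private key ($2) and chain ($3) are importable:
# all PEM, key unencrypted, key matches the certificate, chain signs the certificate.
check_pem_files() {
  cert="$1"; key="$2"; chain="$3"
  # Each file must carry the PEM header ACM expects for that slot.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || { echo "certificate is not PEM: $cert"; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || { echo "chain is not PEM: $chain"; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "private key is not PEM: $key"; return 1; }
  # ACM rejects passphrase-protected keys, whether PKCS#8 ("BEGIN ENCRYPTED
  # PRIVATE KEY") or legacy ("Proc-Type: 4,ENCRYPTED").
  if grep -q 'ENCRYPTED' "$key"; then
    echo "private key is encrypted; remove the passphrase first"; return 1
  fi
  # The public key inside the certificate must equal the private key's public half.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "cannot parse certificate"; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot parse private key"; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }
  # The bundle must lead to the certificate. -partial_chain lets an intermediate
  # act as trust anchor, so the root CA need not be present in the bundle.
  openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 \
    || { echo "chain does not validate certificate"; return 1; }
  echo "OK: files are ready for import"
}

# Split a PKCS#12 bundle ($1, password $2) into the three PEM files, written to
# directory $3. Re-encoding through openssl pkey/x509 and the sed filter drops the
# "Bag Attributes" text that openssl pkcs12 prints before each PEM block.
pfx_to_pem() {
  pfx="$1"; pass="$2"; out="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$out/private.key" 2>/dev/null || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$out/certificate.crt" 2>/dev/null || return 1
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out/ca-bundle.crt"
}
```

Run check_pem_files on the three files right before the ACM or IAM import; each failure message corresponds to one of the rejection reasons described in this section.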

Install an SSL certificate in AWS Certificate Manager (ACM)

ACM is the recommended place to store certificates for AWS managed services. You can import your third-party certificate through the console or the CLI.

Option A: Import in the ACM console

  1. Open the AWS console and go to Certificate Manager. Confirm you are in the correct Region (top right). Import the certificate in the same Region as the service that will use it. For CloudFront, use US East (N. Virginia), us-east-1.
  2. Choose Import certificate.
  3. In Certificate body, paste your primary certificate (the block beginning with -----BEGIN CERTIFICATE-----).
  4. In Certificate private key, paste your unencrypted private key (the block beginning with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----).
  5. In Certificate chain, paste your CA bundle (the intermediate certificates).
  6. Choose Next, add any tags, then choose Import.

Option B: Import with the AWS CLI

Run the command below to upload your certificate to ACM. Note the fileb:// prefix: it tells the CLI to read each file as raw bytes, which is what ACM expects.

aws acm import-certificate \
  --certificate fileb://example.crt \
  --private-key fileb://example.key \
  --certificate-chain fileb://example-bundle.crt

Note: replace each example file name with the actual name of your file. If the import is successful, the CLI returns the certificate ARN (Amazon Resource Name). You need this identifier to attach the certificate to a service. Here is the complete list of ACM commands to manage your certificate further.

Important caveats:

  • Imported certificates do not auto-renew. ACM auto-renews only the certificates it issues. You are responsible for tracking the expiry date of an imported certificate and re-importing a new one before it expires (AWS recommends at least 24 hours before the expiry). Re-importing into the same ACM certificate preserves the existing service associations, so the load balancer or distribution keeps using it without further changes.
  • Region matters. An ACM certificate is Regional. Import it in the same Region as the load balancer or service that will use it. CloudFront only accepts certificates from us-east-1.
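Because imported certificates never auto-renew, the two caveats above translate into a small routine: check how close the deployed certificate is to expiry, and when it is time, re-import the renewed one under the same ARN so nothing has to be re-attached. The script below is an added example, not from the original article or from AWS; the ARN and host name are placeholders, and reimport_into_acm needs the AWS CLI with credentials for the certificate's Region.

```shell
#!/bin/sh
# Added example (not from the original article): track an imported certificate's
# expiry and re-import the renewed one into the same ACM certificate (same ARN),
# which is what keeps existing listeners and distributions attached.

# Return 0 when the PEM certificate $1 expires within $2 days, i.e. when it is
# time to re-import. openssl's -checkend exits 0 while the certificate stays valid
# for the given number of seconds, so the result is inverted here.
cert_expires_within_days() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1   # still valid beyond the window
  fi
  return 0     # expires inside the window, or has already expired
}

# Same question asked of the certificate a load balancer is actually serving
# (host $1 is a placeholder; needs network access to port 443). A failed
# connection also yields 0, which errs on the side of raising an alert.
live_cert_expires_within_days() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1 && return 1
  return 0
}

# Re-import a renewed certificate into the SAME ACM certificate by passing its
# ARN ($1); $2, $3 and $4 are the new certificate, private key and chain in PEM.
# Placeholder arguments; needs the AWS CLI with credentials for that Region.
reimport_into_acm() {
  aws acm import-certificate \
    --certificate-arn "$1" \
    --certificate "fileb://$2" \
    --private-key "fileb://$3" \
    --certificate-chain "fileb://$4"
}

# Glue: re-import only when the currently deployed file is inside the window.
# AWS recommends re-importing at least 24 hours before expiry; a longer window
# such as 30 days leaves time to obtain the renewed certificate from the CA.
rotate_if_needed() {
  arn="$1"; current="$2"; new_cert="$3"; new_key="$4"; new_chain="$5"; days="${6:-30}"
  if cert_expires_within_days "$current" "$days"; then
    reimport_into_acm "$arn" "$new_cert" "$new_key" "$new_chain"
  else
    echo "certificate still valid for more than $days days; nothing to do"
  fi
}
```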

Install an SSL certificate in AWS IAM (legacy)

The IAM certificate store is the older method and AWS recommends ACM for new deployments. Use IAM only when a service or Region does not support ACM, or when you specifically need the IAM store (for example, certain CloudFront setups, where the path must start with /cloudfront/). Upload the certificate to IAM with:

aws iam upload-server-certificate \
  --server-certificate-name certificate-name \
  --certificate-body file://example.crt \
  --certificate-chain file://example-bundle.crt \
  --private-key file://example.key

Replace the values as shown below:

  • --server-certificate-name: a custom name that is easy to remember, for example your domain name. Use only upper and lower case alphanumeric characters; no spaces are allowed.
  • --certificate-body: the file name of your primary SSL certificate.
  • --certificate-chain: the file name of your CA bundle.
  • --private-key: the file name of your private key.

The certificate, private key, and chain must all be PEM-encoded, and the private key must match the certificate. If the upload is successful, the CLI returns the server certificate metadata, including its path, name, ID, ARN, upload date, and expiration date. For further help on SSL management and troubleshooting, refer to Amazon’s official guide.

Attach the certificate in ELB (Elastic Load Balancing)

Importing the certificate into ACM or IAM does not serve it yet. The certificate becomes active only when you attach its ARN to a service. This section assumes you have already imported the certificate and want to create or update HTTPS listeners on an existing load balancer. You will need your certificate’s ARN and the load balancer’s name or ARN.

Classic Load Balancer

Use the command below to create an HTTPS listener on a Classic Load Balancer and assign the certificate to it:

aws elb create-load-balancer-listeners \
  --load-balancer-name my-load-balancer \
  --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN"

Replace ARN with the ARN of your certificate from ACM or IAM. If you already have an HTTPS listener and only want to swap in a new certificate, use:

aws elb set-load-balancer-listener-ssl-certificate \
  --load-balancer-name my-load-balancer \
  --load-balancer-port 443 \
  --ssl-certificate-id NewARN

Replace NewARN with the ARN of the new certificate. Here is the full range of ELB commands, and the official Amazon guide on HTTPS listeners for Classic Load Balancer.

Application Load Balancer

Run the following command to create an HTTPS listener on an Application Load Balancer. The --ssl-policy value below selects a security policy that supports TLS 1.3 and TLS 1.2:

aws elbv2 create-listener \
  --load-balancer-arn my-load-balancer-arn \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=my-certificate-arn \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=my-target-group-arn

You can find the my-load-balancer-arn and my-target-group-arn values by running:

aws elbv2 describe-target-groups

This lists the target groups in your account together with the ARN of the load balancer each one is attached to. To add a new certificate to an existing HTTPS listener, use:

aws elbv2 modify-listener \
  --listener-arn my-https-listener-arn \
  --certificates CertificateArn=my-new-certificate-arn

You can find the my-https-listener-arn value with:

aws elbv2 describe-listeners \
  --load-balancer-arn my-load-balancer-arn

See the elbv2 command reference to manage your Application Load Balancer further.

Test your SSL installation

Browse the HTTPS version of your domain and check that the padlock is present. Click it to inspect the certificate details. For a deeper test, use our SSL Checker: it scans your installation and creates an instant report. You can also confirm the certificate from the command line:

echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -issuer -dates

This prints the issuer and the validity dates of the certificate the load balancer is serving. If you imported a new certificate but still see the old one, confirm the listener points at the new ARN and that you are testing the correct Region and endpoint.

Frequently Asked Questions

Where do I install an SSL certificate in AWS?

You do not install it on a single server. You import the certificate into AWS Certificate Manager (ACM), then attach the resulting ARN to a managed service that ends the TLS connection, such as an Application or Classic Load Balancer, a CloudFront distribution, or an API Gateway custom domain.

Does ACM renew an imported certificate automatically?

No. ACM auto-renews only the certificates it issues. An imported third-party certificate must be reissued and re-imported before it expires. Re-importing into the same ACM certificate keeps its service associations, so the load balancer keeps serving the renewed certificate without extra changes.

Should I use ACM or the IAM certificate store?

Use ACM. The IAM certificate store is a legacy method that AWS keeps mainly for backward compatibility and for cases ACM does not cover. For most setups, including load balancers and CloudFront, ACM is the recommended option.

Why does ACM reject my private key?

The most common reason is that the key is encrypted. ACM only accepts an unencrypted, PEM-encoded private key that matches the certificate. Remove the passphrase first, then import. Make sure all three parts (certificate, chain, and key) are PEM-encoded.

Which Region should I import the certificate into?

Import it in the same Region as the load balancer or service that will use it, because ACM certificates are Regional. CloudFront is the exception: it only accepts certificates imported into US East (N. Virginia), us-east-1.

Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.