How to Install an SSL Certificate on Amazon Web Services (AWS)?
Overview:
Amazon Web Services provides hosting instances that can be used to host both common servers and applications, as well as some specific additional services. Because of this, there are multiple options for installing an SSL certificate on AWS. This guide provides the step-by-step process for installing an SSL certificate across multiple AWS services including Elastic Compute Cloud (EC2), Elastic Load Balancer (ELB), AWS API Gateway, and Amazon CloudFront. Following these steps ensures secure HTTPS connectivity for your applications and hosted resources.
Prerequisites
Before you begin, ensure you have the following:
- A valid SSL certificate file (.crt format)
- The intermediate certificate chain / CA-bundle (.ca-bundle format)
- The private key file (.key format) generated with your CSR
- Access to the AWS Management Console or AWS CLI (depending on the installation approach)
- Appropriate permissions for ACM, IAM, ELB, API Gateway, or CloudFront as applicable
Procedure
Depending on the Amazon service you use, the SSL components are either uploaded as files or pasted in as text.
Step 1: Understand the Required SSL Components
SSL installation on AWS requires three PEM-formatted components:
Certificate (.crt)
Received after certificate issuance.
You can view its contents using:
cat example.crt
On a local machine, you can right-click on the file, select Open with, and choose any plain text editor.
CA-Bundle (.ca-bundle)
Contains intermediate certificates from the Certificate Authority.
Private Key (.key)
Generated with the CSR and must match the certificate.
You can open these files in a text editor on your local machine.
Step 2: Install an SSL Certificate on EC2 (Apache on Amazon Linux)
If you have EC2, it generally means that a separate web, mail, or application server is installed, and the SSL should be installed on that server.
Things will differ slightly if you use the Amazon Linux AMI.
Amazon Linux is a specific Linux distribution provided by Amazon. It is normally based on CentOS Linux with the Apache server installed (though a Debian-based version also exists).
On Amazon Linux 2, the installation process is the same as normal SSL installation on the Apache server on CentOS.
For other versions of Amazon Linux, there is one peculiarity. To run an encrypted HTTPS connection on an Apache web server, mod_ssl needs to be installed with the help of a slightly different command to the one usually used on Apache:
sudo yum install -y mod24_ssl
The default SSL configuration file location on Linux AMI is /etc/httpd/conf.d/ssl.conf. All the changes required to install an SSL can be made within this file.
Step 3: Install an SSL Certificate on an Elastic Load Balancer (ELB)
A load balancer is a service that manages traffic across several hosting instances. Amazon provides a load balancer service that can be secured with an SSL certificate.
Amazon ELB supports two installation methods. You can either (1) upload the SSL certificate through the graphical interface to AWS Certificate Manager (ACM) or (2) upload it through the command line to AWS Identity & Access Management (IAM).
Option 1: Upload via AWS Certificate Manager (ACM)
- Create or edit a Load Balancer.
- During setup, choose Upload Certificate to ACM or Upload to IAM.
- Provide the SSL components as text:
A) Certificate body → SSL certificate file
B) Certificate chain → CA-bundle
C) Private key → Private key file
- Choose a security policy. The default policy is sufficient.
- Complete the load balancer setup.
To add a certificate later:
Load Balancers → Listeners → View/Edit Certificates → + Import Certificate
Click on the + (plus) button to add a new certificate and open the Import certificate panel.
Option 2: Upload Through AWS CLI (IAM)
Upload all components using a single command:
aws iam upload-server-certificate \
--server-certificate-name certificate_object_name \
--certificate-body file://path-to-cert \
--private-key file://path-to-private-key \
--certificate-chain file://path-to-ca-bundle
Note:
- When you specify a file as a parameter (for example, for the certificate-body and private-key parameters), file:// should be included as a part of the file name.
- The certificate_object_name parameter is used to assign your own name to the certificate so that you can identify it further.
When you upload your certificate files, IAM validates them against the following criteria:
- Certificates should be in X.509 PEM format.
- The current date should be between the certificate’s issuance and expiration date.
- The certificate and Private key files should contain only a single item, meaning one certificate file and one corresponding key.
- The Private key should match the certificate.
- The Private key should be in PEM format, just like the certificate. The text within the key file should begin with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----.
- The Private key should not be encrypted with a password.
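The criteria above can be checked locally before running the upload. The following is an added example, not part of the original guide; the function names check_iam_cert and make_sample_pair are hypothetical, and the notBefore check assumes GNU date.

```bash
#!/usr/bin/env bash
# Added example: local pre-flight for the IAM upload criteria listed above.
# check_iam_cert CERT KEY -> prints each failed criterion, returns 0 only if all pass.
check_iam_cert() {
  local cert="$1" key="$2" rc=0 n start_s
  fail() { echo "FAIL: $*" >&2; rc=1; }

  # Single item per file: one certificate, one private key.
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
  [ "$n" -eq 1 ] || fail "expected 1 certificate in $cert, found $n"
  n=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$key" || true)
  [ "$n" -eq 1 ] || fail "expected 1 private key in $key, found $n"

  # Key must not be password-protected; the later checks need to read it.
  if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key"; then
    fail "private key is encrypted with a password"; return "$rc"
  fi

  # Certificate must parse as X.509 PEM.
  if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    fail "$cert is not an X.509 PEM certificate"; return "$rc"
  fi

  # Current date must fall between notBefore and notAfter.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || fail "certificate has expired"
  start_s=$(date -d "$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)" +%s 2>/dev/null || echo 0)
  # start_s is 0 when this date(1) cannot parse the value (non-GNU); the check then passes.
  [ "$start_s" -le "$(date +%s)" ] || fail "certificate is not yet valid"

  # Key must match the certificate: both must yield the same public key.
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || fail "private key does not match the certificate"

  # Header form stated in the list above; reported as a warning, not a failure.
  grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$key" \
    || echo "WARN: key header is not 'BEGIN RSA PRIVATE KEY'" >&2
  return "$rc"
}

# Constructed sample input: a throwaway self-signed pair written to directory $1.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example.test" \
    -keyout "$1/example.key" -out "$1/example.crt" 2>/dev/null
}

# Run as a script: ./check.sh example.crt example.key
if [ "$#" -eq 2 ]; then check_iam_cert "$@"; fi
```

A non-zero return means at least one criterion failed and the upload command would be rejected for the same reason.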
To verify the uploaded certificate:
aws iam get-server-certificate --server-certificate-name certificate_object_name
The output should look like this:
arn:aws:iam::Your_AWS_Account_ID:server-certificate/Your_Certificate_Object_Name
Certificate_Object_GUID
The first line is the Amazon Resource Name (ARN) of the certificate, which contains Your_AWS_Account_ID, and Certificate_Object_GUID is the ID of the certificate.
Here’s an example:
arn:aws:iam::123456789012:server-certificate/certificate_object_name
ADGTHexampleLKBASAH
The first line is the ARN (the digits in it are the AWS account ID), and the second line is the certificate ID.
If you need to update the certificate for an HTTPS load balancer, you will need the ARN of the certificate. The following command sets the certificate for the load balancer:
aws elb set-load-balancer-listener-ssl-certificate \
--load-balancer-name my-loadbalancer \
--load-balancer-port 443 \
--ssl-certificate-id arn:aws:iam::123456789012:server-certificate/certificate_object_name
The my-loadbalancer parameter is the name of your load balancer.
For more details about creating an HTTPS load balancer and setting its name, please check the following guide.
Step 4: Install an SSL Certificate on AWS API Gateway
By default, Amazon API Gateway uses a default access link that looks like this:
https://api-id.execute-api.region.amazonaws.com/stage
In some cases, it is more convenient to set up a custom hostname for it instead. The custom link can also be secured with an SSL certificate.
The process is similar to securing a load balancer.
- Log in to the AWS Certificate Manager console.
- Choose the Import certificate option.
- A similar form for the SSL upload will open.
- Paste the certificate file code as the "Certificate body", CA-bundle code as the "Certificate chain" and Private key code as the "Certificate private key" and click Next.
- Save the changes by selecting the Review and import option.
- Choose the Custom domain names option from the API Gateway menu.
- Choose your custom domain name.
- Click Edit.
- Choose the correct SSL from the drop-down list and save the changes.
The certificate may take up to 40 minutes to apply.
Alternatively, you can install an SSL certificate with the domainname:update API call from the command line.
The request itself will look like this:
PATCH /domainnames/*Your API domain name*
{
  "patchOperations" : [ {
    "op" : "replace",
    "path" : "*parameter used to identify the SSL*",
    "value" : "*parameter value*",
    "from" : "*optional parameter where you can specify what specific part of the application should use the SSL*"
  } ]
}
More details about the command can be found here.
Step 5: Install an SSL Certificate on Amazon CloudFront
Amazon CloudFront is a web service that allows you to speed up content distribution in different locations by caching some of it in a special storage.
You can upload an SSL certificate either through AWS Certificate Manager (ACM) or through the command line, as described above.
After adding the SSL, CloudFront settings need to be updated as follows:
- Open your AWS console and go to the CloudFront console.
- Choose the ID of the CloudFront entity that needs to be updated.
- Go to the General tab and choose Edit.
- Update Alternate Domain Names (CNAMEs) with your SSL domain name(s) and choose the correct SSL from the list.
- Click Yes, Edit.
- After this, you can go to the Behaviors tab and either set a redirect from HTTP to HTTPS or set CloudFront to HTTPS only.
The SSL certificate can also be set up during the CloudFront entity creation.
Note: If you want to use an ACM certificate with Amazon CloudFront, make sure you import a certificate stored in the US East (N. Virginia) region. Otherwise, use the certificate imported to IAM.
Verification
To confirm the SSL certificate is installed correctly:
- Visit your domain using https://
- Check for a valid padlock icon in the browser
- Use an online SSL checker (e.g., SSL Labs)
- For AWS CLI installations, verify using IAM or ELB commands
- For CloudFront, wait for distribution propagation and test the endpoint