generating free ssl certificates using aws certificate manager

6 mins Sep 21, 2021 Somendra Yadav CLOUD Views : 1524


  1. What is ACM?
  2. Why should we use ACM?
  3. Points to Remember
  4. Supported regions
  5. Creating free SSL certificates using ACM
  6. Importing existing SSL certificates to ACM

what is acm?

ACM stands for AWS Certificate Manager. It provides the free SSL certificates which can be integrated with AWS development services such as ELB and cloudfront etc. Using the public certificates generated from ACM, You can secure your domain names and the sub-domains.

If you already have an SSL certificate generated from another Certificate Authority You can import it to ACM and Use it for securing your Websites and Applications.

why should we use acm?

It’s easy to create, manage and configure SSL certificates for the domain and renew the certificates.

●   It renews automatically.
●   Can be integrated with AWS Cloud Services.
●   It's free of cost.

points to remember

The certificates cannot be used directly with the web servers such as Nginx, Apache or with the EC2 instances.

Certificates can be used with the following services.

●    Amazon Cloudfront
●    AWS Elastic beanstalk
●    API gateway
●    Elastic Load balancing
●    CloudFormation

supported regions

Certificates generated from ACM are region specific. Suppose you have hosted a website in the United State region, then you should generate an SSL certificate in the USA region.


If you’re configuring the same domain in the Singapore region, Again We have to generate the ACM for the Singapore region and use it for the websites.


Certificates can’t be copied from one aws region to another.


If you want to apply the certificates generated from ACM for CloudFront, Then you should create or import existing certificates in the N.Virginia (US East) region.

Certificates in this region which are associated with the cloudfront distribution are distributed for all the geographical locations configured for that distribution.

creating public certificate using acm

Login to ACM Console


Under Provision certificates, click Get started

Provision-certificatesSelect Request a public certificate

Request-a-public-certificateRequest a certificate, and then click

Under Add domain names, You should mention the FQDN (Fully Qualified Domain Name) of the website which you secure using the certificate.

For example: be the FQDN, But If I have hosted multiple subdomains under the main domain, You can add an * (asterisk) to request the wildcard certificate to protect all the existing subdomains and the sub-domain which we create later as well.


​Choose Next, perform validation requests using below options.

This is to ensure that the domain name for which you’re requesting the certificate is owned by you.

1) DNS Validation –> Choose this, If you have access to the add/modify DNS Records from the DNS management portal.

2) Email Validation –> Validation for the certificate request can be performed using Email.

DNS-Email-ValidationClick Review

Choose Confirm and request

For DNS Validation, CNAME records will be provided which should be added to the DNS portal. 
For Email Validation, ACM sends email to the following, 

●    Domain registrant
●    Technical contact
●    Administrative contact.

One should reply to that email for validation.
If validated, The certificate will be issued shortly


Once the certificate is Issued, You can use it with the Integrated services mentioned above.

                           Also Read: Creating EC2 Instances using Terraform

importing existing ssl certificate to acm

If you have purchased SSL certificates from a Domain registrar or if it is generated using the Letsencrypt free SSL certificate, These certificates can be uploaded to the AWS Certificate manager and then can be used with the integration Cloud computing services mentioned above.

1. Supported algorithms:

A) 1024-bit RSA (RSA_1024)
B) 2048-bit RSA (RSA_2048)
C) 4096-bit RSA (RSA_4096)
D) Elliptic Prime Curve 256 bit (EC_prime256v1)
E) Elliptic Prime Curve 384 bit (EC_secp384r1)
F) Elliptic Prime Curve 521 bit (EC_secp521r1)

2. While importing the certificate to ACM, The certificate chain should be provided if the certificate is issued with the certificate authority.

3. The certificate must be valid at the time of import. You can’t import a certificate before its validity period begins or after it expires.

4. The password protected private key cannot be imported and it should be unencrypted.

The following details of the certificates are required for it to be uploaded to ACM.

●    Server Certificate
●    Certificate Chain
●    Private certificate

Once you have the above information, Login to the ACM console.
Click Import a certificate


Copy and paste the contents of Server Certificate, Private key and Certificate chain into their respective fields.


Click Next and then review the details about the certificate and then choose Import.