Why can't I configure ACM certificates for my website hosted on an EC2 instance?


I want to configure AWS Certificate Manager (ACM) certificates for my website that's hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

When you configure an Amazon-issued ACM public certificate for a website that's hosted on an EC2 instance, you must export the certificate. However, you can't export the certificate because ACM manages the certificate's private key. For more information, see Security for certificate private keys.

Instead, associate the ACM certificate with a load balancer or an Amazon CloudFront distribution.

You can also use ACM for Nitro Enclaves for public and private SSL/TLS certificates.

Resolution

Associate the ACM certificate with a load balancer

Note: Request or import the ACM certificate in the same AWS Region as your load balancer. For CloudFront distributions, you must request the certificate in the US East (N. Virginia) Region.

First, request a public certificate.

Then, complete the following steps to associate the SSL/TLS certificate with a load balancer:

  1. If you don't have a load balancer, then create an Application Load Balancer, Network Load Balancer, or Classic Load Balancer. Or, create a CloudFront distribution.
  2. Associate the certificate with your load balancer, or configure a CloudFront distribution to use the SSL/TLS certificate.
  3. Register the EC2 instance with your load balancer or CloudFront distribution:
    For an Application Load Balancer or Network Load Balancer, see Register or deregister targets by instance ID.
    For a Classic Load Balancer, see Register an instance.
    For a CloudFront distribution, see Use Amazon EC2 (or another custom origin).
  4. Route traffic to your load balancer or CloudFront distribution.
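The following CloudFormation template is an added example and is not part of the Knowledge Center article. It carries the steps above through for an Application Load Balancer: the ACM certificate terminates TLS on the ALB, the ALB forwards plain HTTP to the existing instance, port 80 redirects to 443, and a Route 53 alias record routes the domain to the ALB. The certificate ARN, VPC, subnet, instance and hosted zone values are parameters you supply; none of them come from the article.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: terminate TLS with an ACM certificate on an Application
  Load Balancer in front of an existing EC2 instance. The instance never
  holds the certificate's private key. All parameter values are placeholders.

Parameters:
  CertificateArn:
    Type: String
    Description: ARN of the ACM public certificate, requested in the same Region as the ALB
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: At least two public subnets in different Availability Zones
  InstanceId:
    Type: AWS::EC2::Instance::Id
    Description: Existing instance that serves the site over plain HTTP on port 80
  HostedZoneId:
    Type: String
    Description: Route 53 hosted zone that is authoritative for DomainName
  DomainName:
    Type: String
    Default: www.example.com   # placeholder; must match a name on the certificate

Resources:
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP and HTTPS from the internet to the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0 }
        - { IpProtocol: tcp, FromPort: 80, ToPort: 80, CidrIp: 0.0.0.0/0 }

  # Attach this group to the instance so that only the ALB can reach port 80;
  # the instance is then not directly reachable from the internet.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow plain HTTP from the ALB only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref AlbSecurityGroup

  LoadBalancer:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Type: application
      Subnets: !Ref PublicSubnetIds
      SecurityGroups: [ !Ref AlbSecurityGroup ]

  # Step 3: register the instance as a target by instance ID.
  TargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP
      Port: 80
      TargetType: instance
      HealthCheckPath: /
      Targets:
        - { Id: !Ref InstanceId, Port: 80 }

  # Step 2: associate the ACM certificate with the HTTPS listener.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06   # TLS 1.2 and 1.3 only
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - { Type: forward, TargetGroupArn: !Ref TargetGroup }

  # Send any plain-HTTP request to the HTTPS listener.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancer
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig: { Protocol: HTTPS, Port: "443", StatusCode: HTTP_301 }

  # Step 4: route traffic for the domain to the load balancer.
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref DomainName
      Type: A
      AliasTarget:
        DNSName: !GetAtt LoadBalancer.DNSName
        HostedZoneId: !GetAtt LoadBalancer.CanonicalHostedZoneID
```

The template does not modify the existing instance; after deployment, attach InstanceSecurityGroup to the instance and remove any rule that allows port 80 or 443 from 0.0.0.0/0, so the only path to the site goes through the listener that holds the ACM certificate. Because ACM renews the certificate in place, the listener picks up renewals without any change on the instance.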

Use ACM for Nitro Enclaves

You can also install and configure ACM for Nitro Enclaves to use public and private SSL/TLS certificates with your web applications and web servers. The web applications and web servers must run on EC2 instances. ACM for Nitro Enclaves works with NGINX servers and Apache HTTP servers that run on EC2 instances.

Related information

Email validation

DNS validation

Making Amazon Route 53 the DNS service for an existing domain

Services integrated with AWS Certificate Manager

AWS OFFICIAL. Updated 3 months ago.

3 Comments

I used to follow the described setup in the free tier to test out a fun project of mine for the last couple of months, but that's not the case anymore. AWS started charging for public IPv4 addresses, and Application Load Balancers need public IPv4 addresses. Is there a way to still use the ACM certificate without being billed for the public addresses?

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT replied 10 months ago

Thank you for this article.

replied 6 months ago