Tutorial 18 Intermediate

How to Implement AWS Certificate Manager for SSL/TLS

Automate SSL/TLS certificate management with free ACM certificates, DNS validation, automatic renewal, and CloudFront integration to eliminate certificate-related outages.

25 min implementation
12 min read
Transport Security

Why Automated Certificate Management Prevents Outages

SSL/TLS certificates are the foundation of web security, yet certificate expiration remains one of the most preventable causes of service outages. According to Keyfactor's 2024 PKI and Digital Trust Report, 88% of organizations experienced unplanned outages due to expired certificates, with an average of three certificate-related outages over a 24-month period. The average cost of these outages exceeds $2.8 million per incident.

High-profile certificate expirations continue to affect major organizations. In January 2026, League of Legends experienced a global outage when their SSL certificate expired—exactly 10 years after a similar incident. Microsoft Teams, Spotify, LinkedIn, and Ericsson have all suffered outages due to expired certificates. AWS Certificate Manager eliminates this risk through fully automated certificate management.

The Four Most Dangerous Certificate Management Failures

1. Manual Certificate Renewal

Relying on manual processes creates single points of failure. Team members forget renewal dates, vacation schedules interfere, and certificates expire during critical business periods when staff may be unavailable.

2. Self-Signed or Invalid Certificates

Self-signed certificates trigger browser security warnings, destroying user confidence and severely impacting SEO rankings. Search engines penalize sites without valid certificates from trusted authorities.

3. Insecure Private Key Storage

Storing private keys in code repositories, shared drives, or unencrypted locations creates massive vulnerabilities. Key compromise can lead to man-in-the-middle attacks and complete domain impersonation.

4. Outdated TLS Protocols

Using deprecated TLS versions (1.0, 1.1) or weak cipher suites exposes encrypted traffic to known attacks. Modern security requires TLS 1.2 minimum, with TLS 1.3 recommended for enhanced security.

Key Insight: ACM certificates are free for AWS services and renew automatically. There is no technical, financial, or operational reason to manage SSL certificates manually when using AWS infrastructure.

Step 1: Request SSL Certificate in ACM (~5 minutes)

AWS Certificate Manager provides free public SSL/TLS certificates for use with AWS services. Requesting a certificate with wildcard support covers your main domain and all subdomains with a single certificate.

Prerequisites

  • AWS account with appropriate IAM permissions
  • Domain name you own and want to secure
  • Access to domain DNS settings (Route 53 or external provider)
  • Target AWS service for certificate attachment (CloudFront, ALB, API Gateway)

Important: ACM certificates can only be used with integrated AWS services (CloudFront, ALB, API Gateway, etc.). For EC2 instances, you'll need to use a different approach or terminate SSL at a load balancer.

Console Steps

1.1 Navigate to Certificate Manager

  • Sign in to AWS Console
  • Search for "Certificate Manager" in the services search
  • Click "AWS Certificate Manager"
  • Critical: For CloudFront, ensure you're in us-east-1 (N. Virginia) region

1.2 Request Public Certificate

  • Click "Request a certificate"
  • Select "Request a public certificate"
  • Click "Next"

1.3 Configure Domain Names

  • Enter your fully qualified domain name: example.com
  • Click "Add another name to this certificate"
  • Add wildcard subdomain: *.example.com
  • This configuration covers your main domain and all subdomains

Domain Configuration Coverage
# Certificate covers:
example.com           # Apex domain
www.example.com       # WWW subdomain
api.example.com       # API subdomain
app.example.com       # Application subdomain
admin.example.com     # Admin subdomain
*.example.com         # Any other subdomain

1.4 Select Validation Method

  • DNS validation (Recommended): Automatic renewal, no email required
  • Email validation: Requires manual approval via admin email addresses
  • Choose "DNS validation" for automation
  • Click "Next"

1.5 Add Tags and Request

  • Add tags for organization:
  • Key: Environment, Value: Production
  • Key: Project, Value: Website
  • Key: ManagedBy, Value: ACM
  • Click "Request"

AWS CLI Method

AWS CLI - Request Certificate
# Request certificate with wildcard support
aws acm request-certificate \
    --domain-name example.com \
    --subject-alternative-names "*.example.com" \
    --validation-method DNS \
    --tags Key=Environment,Value=Production Key=Project,Value=Website \
    --region us-east-1

# Response includes CertificateArn for use in subsequent steps

Certificate Requested: Your certificate is now in "Pending validation" status. The next step validates domain ownership to issue the certificate.

Step 2: Validate Domain Ownership via DNS (~10 minutes)

DNS validation proves you control the domain before AWS issues the certificate. The validation CNAME records must remain in place permanently to enable automatic renewal: ACM uses these same records to re-validate ownership when it renews the certificate, starting 60 days before expiration.

Console Steps (Route 53)

2.1 View Validation Records

  • In ACM console, click on your pending certificate
  • View domains in "Pending validation" status
  • Each domain shows required CNAME record details

2.2 Create DNS Records (Route 53 One-Click)

  • Click "Create record in Route 53" button for each domain
  • Click "Create records"
  • AWS automatically adds the required CNAME records
  • Validation typically completes within 5-30 minutes

Route 53 Advantage: If your domain uses Route 53 for DNS, ACM can automatically create validation records with one click. This is the fastest path to certificate issuance.

Manual DNS Configuration (External Providers)

2.3 Add Records to External DNS Provider

  • Copy the CNAME record details from ACM console
  • Log in to your DNS provider (GoDaddy, Cloudflare, Namecheap, etc.)
  • Create CNAME records with the provided name and value
  • Wait for DNS propagation (5-30 minutes, up to 72 hours)

Example DNS Validation Records
# CNAME records to add to your DNS provider
# Record 1 (apex domain)
Type:  CNAME
Name:  _abc123def456.example.com
Value: _xyz789.acm-validations.aws.

# Record 2 (wildcard)
Type:  CNAME
Name:  _abc123def456.example.com
Value: _xyz789.acm-validations.aws.

# Note: ACM generates the identical CNAME for an apex domain and its wildcard (*.example.com),
# so only one record needs to exist in DNS for both names to validate

Verify Validation Status

Bash - Verify DNS and Certificate Status
# Verify DNS record is resolving
dig _abc123def456.example.com CNAME

# Alternative: Use nslookup
nslookup -type=CNAME _abc123def456.example.com

# Check certificate status via CLI
aws acm describe-certificate \
    --certificate-arn arn:aws:acm:us-east-1:ACCOUNT:certificate/CERT-ID \
    --query 'Certificate.Status' \
    --region us-east-1

# Expected output when validated: "ISSUED"

Critical: Keep DNS validation records permanently. ACM requires these records to automatically renew certificates 60 days before expiration. Removing them causes renewal failures.

Domain Validated: Once status shows "Issued", your certificate is ready for use. ACM certificates are valid for 13 months and renew automatically.

Step 3: Configure Auto-Renewal Monitoring (~5 minutes)
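As an added example (not part of the tutorial), the following Python script turns `aws acm describe-certificate` output into the change batch that `aws route53 change-resource-record-sets` expects, which automates the manual-provider and CLI paths above and emits the shared apex/wildcard record only once. The describe-certificate JSON, the `_abc123`/`_xyz789` record values and the ARN are constructed placeholders.

```python
"""Build Route 53 validation records from `aws acm describe-certificate` output."""
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# The ARN and the _abc123/_xyz789 record values are placeholders, not real ACM data.
DESCRIBE_OUTPUT = json.dumps({"Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER",
    "DomainName": "example.com",
    "SubjectAlternativeNames": ["example.com", "*.example.com"],
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationStatus": "PENDING_VALIDATION",
         "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_abc123def456.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
        # ACM hands out the identical record for the wildcard name
        {"DomainName": "*.example.com", "ValidationStatus": "PENDING_VALIDATION",
         "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_abc123def456.example.com.", "Type": "CNAME",
                            "Value": "_xyz789.acm-validations.aws."}},
    ]}})


def pending_domains(describe_json):
    """Names on the certificate whose DNS validation has not succeeded yet."""
    cert = json.loads(describe_json)["Certificate"]
    return [o["DomainName"] for o in cert.get("DomainValidationOptions", [])
            if o.get("ValidationStatus") != "SUCCESS"]


def validation_change_batch(describe_json, ttl=300):
    """Change batch for `aws route53 change-resource-record-sets --change-batch`.
    Records are keyed on (Name, Value) so the shared apex/wildcard CNAME is emitted
    once; UPSERT makes the call safe to re-run. Leave the records in place: ACM
    re-validates through them when it renews the certificate."""
    cert = json.loads(describe_json)["Certificate"]
    seen, changes = set(), []
    for opt in cert.get("DomainValidationOptions", []):
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or not rr:
            continue  # email-validated names have no DNS record to create
        key = (rr["Name"].lower(), rr["Value"].lower())
        if key in seen:
            continue
        seen.add(key)
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": rr["Name"], "Type": rr["Type"], "TTL": ttl,
            "ResourceRecords": [{"Value": rr["Value"]}]}})
    return {"Comment": "ACM DNS validation records (keep for auto-renewal)",
            "Changes": changes}


if __name__ == "__main__":
    print("pending validation:", pending_domains(DESCRIBE_OUTPUT))
    print(json.dumps(validation_change_batch(DESCRIBE_OUTPUT), indent=2))
```

Pipe the real `describe-certificate` output in and pass the returned dict as the `--change-batch` argument with your hosted zone ID.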

While ACM handles renewal automatically, proactive monitoring ensures you're alerted to any renewal failures before they cause outages. ACM begins renewal attempts 60 days before expiration and sends Health Dashboard notifications at 45, 30, 15, 7, 3, and 1 day intervals if renewal fails.

Console Steps

3.1 Verify Auto-Renewal Eligibility

  • Navigate to ACM console
  • Click on your certificate
  • Check "Renewal eligibility" shows "Eligible"
  • Verify "Renewal status" shows "Success" or "Pending" (if within 60 days of expiration)

Renewal Requirements: Certificates are eligible for automatic renewal if they are associated with an AWS service (CloudFront, ALB, API Gateway) OR have been exported since issuance. Unused certificates do not auto-renew.

Create CloudWatch Alarm for Certificate Expiration

AWS CLI - CloudWatch Alarm for DaysToExpiry
# Create SNS topic for certificate alerts
aws sns create-topic \
    --name acm-certificate-alerts \
    --region us-east-1

# Subscribe email to the topic
aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:ACCOUNT:acm-certificate-alerts \
    --protocol email \
    --notification-endpoint security@yourcompany.com \
    --region us-east-1

# Create CloudWatch alarm for certificate expiration
aws cloudwatch put-metric-alarm \
    --alarm-name "ACM-Certificate-Expiring-Soon" \
    --alarm-description "Alert when ACM certificate expires within 30 days" \
    --metric-name DaysToExpiry \
    --namespace AWS/CertificateManager \
    --statistic Minimum \
    --period 86400 \
    --threshold 30 \
    --comparison-operator LessThanThreshold \
    --dimensions Name=CertificateArn,Value=arn:aws:acm:us-east-1:ACCOUNT:certificate/CERT-ID \
    --evaluation-periods 1 \
    --alarm-actions arn:aws:sns:us-east-1:ACCOUNT:acm-certificate-alerts \
    --region us-east-1

Enable AWS Config Rule for Compliance Monitoring

AWS CLI - Deploy Config Rule for Certificate Expiration
# Create AWS Config rule to check certificate expiration
aws configservice put-config-rule \
    --config-rule '{
        "ConfigRuleName": "acm-certificate-expiration-check",
        "Description": "Checks if ACM certificates expire within specified days",
        "Source": {
            "Owner": "AWS",
            "SourceIdentifier": "ACM_CERTIFICATE_EXPIRATION_CHECK"
        },
        "InputParameters": "{\"daysToExpiration\": \"30\"}",
        "MaximumExecutionFrequency": "TwentyFour_Hours"
    }' \
    --region us-east-1

# This rule marks certificates as NON_COMPLIANT when expiring within 30 days

Create EventBridge Rule for Renewal Failures

AWS CLI - EventBridge for ACM Health Events
# Create EventBridge rule for ACM Health events
aws events put-rule \
    --name "ACM-Certificate-Renewal-Issues" \
    --event-pattern '{
        "source": ["aws.health"],
        "detail-type": ["AWS Health Event"],
        "detail": {
            "service": ["ACM"],
            "eventTypeCategory": ["scheduledChange", "issue"]
        }
    }' \
    --region us-east-1

# Add SNS target for notifications
aws events put-targets \
    --rule "ACM-Certificate-Renewal-Issues" \
    --targets "Id"="1","Arn"="arn:aws:sns:us-east-1:ACCOUNT:acm-certificate-alerts" \
    --region us-east-1

Monitoring Active: You now have proactive alerting for certificate expiration and renewal failures. CloudWatch alarms trigger 30 days before expiration, giving ample time to address any renewal issues.

Step 4: Integrate with CloudFront Distribution (~5 minutes)
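As an added example (not part of the tutorial), this Python script applies the monitoring rules of this step to `describe-certificate` output: it flags certificates inside the 30-day window used by the CloudWatch alarm above, certificates with an empty `InUseBy` list (not eligible for auto-renewal), and a `RenewalSummary` reporting `FAILED` with its reason. The certificate objects, ARNs and the fixed clock are constructed for the example.

```python
"""Triage ACM certificates for expiry and auto-renewal risk."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
ALERT_DAYS = 30  # same threshold as the CloudWatch DaysToExpiry alarm above


def _cert(suffix, domain, days_left, in_use, renewal=None):
    """Constructed 'Certificate' object in the shape returned by describe-certificate."""
    return {"CertificateArn": f"arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER-{suffix}",
            "DomainName": domain,
            "NotAfter": (NOW + timedelta(days=days_left)).isoformat(),
            "InUseBy": in_use,  # ARNs of CloudFront/ALB/API Gateway resources using the cert
            "RenewalSummary": renewal}


SAMPLE_CERTS = [  # constructed samples; resource ARNs are placeholders
    _cert(1, "example.com", 200,
          ["arn:aws:cloudfront::111111111111:distribution/PLACEHOLDER"],
          {"RenewalStatus": "SUCCESS"}),
    _cert(2, "api.example.org", 25, []),  # never attached to a service, expiring soon
    _cert(3, "shop.example.net", 50,
          ["arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/PLACEHOLDER"],
          {"RenewalStatus": "FAILED", "RenewalStatusReason": "CAA_ERROR"}),
]


def days_to_expiry(cert, now=NOW):
    """Whole days until NotAfter, the quantity the DaysToExpiry metric reports."""
    return (datetime.fromisoformat(cert["NotAfter"]) - now).days


def triage(certs, now=NOW, alert_days=ALERT_DAYS):
    """Return {arn: [findings]} for every certificate that needs attention."""
    findings = {}
    for c in certs:
        issues = []
        left = days_to_expiry(c, now)
        if left < alert_days:
            issues.append(f"expires in {left} days (threshold {alert_days})")
        if not c.get("InUseBy"):
            issues.append("not associated with any AWS service: not eligible for auto-renewal")
        summary = c.get("RenewalSummary") or {}
        if summary.get("RenewalStatus") == "FAILED":
            issues.append(f"renewal FAILED: {summary.get('RenewalStatusReason', 'unknown reason')}")
        if issues:
            findings[c["CertificateArn"]] = issues
    return findings


if __name__ == "__main__":
    for arn, issues in triage(SAMPLE_CERTS).items():
        print(arn)
        for issue in issues:
            print("  -", issue)
```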

CloudFront integration provides global SSL termination at edge locations, improving both security and performance. Modern TLS security policies enforce TLS 1.2 or 1.3 with strong cipher suites, and CloudFront now supports post-quantum cryptography with TLS 1.3.

Console Steps

4.1 Create or Edit CloudFront Distribution

  • Navigate to CloudFront service in AWS Console
  • Click "Create Distribution" or edit existing distribution
  • Configure origin settings for your website/ALB/S3

4.2 Configure SSL Certificate

  • In "Settings" section, find "Custom SSL certificate"
  • Select your ACM certificate from the dropdown
  • Certificate must be in us-east-1 region to appear in list

4.3 Select Security Policy

  • Choose "Security policy" for minimum TLS version
  • Recommended: TLSv1.2_2021 (balanced security and compatibility)
  • Maximum Security: TLSv1.3_2025 or TLSv1.2_2025 (newest policies)
  • Set "Supported HTTP versions" to HTTP/2 and HTTP/3

TLS 1.3 Benefits: CloudFront's TLSv1.3_2025 policy supports post-quantum cryptography (quantum-safe key exchanges), providing protection against future quantum computer attacks on encrypted traffic.

4.4 Configure Alternate Domain Names

  • In "Alternate domain names (CNAMEs)" field
  • Enter: example.com
  • Add: www.example.com
  • Domain names must match those in your certificate

4.5 Enable HTTPS Redirect

  • Set "Viewer Protocol Policy" to "Redirect HTTP to HTTPS"
  • This ensures all traffic uses SSL encryption
  • Click "Create Distribution" or "Save Changes"

AWS CLI Method

AWS CLI - Create CloudFront Distribution with ACM Certificate
# Create CloudFront distribution configuration
aws cloudfront create-distribution \
    --distribution-config '{
        "CallerReference": "ssl-setup-2026",
        "Comment": "Production distribution with ACM SSL",
        "Enabled": true,
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": "primary-origin",
                "DomainName": "origin.example.com",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {
                        "Quantity": 1,
                        "Items": ["TLSv1.2"]
                    }
                }
            }]
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "primary-origin",
            "ViewerProtocolPolicy": "redirect-to-https",
            "AllowedMethods": {
                "Quantity": 2,
                "Items": ["GET", "HEAD"]
            },
            "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
        },
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:ACCOUNT:certificate/CERT-ID",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1.2_2021"
        },
        "Aliases": {
            "Quantity": 2,
            "Items": ["example.com", "www.example.com"]
        }
    }'
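As an added example (not part of the tutorial), this Python script audits a `DistributionConfig` of the shape above before it is submitted: certificate in us-east-1, a security policy of TLSv1.2_2021 or newer, `redirect-to-https`, `https-only` origins, and every alias covered by a certificate name. The coverage check also applies the wildcard rule the console step only hints at: `*.example.com` covers one label (`www.example.com`) but neither `example.com` nor `a.b.example.com`. The config, certificate names and ARN are constructed.

```python
"""Audit a CloudFront DistributionConfig against the TLS and alias rules above."""

# Security policies the tutorial names as acceptable minimums (TLSv1.2_2021 or newer)
ACCEPTED_POLICIES = {"TLSv1.2_2021", "TLSv1.2_2025", "TLSv1.3_2025"}

# Constructed config mirroring the create-distribution JSON above, plus one extra alias.
CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{"Id": "primary-origin",
                "DomainName": "origin.example.com",
                "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "primary-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {  # ARN is a placeholder
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111111111111:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
    "Aliases": {"Quantity": 3,
                "Items": ["example.com", "www.example.com", "a.b.example.com"]},
}
CERT_NAMES = ["example.com", "*.example.com"]  # names on the ACM certificate


def name_covered(alias, cert_names):
    """True if alias matches a certificate name. A wildcard covers exactly one
    label: *.example.com matches www.example.com, not example.com or a.b.example.com."""
    alias = alias.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == alias:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # ".example.com"
            head = alias[:-len(suffix)] if alias.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def audit(config, cert_names):
    """Return a list of findings; an empty list means the config passes."""
    problems = []
    vc = config.get("ViewerCertificate", {})
    if not vc.get("ACMCertificateArn", "").startswith("arn:aws:acm:us-east-1:"):
        problems.append("CloudFront only accepts ACM certificates from us-east-1")
    if vc.get("MinimumProtocolVersion") not in ACCEPTED_POLICIES:
        problems.append(f"security policy {vc.get('MinimumProtocolVersion')!r} is not an accepted policy")
    if config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") != "redirect-to-https":
        problems.append("viewer protocol policy is not redirect-to-https")
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")  # S3 origins have no custom origin config
        if custom is not None and custom.get("OriginProtocolPolicy") != "https-only":
            problems.append(f"origin {origin.get('Id')} does not use https-only")
    for alias in config.get("Aliases", {}).get("Items", []):
        if not name_covered(alias, cert_names):
            problems.append(f"alias {alias} is not covered by the certificate")
    return problems


if __name__ == "__main__":
    print(audit(CONFIG, CERT_NAMES) or "config passes")
```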

Update DNS to Point to CloudFront

AWS CLI - Configure DNS Records for CloudFront
# After CloudFront deployment completes (5-15 minutes)
# Copy the CloudFront domain name: d123456789.cloudfront.net

# Route 53: Create ALIAS record for apex domain
aws route53 change-resource-record-sets \
    --hosted-zone-id Z1234567890ABC \
    --change-batch '{
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "example.com",
                "Type": "A",
                "AliasTarget": {
                    "HostedZoneId": "Z2FDTNDATAQYW2",
                    "DNSName": "d123456789.cloudfront.net",
                    "EvaluateTargetHealth": false
                }
            }
        }]
    }'

# Create CNAME for www subdomain
aws route53 change-resource-record-sets \
    --hosted-zone-id Z1234567890ABC \
    --change-batch '{
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": "www.example.com",
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [{"Value": "d123456789.cloudfront.net"}]
            }
        }]
    }'

SSL Integration Complete: Your website now uses AWS-managed SSL certificates with automatic renewal, global edge termination, and modern TLS security policies.

Validate Your SSL/TLS Configuration

Complete these verification steps to ensure your SSL setup is working correctly and will maintain security over time:

SSL Testing Commands

Bash - SSL Certificate Validation Script
#!/bin/bash
# SSL Certificate Validation Script

DOMAIN="example.com"

echo "=== SSL Certificate Validation ==="

# Test HTTPS connection
echo -e "\n1. Testing HTTPS connection..."
curl -sI "https://${DOMAIN}" | head -5

# Check certificate details
echo -e "\n2. Certificate details..."
echo | openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" 2>/dev/null | \
    openssl x509 -noout -subject -issuer -dates

# Verify certificate chain
echo -e "\n3. Certificate chain..."
echo | openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" 2>/dev/null | \
    grep -E "^(Certificate chain| [0-9]+ s:)"

# Check TLS version
echo -e "\n4. TLS version in use..."
echo | openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" 2>/dev/null | \
    grep "Protocol  :"

# Test HTTP to HTTPS redirect
echo -e "\n5. HTTP redirect test..."
curl -sI "http://${DOMAIN}" | grep -E "^(HTTP|Location)"

echo -e "\n=== Validation Complete ==="

Online Testing Tools

  • SSL Labs Server Test: https://www.ssllabs.com/ssltest/ - Comprehensive SSL analysis with grade
  • SSL Shopper: https://www.sslshopper.com/ssl-checker.html - Quick certificate verification
  • SecurityHeaders.com: https://securityheaders.com - Check security headers including HSTS

Common SSL/TLS Mistakes to Avoid

Requesting certificates outside us-east-1 for CloudFront. CloudFront only accepts ACM certificates from the N. Virginia region regardless of where your origin is located. Always request CloudFront certificates in us-east-1.

Removing DNS validation records after certificate issuance. ACM needs these CNAME records to automatically renew certificates 60 days before expiration. Deleting them causes renewal failures.

Using outdated TLS policies for backward compatibility. TLSv1.0 and TLSv1.1 have known vulnerabilities. Use TLSv1.2_2021 as minimum baseline, or TLSv1.2_2025/TLSv1.3_2025 for maximum security.

Assuming auto-renewal always works without monitoring. DNS changes, CAA record issues, or AWS service disruptions can cause renewal failures. Always configure CloudWatch alarms and SNS notifications.

Not associating certificates with AWS services. Certificates not attached to CloudFront, ALB, or API Gateway are not eligible for automatic renewal. Always associate certificates immediately after validation.

Want Continuous SSL/TLS Security Monitoring?

Don't wait for certificate expiration to bring down your services. AWSight provides continuous monitoring of your SSL/TLS certificates, expiration dates, and security configurations—alerting you before issues become outages.