I want to configure AWS Certificate Manager (ACM) certificates for my website hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance.
Short description
Configuring an Amazon Issued ACM public certificate for a website that's hosted on an EC2 instance requires exporting the certificate. However, you can't export the certificate because ACM manages the private key that signs and creates the certificate. For more information, see Security for certificate private keys.
Instead, you can associate an ACM certificate with a load balancer or an ACM SSL/TLS certificate with a CloudFront distribution. Before you begin, follow the instructions for requesting a public certificate.
Note: You must request or import an ACM certificate in the same AWS Region as your load balancer. For CloudFront distributions, you must request the certificate in the US East (N. Virginia) Region.
Resolution
Follow these steps to associate your certificate:
- Create an Application Load Balancer, Network Load Balancer, Classic Load Balancer, or CloudFront distribution.
Note: If you already have an Application Load Balancer, Network Load Balancer, Classic Load Balancer, or CloudFront distribution, then you can skip this step.
- Associate the certificate with your ELB, or configure a CloudFront distribution to use an SSL/TLS certificate.
- Put the EC2 instance behind your ELB or CloudFront distribution.
- Route traffic to your ELB or CloudFront distribution.
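The four steps above, for the Application Load Balancer case, written as one CloudFormation template. This is an added example, not part of the original article. All parameter and resource names are assumptions, and the certificate is assumed to be already issued in the same Region where the stack is deployed.

```yaml
# Added example: parameter and resource names are assumptions, not from the article.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  SiteDomain: {Type: String}                      # placeholder, e.g. www.example.com
  ZoneId: {Type: "AWS::Route53::HostedZone::Id"}  # public hosted zone for SiteDomain
  CertArn: {Type: String}                         # ACM certificate ARN, same Region as this stack
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PublicSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}      # at least two Availability Zones
  AlbSecurityGroup: {Type: "AWS::EC2::SecurityGroup::Id"}  # allows inbound TCP 443
  WebInstance: {Type: "AWS::EC2::Instance::Id"}            # the existing EC2 web server
Resources:
  Alb:                                   # step 1: create the load balancer
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: application
      Scheme: internet-facing
      Subnets: !Ref PublicSubnets
      SecurityGroups:
        - !Ref AlbSecurityGroup
  Targets:                               # step 3: put the instance behind the load balancer
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTP                     # TLS ends at the ALB; the instance holds no private key
      Port: 80                           # instance security group must allow 80 from AlbSecurityGroup
      Targets:
        - Id: !Ref WebInstance
          Port: 80
  HttpsListener:                         # step 2: associate the ACM certificate
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref Targets
  AliasRecord:                           # step 4: route traffic to the load balancer
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref ZoneId
      Name: !Ref SiteDomain
      Type: A
      AliasTarget:
        DNSName: !GetAtt Alb.DNSName
        HostedZoneId: !GetAtt Alb.CanonicalHostedZoneID
```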
Create an ELB or CloudFront distribution
Follow the instructions for your use case:
Associate the certificate with ELB or configure it with a CloudFront distribution
Follow the instructions for your use case:
Put the EC2 instance behind your ELB or CloudFront distribution
Follow the instructions for your use case:
Route traffic to your ELB or CloudFront distribution
Follow the instructions for your use case:
Note: Public ACM certificates can be installed on Amazon EC2 instances that are connected to a Nitro Enclave, but not to other Amazon EC2 instances.
Related information
Email validation
DNS validation
Making Amazon Route 53 the DNS service for an existing domain