Why can't I configure ACM certificates for my website hosted on an EC2 instance?

I want to configure AWS Certificate Manager (ACM) certificates for my website hosted on an Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

Configuring an Amazon-issued ACM public certificate for a website that's hosted on an EC2 instance requires exporting the certificate. However, you can't export the certificate, because ACM manages the private key that the certificate is created and signed with. For more information, see Security for certificate private keys.

Instead, you can associate the ACM certificate with a load balancer, or associate an ACM SSL/TLS certificate with a CloudFront distribution. Before you begin, follow the instructions for requesting a public certificate.

Note: You must request or import an ACM certificate in the same AWS Region as your load balancer. For a CloudFront distribution, you must request the certificate in the US East (N. Virginia) Region.

Resolution

Follow these steps to associate your certificate:

  1. Create an Application Load Balancer, Network Load Balancer, Classic Load Balancer, or CloudFront distribution.
    Note: If you already have an Application Load Balancer, Network Load Balancer, Classic Load Balancer, or CloudFront distribution, then you can skip this step.
  2. Associate the certificate with your ELB, or configure a CloudFront distribution to use an SSL/TLS certificate.
  3. Put the EC2 instance behind your ELB or CloudFront distribution.
  4. Route traffic to your ELB or CloudFront distribution.

Create an ELB or CloudFront distribution

Follow the instructions for your use case:

Associate the certificate with ELB or configure it with a CloudFront distribution

Follow the instructions for your use case:

Put the EC2 instance behind your ELB or CloudFront distribution

Follow the instructions for your use case:

Route traffic to your ELB or CloudFront distribution

Follow the instructions for your use case:

Note: Public ACM certificates can be installed on Amazon EC2 instances that are connected to a Nitro Enclave, but not to other Amazon EC2 instances.

Related information

Email validation

DNS validation

Making Amazon Route 53 the DNS service for an existing domain

AWS OFFICIAL
Updated 2 years ago
2 Comments

I used to follow the described setup in the free tier to test out a fun project of mine for the last couple of months, but that's not the case anymore, as AWS started charging for public IPv4 addresses, and Application Load Balancers need public IPv4 addresses. Is there a way to still use the ACM certificate without being billed for the public addresses?

Satish
replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 months ago