AWS Certificate Manager Tutorial: SSL/TLS Security Made Simple | AWSight

AWS Certificate Manager Tutorial: SSL/TLS Security Made Simple

How to set up automatic SSL certificate management and prevent the $2.8M mistake that killed an e-commerce company's holiday sales

🚨 The $2.8 Million SSL Certificate Disaster

On November 23, 2024, a growing e-commerce company discovered that its website was showing "Not Secure" warnings to customers. The SSL certificate had expired at 2:47 AM, right before the biggest shopping day of the year.

$2.8M in lost revenue during the 18-hour outage, plus lasting damage to customer trust and search rankings.

The worst part? It was entirely preventable: a certificate issued by AWS Certificate Manager renews itself, and that managed renewal is on by default for every certificate ACM issues.

  • 31% of websites still use manual SSL management
  • 67% of SSL outages are due to expired certificates
  • $890K average cost of SSL-related downtime
  • 45 sec before users give up on a site that shows a security warning


🎯 Why Manual SSL Certificate Management is Dangerous

SSL/TLS certificates are critical for website security, but managing them by hand creates risks that can take a business offline. AWS Certificate Manager (ACM) removes most of those risks through automation; the rest you cover with monitoring, described later in this tutorial.

The Hidden Costs of Manual SSL Management

  • Certificate cost. Manual: anywhere from free (Let's Encrypt) to a few hundred dollars per certificate per year from a commercial CA. ACM: public certificates cost nothing when used with integrated AWS services (only the exportable public certificates AWS added in 2025 carry a charge).
  • Renewal process. Manual: someone has to re-key, revalidate and redeploy on every host, and a missed step means an outage. ACM: managed renewal, with the new certificate pushed to the attached resources and no downtime.
  • Expiration risk. Manual: high; it depends on a calendar reminder and whoever is on shift. ACM: low but not zero; renewal stalls if the validation CNAME is deleted or an email-validated domain is never approved, so monitoring still matters.
  • Private key handling. Manual: keys sit on servers, in repositories or on shared drives. ACM: the key is generated and stored inside AWS and, for standard public certificates, can never be downloaded.
  • Maintenance time. Manual: hours per renewal once you count every host and load balancer. ACM: none for routine renewals.

⚠️ Critical Insight: According to the 2024 SSL Security Report, 67% of SSL-related outages are caused by expired certificates, and the average business loses $890,000 during SSL-related downtime incidents.

The Three Most Dangerous SSL Misconfigurations

1
Manual Certificate Renewal

Relying on manual processes to renew certificates creates a single point of failure. Teams forget renewal dates, vacation schedules interfere, and certificates expire during critical business periods.

2
Self-Signed or Invalid Certificates

Using self-signed certificates or certificates from untrusted authorities triggers browser warnings, destroys user confidence, and severely impacts SEO rankings and conversion rates.

3
Insecure Private Key Management

Storing private keys in code repositories, shared drives or unencrypted locations lets anyone who finds them impersonate your site and intercept traffic for as long as the certificate is valid and unrevoked. A leaked key means an emergency revocation, re-issue and redeploy, which is exactly the manual work ACM is meant to remove.

1
Request SSL Certificate in ACM (5 minutes)

Prerequisites:

  • AWS account with permission to request certificates in ACM and, for one-click validation, to create records in Route 53
  • A public domain name you control
  • Access to the domain's DNS (preferred) or to its registered contact email addresses
  • A CloudFront distribution, load balancer or API Gateway custom domain to attach the certificate to
⚠️ Important: standard ACM public certificates cannot be exported. The private key is generated and kept inside AWS, which is the security benefit, but it means they only work with integrated services (CloudFront, ALB/NLB, API Gateway, App Runner and similar). To serve HTTPS directly from EC2 you either put the instances behind one of those services, use ACM for Nitro Enclaves, pay for an exportable public certificate (an option AWS added in 2025), or run another CA's client such as certbot on the host.

Console Steps:

1.1 Navigate to Certificate Manager

  • Sign in to AWS Console
  • Search for "Certificate Manager" in the services search
  • Click on "AWS Certificate Manager"
  • Important: Ensure you're in the correct region (us-east-1 for CloudFront)

1.2 Request Public Certificate

  • Click "Request a certificate"
  • Select "Request a public certificate"
  • Click "Next"

1.3 Add Domain Names

  • Enter your fully qualified domain name: example.com
  • Click "Add another name to this certificate"
  • Add wildcard subdomain: *.example.com
  • Together these cover the apex and every single-label subdomain
```
# Domain names to include in the certificate
Primary domain:   example.com
Wildcard domain:  *.example.com

# Together these cover:
#   example.com
#   www.example.com
#   api.example.com
#   admin.example.com
#   any other single-label subdomain of example.com
# Not covered: deeper names such as a.b.example.com (a wildcard matches exactly one label),
# so add those as extra names or request a *.b.example.com entry.
```

1.4 Select Validation Method

  • DNS validation (Recommended): you publish one CNAME per name; if the zone is in Route 53, ACM can create the records for you. Renewal then happens without anyone involved.
  • Email validation: ACM emails the domain's WHOIS contacts plus admin@, administrator@, hostmaster@, postmaster@ and webmaster@, and someone has to click approve, both now and at every renewal
  • Choose "DNS validation" for automation
  • Click "Next"

1.5 Add Tags and Review

  • Add tags for organization:
  • Key: Environment, Value: Production
  • Key: Project, Value: Website
  • Key: Owner, Value: Security-Team
  • Click "Review" then "Confirm and request"
✅ Certificate Requested! Your certificate is now in "Pending validation" status. Next, we'll validate domain ownership.
2
Validate Domain Ownership (10 minutes)

Domain validation proves you control the domain before AWS issues the certificate. DNS validation is preferred for automation.

DNS Validation Steps:

2.1 View Certificate Details

  • In ACM console, click on your pending certificate
  • You'll see domains in "Pending validation" status
  • Each domain shows required DNS records

2.2 Add DNS Records (Route 53 Method)

  • Click the "Create records in Route 53" button
  • Review the CNAME records ACM proposes and click "Create records"
  • ACM writes the required CNAME records into the hosted zone (your identity needs route53:ChangeResourceRecordSets on that zone, and the zone must be in the same account)
  • Validation typically completes within 5-10 minutes
✅ Route 53 Advantage: If your domain uses Route 53 for DNS in the same account, ACM can create the validation records with one click.

2.3 Manual DNS Configuration (Other DNS Providers)

  • Copy the CNAME name and value for each domain from the ACM console
  • Log in to your DNS provider (GoDaddy, Cloudflare, etc.)
  • Create the CNAME records exactly as shown; if the provider appends the zone to the name automatically, enter only the leading _<hex> label, and if it rejects the trailing dot on the value, leave the dot off
  • On Cloudflare, set the record to "DNS only" (grey cloud); a proxied CNAME returns Cloudflare addresses and validation never completes
  • Wait for DNS propagation (5-30 minutes)
```
# Example DNS validation records (placeholder values; copy the real ones from the ACM console)
# ACM does not use _acme-challenge names; each record is _<32 hex chars>.<domain>
Record Type: CNAME
Name:  _3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com.
Value: _0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.acm-validations.aws.

# example.com and *.example.com share this ONE record, so the wildcard adds no DNS work.
# A name in another zone (say api.example.net on the same certificate) gets its own record:
Record Type: CNAME
Name:  _7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d.api.example.net.
Value: _c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7.acm-validations.aws.
```

2.4 Verify Validation Completion

  • Return to ACM console
  • Refresh the certificate details page
  • Status should change to "Issued" when validation completes
  • This can take 5-30 minutes depending on DNS propagation
```bash
# Check that the validation CNAME resolves (use the exact name from the ACM console)
dig +short CNAME _3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com

# Ask a public resolver too, to see what ACM's resolvers are likely to see
dig +short CNAME _3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com @1.1.1.1

# Same check with nslookup
nslookup -type=CNAME _3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com

# Expected answer: the _<hex>.acm-validations.aws. value shown in the console
```
⚠️ Troubleshooting: If validation fails, check that DNS records are correctly configured and have propagated. Use online DNS checkers to verify record visibility globally.
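For the manual-DNS path in 2.3 it helps to generate the records straight from the API output instead of copying them from the console, which is where the wrong-value and appended-zone mistakes creep in. The script below is an added example for this tutorial (not AWSight tooling): it reads the JSON that `aws acm describe-certificate` prints, collapses duplicate records (the apex and the wildcard share one CNAME), and emits both zone-file lines for other providers and a Route 53 ChangeBatch. The ARN, hex labels and domains in the embedded sample are constructed placeholders.

```python
"""Turn the DomainValidationOptions block of `aws acm describe-certificate`
into the DNS records an operator has to create at a non-Route 53 provider,
or into a Route 53 ChangeBatch. Added example for this tutorial, not AWSight
tooling; the ARN, hex labels and domains below are constructed placeholders."""
import json
import sys

# Constructed sample of `aws acm describe-certificate --certificate-arn ... --output json`.
# Note the apex and the wildcard get the identical record: ACM asks for ONE CNAME for both.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
        "DomainName": "example.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com.",
                                "Type": "CNAME",
                                "Value": "_0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.acm-validations.aws."}},
            {"DomainName": "*.example.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com.",
                                "Type": "CNAME",
                                "Value": "_0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.acm-validations.aws."}},
            {"DomainName": "api.example.net", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d.api.example.net.",
                                "Type": "CNAME",
                                "Value": "_c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7.acm-validations.aws."}},
        ],
    }
}


def fqdn(name):
    """Lower-case with exactly one trailing dot, so copies of a record compare equal."""
    return name.strip().lower().rstrip(".") + "."


def validation_records(describe_output):
    """Map each unique (name, type, value) CNAME to the certificate names it validates.
    Only DNS-validated names carry a record; email-validated ones are skipped."""
    records = {}
    for opt in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = opt.get("ResourceRecord")
        if opt.get("ValidationMethod") != "DNS" or rr is None:
            continue
        key = (fqdn(rr["Name"]), rr["Type"], fqdn(rr["Value"]))
        records.setdefault(key, []).append(opt["DomainName"])
    return records


def bind_lines(describe_output, ttl=300):
    """Zone-file lines for providers that accept pasted records. Providers that
    append the zone to the Name field want only the leading _<hex> label."""
    return [f"{name} {ttl} IN {rtype} {value}"
            for (name, rtype, value) in validation_records(describe_output)]


def route53_change_batch(describe_output, ttl=300):
    """ChangeBatch for `aws route53 change-resource-record-sets --change-batch file://...`.
    UPSERT is idempotent, so re-running it during a renewal audit is safe.
    Split the Changes by hosted zone if the certificate spans several zones."""
    changes = [{
        "Action": "UPSERT",
        "ResourceRecordSet": {"Name": name, "Type": rtype, "TTL": ttl,
                              "ResourceRecords": [{"Value": value}]},
    } for (name, rtype, value) in validation_records(describe_output)]
    return {"Comment": "ACM DNS validation records", "Changes": changes}


if __name__ == "__main__":
    # Real use: aws acm describe-certificate --certificate-arn ARN | python3 acm_records.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DESCRIBE
    print("\n".join(bind_lines(data)))
    print(json.dumps(route53_change_batch(data), indent=2))
```

Run it with no input to see the sample, or pipe the real `describe-certificate` output through it; the ChangeBatch goes to `aws route53 change-resource-record-sets --hosted-zone-id Z... --change-batch file://batch.json`. Keeping the output in version control alongside the zone is a cheap way to notice, later, when someone deletes a validation record.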
3
Configure Automatic Renewal (3 minutes)

AWS Certificate Manager automatically renews certificates before expiration, but proper configuration ensures seamless operation.

Auto-Renewal Configuration:

3.1 Verify Auto-Renewal is Enabled

  • Every certificate ACM issues is eligible for managed renewal; there is nothing to switch on
  • Public certificates are valid for 13 months (395 days) and ACM starts renewal attempts 60 days before expiry
  • DNS-validated names renew unattended as long as the validation CNAME is still published
  • Email-validated names need a person to approve the renewal email, which is why DNS validation is recommended
✅ Automatic deployment: once ACM renews a certificate, it swaps the new one in on every attached CloudFront distribution, load balancer and API Gateway custom domain; nothing has to be redeployed.

3.2 Set Up Renewal Monitoring

  • Navigate to the CloudWatch service
  • ACM publishes a DaysToExpiry metric (namespace AWS/CertificateManager, dimension CertificateArn) once a day for every certificate
  • Alarm on it at a threshold below 60 days: ACM should already have renewed by then, so a 30-day alarm firing means renewal did not happen
  • Route the alarm to an SNS topic that reaches the security team (created in 3.3 below)
  • ACM also emits an EventBridge event, "ACM Certificate Approaching Expiration", 45 days before expiry by default; the lead time is an account-level ACM setting you can shorten
```bash
# CloudWatch alarm on ACM's DaysToExpiry metric (published once a day per certificate).
# --evaluation-periods and the SNS action were missing before; put-metric-alarm requires the former.
aws cloudwatch put-metric-alarm \
  --alarm-name "SSL-Certificate-Expiring" \
  --alarm-description "ACM certificate has fewer than 30 days left; managed renewal should have run at 60" \
  --namespace AWS/CertificateManager \
  --metric-name DaysToExpiry \
  --dimensions Name=CertificateArn,Value=arn:aws:acm:region:account:certificate/certificate-id \
  --statistic Minimum \
  --period 86400 \
  --evaluation-periods 1 \
  --threshold 30 \
  --comparison-operator LessThanThreshold \
  --alarm-actions arn:aws:sns:region:account:certificate-renewal-alerts
```

3.3 Configure Renewal Notifications

  • Create an SNS topic for certificate notifications
  • Subscribe the security team's mailbox; SNS sends a confirmation link that must be clicked before any alert is delivered
  • Point the CloudWatch alarm's --alarm-actions at the topic, and consider forwarding AWS Health events for ACM renewal problems (event type AWS_ACM_RENEWAL_STATE_CHANGE) to the same topic with an EventBridge rule
```bash
# Create the SNS topic for certificate alerts
aws sns create-topic --name certificate-renewal-alerts

# Subscribe the security team mailbox (the recipient must click the confirmation link)
aws sns subscribe \
  --topic-arn arn:aws:sns:region:account:certificate-renewal-alerts \
  --protocol email \
  --notification-endpoint security@yourcompany.com
```
⚠️ Critical: Auto-renewal only works if the original validation method remains available. For DNS validation, keep the validation CNAME records in your DNS configuration permanently.
4
Integrate with CloudFront (7 minutes)

CloudFront integration provides global SSL termination and improved performance for your websites and APIs.

CloudFront SSL Configuration:

4.1 Create CloudFront Distribution

  • Navigate to CloudFront service in AWS Console
  • Click "Create Distribution"
  • Configure origin settings for your website/API
  • Set origin domain to your website or ALB

4.2 Configure SSL Settings

  • In "Settings" section, find "Custom SSL certificate"
  • Select your ACM certificate from the dropdown
  • Choose "Security policy" (recommend TLSv1.2_2021)
  • Set "Supported HTTP versions" to HTTP/2 and HTTP/3

4.3 Configure Domain Names

  • In "Alternate domain names (CNAMEs)" field
  • Enter: example.com
  • Add: www.example.com
  • These must match your certificate domains
```bash
# CloudFront distribution with the ACM certificate, via the AWS CLI.
# The certificate must live in us-east-1. Comment, Enabled, a cache policy and
# MinimumProtocolVersion were missing from the earlier version of this command.
aws cloudfront create-distribution --distribution-config '{
  "CallerReference": "ssl-setup-2025",
  "Comment": "example.com via CloudFront",
  "Enabled": true,
  "Aliases": { "Quantity": 2, "Items": ["example.com", "www.example.com"] },
  "Origins": {
    "Quantity": 1,
    "Items": [{
      "Id": "origin1",
      "DomainName": "origin.example.com",
      "CustomOriginConfig": {
        "HTTPPort": 80,
        "HTTPSPort": 443,
        "OriginProtocolPolicy": "https-only",
        "OriginSslProtocols": { "Quantity": 1, "Items": ["TLSv1.2"] }
      }
    }]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "origin1",
    "ViewerProtocolPolicy": "redirect-to-https",
    "Compress": true,
    "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6"
  },
  "ViewerCertificate": {
    "ACMCertificateArn": "arn:aws:acm:us-east-1:account:certificate/cert-id",
    "SSLSupportMethod": "sni-only",
    "MinimumProtocolVersion": "TLSv1.2_2021"
  }
}'
```
The CachePolicyId above is the AWS managed CachingOptimized policy. Two things the console does not warn you about: with "https-only" the origin must present a certificate that is valid for origin.example.com (an ALB carrying its own ACM certificate is fine), and the origin stays reachable directly, so lock it down (a secret custom header checked at the origin, or a security group limited to the CloudFront origin-facing managed prefix list) or the TLS policy you set at the edge can be bypassed.

4.4 Enable HTTPS Redirect

  • Set "Viewer Protocol Policy" to "Redirect HTTP to HTTPS"
  • This ensures all traffic uses SSL encryption
  • Improves SEO rankings and security posture
  • Click "Create Distribution"

4.5 Update DNS to Point to CloudFront

  • Wait for CloudFront distribution to deploy (5-15 minutes)
  • Copy the CloudFront domain name (e.g., d123456789.cloudfront.net)
  • Update your DNS records:
  • Create CNAME record: www.example.com → d123456789.cloudfront.net
  • For apex domain, use Route 53 ALIAS or A record to CloudFront
✅ SSL Active: Your website now uses AWS-managed SSL certificates with automatic renewal and global distribution via CloudFront.

Validation: Verify Your SSL Configuration

Complete these checks to ensure your SSL setup is working correctly:

  • Certificate Status: Verify certificate shows "Issued" status in ACM console.
  • HTTPS Access: Test https://yoursite.com loads without security warnings.
  • HTTP Redirect: Confirm http://yoursite.com redirects to HTTPS version.
  • Certificate Details: Check browser shows valid certificate issued by Amazon.
  • Subdomain Coverage: Test various subdomains work with SSL.
  • Mobile Testing: Verify SSL works on mobile devices and different browsers.

SSL Testing Tools and Commands

```bash
# Full handshake with SNI; look for "Verify return code: 0 (ok)" at the end
openssl s_client -connect example.com:443 -servername example.com -brief </dev/null

# Certificate validity window
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -dates

# Names the certificate actually covers (check your subdomains appear in the SAN list)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -ext subjectAltName

# HTTP -> HTTPS redirect: expect a 301/302 with a Location: https://... header
curl -sI http://example.com

# Print the whole chain the server presents (leaf plus Amazon intermediates)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null
```
Note that curl -I does not grade a TLS configuration; for a graded report use SSL Labs from the list below. The -servername flag matters: CloudFront and ALBs serve many names per IP and return a default certificate when SNI is missing.
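Two of the checks in the list above are easy to get wrong by eye: "how many days are left" and "does the wildcard actually cover this subdomain". The script below is an added example for this tutorial (not AWSight's own code) that takes the text the openssl commands print and answers both, implementing the browser rule that a wildcard stands for exactly one label. The embedded sample output is constructed, not captured from a live host.

```python
"""Interpret the openssl output from the commands above without re-running them:
compute days to expiry from `-enddate` and decide which hostnames the SAN list covers
(a wildcard matches exactly one label, never the apex). Added example for this
tutorial; the sample text is constructed, not captured from a live host."""
from datetime import datetime, timezone
import re

# Constructed: what `openssl x509 -noout -enddate -ext subjectAltName` prints for a
# certificate like the one requested in step 1 (example.com plus *.example.com).
SAMPLE_OPENSSL_OUTPUT = """notAfter=Dec 23 23:59:59 2025 GMT
X509v3 Subject Alternative Name: 
    DNS:example.com, DNS:*.example.com
"""


def _as_utc(now):
    """Accept None (current time), an aware datetime, or an ISO-8601 string."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.fromisoformat(now.replace("Z", "+00:00"))
    return now


def parse_not_after(text):
    """Parse openssl's `notAfter=Mon DD HH:MM:SS YYYY GMT` line into an aware datetime."""
    match = re.search(r"notAfter=(.+)", text)
    if not match:
        raise ValueError("no notAfter line in input")
    stamp = match.group(1).strip().removesuffix(" GMT")
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_until_expiry(text, now=None):
    """Whole days left; negative once the certificate has expired."""
    return (parse_not_after(text) - _as_utc(now)).days


def parse_sans(text):
    """DNS names from the subjectAltName extension (IP and email SANs are ignored)."""
    return re.findall(r"DNS:([^,\s]+)", text)


def hostname_matches(san, hostname):
    """RFC 6125 matching as browsers do it: case-insensitive, and a leading `*`
    stands for exactly one label. `*.example.com` covers www.example.com but
    neither example.com nor a.b.example.com."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # the label the wildcard must stand for
    return bool(leftmost) and "." not in leftmost


def coverage(text, hostnames):
    """hostname -> True if some SAN on the certificate covers it."""
    sans = parse_sans(text)
    return {h: any(hostname_matches(s, h) for s in sans) for h in hostnames}


def report(text, hostnames, threshold_days=30, now=None):
    """One verdict line for expiry plus one per host, mirroring the checklist above."""
    days = days_until_expiry(text, now)
    lines = [f"{'EXPIRING' if days < threshold_days else 'OK'}: {days} days until expiry"]
    for host, ok in coverage(text, hostnames).items():
        lines.append(f"{'covered' if ok else 'NOT covered'}: {host}")
    return lines


if __name__ == "__main__":
    # Real use: echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null \
    #           | openssl x509 -noout -enddate -ext subjectAltName | python3 cert_check.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OPENSSL_OUTPUT
    print("\n".join(report(text, ["example.com", "www.example.com", "a.b.example.com", "example.org"])))
```

The sample shows the point from step 1.3 concretely: example.com and www.example.com are covered, a.b.example.com is not, and a 30-day threshold against a certificate that ACM should have renewed at 60 days out is the signal that something in the renewal path broke.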

Online SSL Testing Tools

  • SSL Labs: https://www.ssllabs.com/ssltest/ - Comprehensive SSL analysis
  • SSL Shopper: https://www.sslshopper.com/ssl-checker.html - Quick certificate check
  • DigiCert: https://www.digicert.com/help/ - Certificate installation checker
  • GeoCerts: https://www.geocerts.com/ssl-checker - SSL certificate tester
5
Set Up Certificate Monitoring (5 minutes)

Proactive monitoring ensures you're alerted to any SSL-related issues before they impact users.

CloudWatch SSL Monitoring:

5.1 Create Certificate Expiration Dashboard

  • Navigate to CloudWatch → Dashboards
  • Create new dashboard: "SSL Certificate Monitoring"
  • Add a metric widget per certificate on the DaysToExpiry metric (namespace AWS/CertificateManager); ACM publishes one value per day, so use a one-day period
  • Repeat in every region where you hold certificates; the metric, like the certificate, is regional
```bash
# Pull the daily DaysToExpiry datapoints for one certificate (one value per day)
aws cloudwatch get-metric-statistics \
  --namespace AWS/CertificateManager \
  --metric-name DaysToExpiry \
  --dimensions Name=CertificateArn,Value=arn:aws:acm:region:account:certificate/cert-id \
  --statistics Minimum \
  --start-time 2025-01-01T00:00:00Z \
  --end-time 2025-01-31T23:59:59Z \
  --period 86400
```

5.2 Configure External Monitoring

  • Set up external SSL monitoring with tools like:
  • Pingdom: SSL certificate expiration monitoring
  • UptimeRobot: Free SSL certificate monitoring
  • StatusCake: SSL certificate alerts
  • Site24x7: Comprehensive SSL monitoring

5.3 Create Custom Health Checks

```bash
#!/bin/bash
# SSL certificate health check: alert when the certificate a host actually serves
# has fewer than THRESHOLD_DAYS left. Needs openssl and GNU date (on macOS use gdate).
set -euo pipefail

DOMAIN="${1:-example.com}"
THRESHOLD_DAYS=30
TOPIC_ARN="arn:aws:sns:region:account:certificate-renewal-alerts"   # topic from step 3.3

# Fetch the served certificate's expiry; -servername matters for SNI hosts like CloudFront
EXPIRY_DATE=$(echo | openssl s_client -connect "${DOMAIN}:443" -servername "${DOMAIN}" 2>/dev/null \
  | openssl x509 -noout -enddate | cut -d= -f2 || true)

if [ -z "${EXPIRY_DATE}" ]; then
  echo "ERROR: could not retrieve a certificate from ${DOMAIN}:443" >&2
  exit 2
fi

# Days until expiration
EXPIRY_EPOCH=$(date -d "${EXPIRY_DATE}" +%s)
CURRENT_EPOCH=$(date +%s)
DAYS_UNTIL_EXPIRY=$(( (EXPIRY_EPOCH - CURRENT_EPOCH) / 86400 ))

if [ "${DAYS_UNTIL_EXPIRY}" -lt "${THRESHOLD_DAYS}" ]; then
  MSG="WARNING: SSL certificate for ${DOMAIN} expires in ${DAYS_UNTIL_EXPIRY} days (${EXPIRY_DATE})"
  echo "${MSG}"
  # Alert via SNS (swap for Slack or email if preferred)
  aws sns publish --topic-arn "${TOPIC_ARN}" --message "${MSG}"
  exit 1
fi

echo "OK: SSL certificate for ${DOMAIN} is valid for ${DAYS_UNTIL_EXPIRY} more days"
```
Run it from cron or a scheduled Lambda against the public hostname, not the origin: it tests what users see, including the CloudFront-attached copy of the certificate, which the ACM metric alone does not prove.

Common Issues and Solutions

Issue 1: Certificate Validation Failing

Symptoms: Certificate stuck in "Pending validation" status

Solutions:

  • Verify the CNAME name and value match the ACM console exactly; providers that append the zone automatically produce _xxx.example.com.example.com, which never validates
  • Check propagation from a public resolver (dig @1.1.1.1) or an online checker
  • Check the domain's CAA records: if any exist they must permit amazon.com, amazontrust.com, awstrust.com or amazonaws.com, or issuance is refused
  • Ensure no conflicting record with the same name exists
  • ACM waits 72 hours; after that the request times out and you must request a new certificate

Issue 2: CloudFront Not Using Certificate

Symptoms: Certificate issued but CloudFront shows SSL errors

Solutions:

  • Ensure certificate is in us-east-1 region for CloudFront
  • Verify domain names match exactly
  • Check alternate domain names (CNAMEs) configuration
  • Wait for CloudFront distribution deployment

Issue 3: Auto-Renewal Failing

Symptoms: Certificate expired despite auto-renewal being enabled

Solutions:

  • Run describe-certificate and read RenewalSummary: RenewalStatus PENDING_VALIDATION means ACM is waiting on DNS or on an email approval
  • Verify every validation CNAME still exists with the expected value; migrating the zone to a new DNS provider commonly drops them
  • Confirm RenewalEligibility is ELIGIBLE and that no restrictive CAA record was added since issuance
  • Review the AWS Health Dashboard for AWS_ACM_RENEWAL_STATE_CHANGE events; CloudTrail records API calls only, so renewal attempts by the ACM service do not appear there
⚠️ Pro Tip: Rehearse the whole chain (request, validation, CloudFront attachment, renewal monitoring) on a staging name such as staging.example.com before touching production. ACM has no separate sandbox or test mode; the staging run is your test.
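The Issue 3 checklist above is mechanical enough to script. The following is an added example for this tutorial (not AWSight's own code): given the "Certificate" object from `aws acm describe-certificate` and a function that resolves CNAMEs, it lists everything that would stop ACM's managed renewal. The certificate data and the resolver answers are constructed; `DNS_NOW.get` stands in for a real lookup such as `dig +short CNAME <name>`.

```python
"""Triage why an ACM certificate might fail managed renewal, using the output of
`aws acm describe-certificate` plus the CNAME answers a resolver returns today.
Added example for this tutorial; the data is constructed and the resolver is a
dictionary standing in for a real DNS query (e.g. dig +short CNAME <name>)."""
from datetime import datetime, timezone


def fqdn(name):
    """Lower-case with one trailing dot so console and resolver spellings compare equal."""
    return name.strip().lower().rstrip(".") + "."


def _as_utc(now):
    """Accept None (current time), an aware datetime, or an ISO-8601 string."""
    if now is None:
        return datetime.now(timezone.utc)
    if isinstance(now, str):
        return datetime.fromisoformat(now.replace("Z", "+00:00"))
    return now


def renewal_findings(cert, resolve_cname, now=None, warn_days=60):
    """Return findings that explain a stalled renewal; [] means nothing visible blocks ACM.
    `cert` is the "Certificate" object from describe-certificate; `resolve_cname(name)`
    returns the CNAME target, or None when the record is absent."""
    findings = []
    if cert.get("RenewalEligibility") != "ELIGIBLE":
        findings.append(f"RenewalEligibility is {cert.get('RenewalEligibility')}; ACM will not attempt managed renewal")
    if not cert.get("InUseBy"):
        findings.append("not attached to any AWS resource; confirm this certificate is still wanted")
    for opt in cert.get("DomainValidationOptions", []):
        domain = opt["DomainName"]
        if opt.get("ValidationMethod") == "EMAIL":
            findings.append(f"{domain}: email validated; someone must approve ACM's renewal email")
            continue
        rr = opt["ResourceRecord"]
        answer = resolve_cname(fqdn(rr["Name"]))
        if answer is None:
            findings.append(f"{domain}: validation CNAME {rr['Name']} is missing from DNS")
        elif fqdn(answer) != fqdn(rr["Value"]):
            findings.append(f"{domain}: validation CNAME resolves to {answer}, expected {rr['Value']}")
    summary = cert.get("RenewalSummary") or {}
    status = summary.get("RenewalStatus")
    if status in ("PENDING_VALIDATION", "FAILED"):
        findings.append(f"last renewal attempt is {status} ({summary.get('RenewalStatusReason', 'no reason given')})")
    not_after = cert.get("NotAfter")          # CLI JSON gives an ISO string, boto3 a datetime
    if isinstance(not_after, str):
        not_after = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
    days_left = (not_after - _as_utc(now)).days
    if days_left < warn_days and status != "SUCCESS":
        findings.append(f"{days_left} days to expiry and no successful renewal recorded; ACM starts trying at 60 days")
    return findings


# Constructed "Certificate" object for a certificate whose renewal has stalled.
STALLED_CERT = {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/11111111-2222-3333-4444-555555555555",
    "Status": "ISSUED",
    "RenewalEligibility": "ELIGIBLE",
    "InUseBy": ["arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"],
    "NotAfter": "2025-12-23T23:59:59+00:00",
    "RenewalSummary": {"RenewalStatus": "PENDING_VALIDATION"},
    "DomainValidationOptions": [
        {"DomainName": "example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com.", "Type": "CNAME",
                            "Value": "_0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.acm-validations.aws."}},
        {"DomainName": "api.example.com", "ValidationMethod": "DNS",
         "ResourceRecord": {"Name": "_7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d.api.example.com.", "Type": "CNAME",
                            "Value": "_c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7.acm-validations.aws."}},
    ],
}
HEALTHY_CERT = {**STALLED_CERT, "RenewalSummary": {"RenewalStatus": "SUCCESS"}}

# Constructed resolver answers: the apex record was deleted in a DNS cleanup, and the
# provider appended the zone to the api record's value (a classic copy-paste failure).
DNS_NOW = {
    "_7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d.api.example.com.":
        "_c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7.acm-validations.aws.example.com.",
}
# What DNS should look like once both records are fixed.
DNS_FIXED = {
    "_3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b.example.com.": "_0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.acm-validations.aws.",
    "_7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d.api.example.com.": "_c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7.acm-validations.aws.",
}

if __name__ == "__main__":
    for line in renewal_findings(STALLED_CERT, DNS_NOW.get, now="2025-11-23T00:00:00Z"):
        print("-", line)
```

In real use, feed it `aws acm describe-certificate --certificate-arn ARN --query Certificate` and a resolver backed by dnspython or a subprocess call to dig. Running it from the same scheduled job as the health check in 5.3 turns the "auto-renewal failed" surprise into a ticket raised 30 days early.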

Advanced SSL Configuration

Multi-Region Certificate Deployment

For global applications requiring certificates in multiple regions:

```bash
# ACM certificates are regional: request one in every region that hosts an ALB,
# plus us-east-1 for CloudFront. Each request must be validated separately.
# Quote the wildcard so the shell does not expand it against local filenames.

# US East (N. Virginia) - for CloudFront
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region us-east-1

# US West (Oregon) - for an ALB in us-west-2
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region us-west-2

# Europe (Ireland) - for an ALB in eu-west-1
aws acm request-certificate \
  --domain-name example.com \
  --subject-alternative-names "*.example.com" \
  --validation-method DNS \
  --region eu-west-1
```

Integration with Application Load Balancer

Configure SSL termination at the load balancer level:

```bash
# HTTPS listener on the ALB, terminating TLS with the ACM certificate.
# The certificate must be in the same region as the load balancer.
# ELBSecurityPolicy-TLS13-1-2-2021-06 allows TLS 1.3 and 1.2 only; the older
# TLS-1-2-2017-01 policy still works but has no TLS 1.3 support.
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:region:account:loadbalancer/app/my-alb/alb-id \
  --protocol HTTPS \
  --port 443 \
  --certificates CertificateArn=arn:aws:acm:region:account:certificate/cert-id \
  --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:region:account:targetgroup/my-targets/tg-id
```
Add a port 80 listener whose default action is a redirect to HTTPS so the ALB behaves like the CloudFront "redirect-to-https" setting, and keep the listener's certificate list to what you need: the ALB presents the default certificate to clients that send no SNI.

API Gateway SSL Configuration

Secure your APIs with custom domain names:

```bash
# Custom domain for an edge-optimized REST API (the certificate must be in us-east-1).
# For a REGIONAL endpoint use --regional-certificate-arn with a certificate from the API's region.
aws apigateway create-domain-name \
  --domain-name api.example.com \
  --certificate-arn arn:aws:acm:us-east-1:account:certificate/cert-id \
  --security-policy TLS_1_2 \
  --endpoint-configuration types=EDGE
```
The command returns a distributionDomainName; point api.example.com at it with a Route 53 alias (or a CNAME elsewhere) and add a base path mapping to the API stage, otherwise the name resolves but returns nothing.


SSL Certificate Best Practices

✅ Best Practice #1: Pair the apex with a wildcard (*.example.com) when many subdomains share one deployment, and remember that the wildcard covers one label only; names like a.b.example.com must be added explicitly.
✅ Best Practice #2: Treat the DNS validation CNAMEs as permanent production configuration (put them in your infrastructure code) so auto-renewal keeps working after zone migrations and cleanups.
✅ Best Practice #3: Use CloudFront for global SSL termination and improved performance, even for single-region applications, and restrict direct access to the origin so the edge TLS policy cannot be bypassed.
✅ Best Practice #4: Send HSTS (HTTP Strict Transport Security) headers, for example through a CloudFront response headers policy (the managed SecurityHeadersPolicy includes one); start with a short max-age and only add includeSubDomains and preload once every subdomain serves HTTPS.
✅ Best Practice #5: Monitor certificate health from outside AWS as well, with a third-party checker hitting the public hostname, so you catch failures in the CloudFront or ALB attachment that the ACM metric alone would not show.
