How to add SSL certificate to AWS EC2 with the help of new AWS Certificate Manager service

Bhavik Joshi picture Bhavik Joshi · Jan 22, 2016 · Viewed 71.8k times · Source

AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore.

They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.

Is there any way to use the certificate with EC2?

Answer

Michael - sqlbot picture Michael - sqlbot · Jan 22, 2016

Q: Can I use certificates on Amazon EC2 instances or on my own servers?

No. At this time, certificates provided by ACM can only be used with specific AWS services.


Q: With which AWS services can I use certificates provided by ACM?

You can use ACM with the following AWS services:

• Elastic Load Balancing

• Amazon CloudFront

• AWS Elastic Beanstalk

• Amazon API Gateway

https://aws.amazon.com/certificate-manager/faqs/

You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.

You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.