First time I tangled with AWS Certificate Manager, I nearly chucked my laptop out the window. All I wanted was a secure site, and suddenly I’m knee-deep in exports, PEMs, and passphrases. If you’ve ever felt the same, pull up a brew and have a squiz at this walkthrough. We’ll get those SSL certificates sorted, even if you’ve never spelled “TLS” before.

How AWS Certificate Manager Made Me (Almost) Ditch My Old Tools

If you’ve ever spent a Sunday arvo wrestling with SSL/TLS certificate renewals, OpenSSL commands, or dodgy scripts just to keep your site secure, you’ll know the pain. I’ve been there—copy-pasting PEM blobs, setting reminders for expiry dates, and cursing at mysterious browser warnings. Then I stumbled across AWS Certificate Manager (ACM), and honestly, it’s made me rethink the whole certificate game. Here’s how ACM made me (almost) ditch my old tools for good.

From Manual Wrangling to “Click-and-Forget” Certificates

Before ACM, my SSL/TLS certificate workflow was a patchwork of manual steps and half-baked automation. I’d generate a CSR, upload it to a CA, wait for approval, download the cert, and then hope I didn’t stuff up the chain when deploying. Renewals? Don’t get me started. With AWS Certificate Manager, most of that hassle just… vanished.

  • Requesting a certificate is as simple as picking your domain and clicking a button.
  • Validation is handled via DNS or email—no more awkward phone calls or faxes (yes, some CAs still do that!).
  • Automatic renewals mean I don’t have to set calendar reminders or risk an expired cert bringing down my site. One caveat up front: renewal only keeps working while the DNS validation record stays in place, and a renewed certificate reaches your servers on its own only where ACM is wired into an AWS service such as a load balancer or CloudFront. A copy you export and install on a non-AWS server won’t update itself; before it expires you’ll need a fresh export (or a new certificate) and another install.

Honestly, it’s a breath of fresh air compared to the old way.

Public vs Private Certificates: What ACM Lets You Do (and What It Won’t)

One of the first things I noticed is that AWS Certificate Manager handles both public and private SSL/TLS certificates, but there are some catches:

  • Public certificates are free. Yep, you read that right: no extra cost for securing your public-facing services. This is a massive win for anyone running websites, APIs, or load balancers on AWS. The one exception is the exportable public certificate covered later in this post, which AWS charges for per certificate when it’s issued.
  • Private certificates are a different story. To issue these, you’ll need the AWS Private CA service, which isn’t free. If you’re running internal services or want to manage your own trust chain, be ready for some extra charges.

So, while ACM is brilliant for public certs, it’s not a one-stop shop for all your private PKI needs unless you’re happy to pay for the privilege.

First-Timer’s Surprise: AWS Certificate Manager Pricing

Here’s the bit that caught me off guard: AWS Certificate Manager pricing is a mixed bag. Public SSL/TLS certificates? Free as a bird, as long as they stay inside AWS; tick the exportable box and AWS charges a per-certificate fee. The moment you want to spin up a private CA, the meter really starts running. You pay for the CA itself (monthly), plus a fee for each private certificate issued. If you’re only after public certs used inside AWS, you’re golden. But if you need exportable or private certs, factor in those costs before you go all-in.

Exporting Certificates: Not All Certs Are Created Equal

One thing I wish I’d known earlier: not all exported certificates are created equal. If you plan to use your SSL/TLS certificate outside AWS (say, on a third-party server or device), you need to mark the certificate as exportable when you request it. If you forget, you’re out of luck—there’s no way to make a non-exportable cert exportable after the fact.

  • Exported certs come in PEM encoding by default, which works for most systems.
  • Only certain types of certificates can be exported, and you have to tick the right box at the start.

So, if you’re planning to use ACM as your one-stop cert shop, keep this gotcha in mind. It’s a small step, but it can save you a world of pain later on.

“ACM took the stress out of SSL/TLS management, but knowing the limits (and costs) up front is key to avoiding surprises.”

Requesting a Public SSL/TLS Certificate: The DNS Validation Tango

Alright, mate, let’s get stuck into the heart of the matter: actually requesting a public SSL/TLS certificate using AWS Certificate Manager (ACM). If you’ve ever tried to wrangle certificates before, you’ll know it can feel like learning the tango—one misstep and you’re flat on your face. But with ACM, it’s a bit more like a slow waltz, especially if you stick to DNS validation. Here’s how I nail it every time, without losing my mind (or my weekend).

Tick the Right Boxes: Public Certificate Selection in AWS Certificate Manager’s Wizard

First up, jump into the AWS Certificate Manager console. You’ll see an option to Request a certificate. Click that, and you’ll be greeted by a wizard that asks what sort of certificate you’re after. For anything that’s going to be exposed to the big, bad internet, you want a public certificate. Private certificates are a different beast and not what we’re after here.

So, select Request a public certificate and hit Next. Now, you’ll need to fill in your domain name(s), the ones you want to secure. Wildcards are fair game here too (e.g., *.yourdomain.com), but a wildcard covers exactly one label: it matches app.yourdomain.com, not yourdomain.com itself or a.b.yourdomain.com, so the usual move is to add both yourdomain.com and *.yourdomain.com to the same certificate. If you want the certificate to be exportable later, this is also the screen where you say so (more on that below). Once you’ve entered your details, it’s time for the real dance: domain validation.

DNS vs Email Validation: Why DNS Often Saves Headaches

At this point, ACM gives you two choices for proving you own the domain: DNS validation or email validation. Now, I avoid email validation like the plague. Why? Because it’s a pain—emails get lost, you have to chase down whoever owns the admin@ or webmaster@ inbox, and it’s just more faff than it’s worth.

DNS validation, on the other hand, is a breeze. ACM generates a special DNS record (a CNAME) that you add to your domain’s DNS settings. Once that record is in place, AWS can automatically check that you control the domain. No waiting for emails, no chasing people—just a quick update to your DNS host and you’re off.

Add That Pesky DNS Record to Your Domain’s Host, Then Wait (and Wait)

After you choose DNS validation, ACM will spit out the exact DNS record you need to add. It’ll look something like this:


Name: _abc123.yourdomain.com.
Type: CNAME
Value: _xyz456.acm-validations.aws.

Copy those details and head over to your DNS provider (could be Route 53, GoDaddy, Cloudflare, whatever you use). Add the CNAME record exactly as ACM gave it to you, with one trap to watch: many DNS dashboards append your zone to whatever you type in the Name field, so enter only the host part (_abc123) and confirm the result isn’t _abc123.yourdomain.com.yourdomain.com. If the zone is hosted in Route 53, the ACM console offers a “Create records in Route 53” button that adds the record for you. Double-check for typos; one wrong character and you’ll be waiting forever.

Now, here’s where the patience comes in. DNS changes can take a while to propagate, and ACM polls periodically rather than instantly. Sometimes it’s five minutes, sometimes it’s an hour. ACM does give up eventually: a request that isn’t validated within 72 hours fails with a timed-out status and you have to request again. Grab a cuppa, do a little dance, and check back in the ACM console.

The Ritual of Checking Certificate Status Until ‘Issued’ Finally Appears

Once you’ve added the DNS record, the certificate status in ACM will show as Pending validation. Refresh the page every so often (I won’t judge if you’re a compulsive refresher—it happens to the best of us). As soon as AWS detects the DNS record, the status will flip to Issued. That’s your green light—the certificate is ready to use.

  • Tip: If it’s stuck on pending for ages, double-check your DNS record. Tools like dig or nslookup show whether it’s visible to the world; ask a public resolver rather than your own, so a cached answer doesn’t mislead you.
  • Leave the CNAME in place after the certificate is issued. ACM reuses the same record to validate automatic renewals, and deleting it is a common reason renewals quietly fail.
  • Remember: No valid domain validation, no certificate. It’s the make-or-break step in the whole process.
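The following script is an added example, not from the original post and not an AWS tool. It does the dig check for you, normalising case and the trailing dot before comparing the observed CNAME with the value ACM issued, spots the “provider appended my zone” mistake, and polls the certificate status with the AWS CLI. The record name, value, zone and ARN in the usage comment are placeholders for your own.

```bash
#!/usr/bin/env bash
# Added example: check that the ACM validation CNAME is live and correct, then poll
# the certificate status. Not from the original post or from AWS; the record name,
# value, zone and ARN in the usage comment are placeholders for your own.
set -euo pipefail

# DNS names are case-insensitive and providers differ on the trailing dot, so
# normalise both sides before comparing them.
normalize_dns_name() {
  local name="${1%.}"                                   # drop a single trailing dot
  printf '%s\n' "$name" | tr '[:upper:]' '[:lower:]'
}

# Return 0 when the observed CNAME target is the one ACM issued.
cname_matches() {
  [ "$(normalize_dns_name "$1")" = "$(normalize_dns_name "$2")" ]
}

# Query a public resolver (not your own cache) and compare against ACM's value.
# Also diagnoses the classic mistake where the DNS dashboard appended the zone,
# leaving the record at _abc123.example.com.example.com instead of _abc123.example.com.
check_validation_record() {
  local name="$1" expected="$2" zone="$3" observed
  observed=$(dig +short CNAME "$name" @1.1.1.1 | sed -n 1p)
  if [ -z "$observed" ]; then
    if [ -n "$(dig +short CNAME "$name.$zone" @1.1.1.1)" ]; then
      echo "No record at $name, but one at $name.$zone: your provider appended the zone." >&2
      echo "Enter only the host part (${name%%.*}) in the Name field." >&2
    else
      echo "No CNAME visible yet for $name (still propagating, or a typo)." >&2
    fi
    return 1
  fi
  if cname_matches "$observed" "$expected"; then
    echo "OK: $name -> $observed"
  else
    echo "MISMATCH: $name -> $observed but ACM expects $expected" >&2
    return 1
  fi
}

# Poll ACM until the certificate leaves PENDING_VALIDATION. Needs the AWS CLI
# with credentials allowed to call acm:DescribeCertificate.
wait_for_issued() {
  local arn="$1" status
  while :; do
    status=$(aws acm describe-certificate --certificate-arn "$arn" \
               --query 'Certificate.Status' --output text)
    echo "status: $status"
    case "$status" in
      ISSUED)             return 0 ;;
      PENDING_VALIDATION) sleep 30 ;;
      *) echo "Certificate is $status; check the ACM console for the reason." >&2; return 1 ;;
    esac
  done
}

# Usage, with the placeholder values swapped for the ones from your ACM request:
#   check_validation_record _abc123.yourdomain.com _xyz456.acm-validations.aws. yourdomain.com
#   wait_for_issued arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID
```

Querying 1.1.1.1 directly sidesteps your ISP’s or laptop’s resolver cache, which is the usual reason a freshly added record “isn’t there” on your machine but is already visible to ACM.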

And that’s the DNS validation tango in AWS Certificate Manager. Once you’ve got that ‘Issued’ status, you’re ready for the next step: actually using your shiny new public certificate.

Why Exportable Certificates Matter (and Why They Can Catch You Out)

Let’s talk about one of the sneakiest little traps in AWS Certificate Manager (ACM): the exportable certificate option. If you’re anything like me, you might have powered through the SSL/TLS certificate request process, only to realise later that you need the certificate somewhere outside AWS—maybe for a load balancer, a legacy server, or a mate’s Docker container. Here’s the kicker: unless you ticked that ‘exportable’ box when you first requested the cert, you’re out of luck. And trust me, I’ve been there—redoing the whole process because I missed one tiny checkbox. Learn from my pain, folks.

What Does ‘Exportable’ Actually Mean?

When you request a certificate in ACM, you get the option to make it exportable. This means you can later download the certificate’s private key, certificate body, and certificate chain. If you don’t tick this at the start, ACM locks it down tight. No export, no workaround, no sneaky hacks. You’ll be spinning your wheels trying to get that private key out, but it’s not going to happen.

  • Exportable = You can download the private key
  • Not exportable = Stuck inside AWS forever

So, if you think you might ever need this certificate outside of AWS (even if it’s just a “maybe”), tick that box. It’s set at the certificate request stage—miss it, and you’ll be back at square one.

The Export Process: What You Actually Get

Assuming you’ve done the right thing and made your SSL/TLS certificate exportable, here’s what happens next:

  1. Head to ACM, find your certificate, and hit the export button. The same export is available from the command line as aws acm export-certificate, which returns the same three artefacts and is handy if you’ll be doing this more than once.
  2. You’ll be prompted to set an encryption passphrase. This is crucial: it encrypts your private key so only someone with the passphrase can use it. Pick something long and random rather than something obvious, and for the love of all things secure, don’t post it in Slack or email it around. Anyone holding both the export and the passphrase holds your key.
  3. Once you enter your passphrase (and confirm it), ACM generates the files in PEM encoding, the interchange format that practically every web server, proxy, and cloud platform accepts. If you’re moving certificates between servers, Docker containers, or different cloud providers, PEM is what you want.
  4. You’ll get a zip file with:
    • Certificate body (your actual cert)
    • Certificate chain (the intermediate certs)
    • Private key (encrypted with your passphrase)

Why PEM Encoding?

PEM encoding is the industry standard for moving SSL/TLS certificates and keys between systems. It’s the binary DER structure encoded in base64 and wrapped in header and footer lines such as -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. The label changes with the content: the key ACM exports reads -----BEGIN ENCRYPTED PRIVATE KEY----- (it’s PKCS #8), and once decrypted it becomes -----BEGIN PRIVATE KEY----- (or -----BEGIN RSA PRIVATE KEY----- from older OpenSSL versions). Most servers, proxies, and cloud platforms expect PEM files, so ACM does the right thing by exporting in this format.

Don’t Forget the Passphrase!

When you export, ACM asks for an encryption phrase. This is used to encrypt your private key file. If you forget it, the bundle you downloaded is useless and you’ll have to export again with a new passphrase. If you share it alongside the bundle, you’re basically handing over the keys to your kingdom. Choose something secure, memorable (but not guessable), and keep it safe, separately from the exported files.

Bottom line: certificate export in ACM is a lifesaver—but only if you set it up right from the start. Don’t let the exportable checkbox catch you out.

Decrypting the Private Key: Command Line Adventures (and Curses)

Alright, mate – you’ve wrangled your SSL/TLS certificate from AWS Certificate Manager (ACM) and now you’re staring down the next hurdle: decrypting the private key with OpenSSL. If you’re anything like me, this is where the real “fun” begins. Grab your certificate bundle, steel your nerves, and get ready for a bit of terminal tomfoolery. Let’s break it down so you don’t lose your mind (or your weekend).

Step 1: Download Your Certificate Bundle and Save the Private Key

First things first: log in to AWS, export your certificate bundle, and make sure you’ve got your private key in PEM format. This file is usually called something like private-key.pem. Do the decryption on the machine where the key will live (in my case an Ubuntu VPS) rather than passing the plaintext key through your laptop: every extra copy is another thing to protect and later delete. If you’re on Windows, WSL gives you the same tooling, but for this guide I’m sticking with Ubuntu: it’s what I use and trust.

Step 2: Fire Up the Terminal and Prep OpenSSL

Open up your terminal. If you’re not already on your server, SSH in. Before you do anything, check that OpenSSL is installed; it’s the standard toolkit for this kind of work, private key decryption included.

openssl version

If you see a version number, you’re golden. If not, install it:

sudo apt update
sudo apt install openssl

Now, create a new file for your private key if you haven’t already. Open your favourite terminal text editor (I’m a nano bloke):

nano private-key.pem

Paste in your PEM-encoded private key, save, and exit. Easy as.

Step 3: Decrypting the Private Key with OpenSSL

Here’s where the magic (and the cursing) happens. You’ll need the passphrase you set when you exported the certificate from ACM. If you’ve forgotten it, well… let’s hope you haven’t. For an RSA key, the command to decrypt your private key is:

openssl rsa -in private-key.pem -out decrypted-key.pem

When you hit Enter, OpenSSL will prompt you for your passphrase. Type it in (it won’t echo on screen), and if all goes well you’ll have a shiny new decrypted-key.pem ready for action. Two notes: openssl rsa only understands RSA keys, so if you requested an ECDSA certificate swap rsa for pkey in that command, which handles either type; and the output is a plaintext key, so create it somewhere only you can read and never paste it into a chat or a ticket.

Common Pitfalls (and Curses)

  • Wrong command? Don’t worry, we’ve all typed open ssl or openssl rsa -in decrypted-key.pem by mistake. Just up-arrow, fix it, and try again.
  • Permission denied? Check your file permissions. chmod 600 private-key.pem usually does the trick.
  • Forgot your passphrase? Sadly, there’s no way back. You’ll need to re-export from ACM with a new passphrase.

Step 4: Protect and Use Your Decrypted Private Key

Once decrypted, your private key is ready for use with non-AWS servers, control panels (like STS CP), or wherever else you need SSL/TLS. But treat it like gold:

  • Set permissions: chmod 600 decrypted-key.pem
  • Move it somewhere secure (the web server’s own TLS directory, owned by the right user) and delete any stray copies, including the one left in your home directory and anything you pasted through nano.
  • Never share it over email or chat. Ever.
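To take the guesswork out of steps 3 and 4, here is an added script (not from the original post and not an AWS tool). It decrypts the key with openssl pkey, which unlike openssl rsa also handles the ECDSA keys ACM can issue, creates the output file with 0600 permissions before any key material is written, and proves the decrypted key belongs to the certificate by comparing public-key fingerprints. The file names are the ones used in this walkthrough; your export bundle may name them differently.

```bash
#!/usr/bin/env bash
# Added example: decrypt an ACM-exported private key with OpenSSL, keep the
# plaintext locked down from the moment it is written, and prove the key matches
# the certificate. Not from the original post or from AWS. File names are the
# ones used in this walkthrough; your export bundle may name them differently.
set -euo pipefail

# Decrypt an encrypted PEM private key into a 0600 file. 'openssl pkey' handles
# RSA and ECDSA keys alike, unlike 'openssl rsa'. The passphrase is read from the
# ACM_EXPORT_PASSPHRASE environment variable when it is set (for scripting);
# otherwise OpenSSL prompts for it on the terminal.
decrypt_key() {
  local encrypted="$1" decrypted="$2"
  # Create the output file with 0600 before OpenSSL writes a single byte, so the
  # plaintext key is never on disk world-readable, not even briefly.
  (umask 077; : > "$decrypted")
  if [ -n "${ACM_EXPORT_PASSPHRASE:-}" ]; then
    openssl pkey -in "$encrypted" -out "$decrypted" -passin env:ACM_EXPORT_PASSPHRASE
  else
    openssl pkey -in "$encrypted" -out "$decrypted"
  fi
}

# Return 0 if the file is readable and writable by its owner only (mode 0600).
key_perms_ok() {
  [ -n "$(find "$1" -maxdepth 0 -perm 600)" ]
}

# Return 0 if the public key inside the certificate is the one derived from the
# private key. A mismatch means the wrong key or the wrong certificate was
# exported, and the web server will refuse the pair.
key_matches_cert() {
  local key="$1" cert="$2" key_fp cert_fp
  key_fp=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  cert_fp=$(openssl x509 -in "$cert" -pubkey -noout \
            | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$cert_fp" ]
}

# Usage:
#   decrypt_key private-key.pem decrypted-key.pem
#   key_perms_ok decrypted-key.pem && key_matches_cert decrypted-key.pem certificate.pem \
#     && echo "key is locked down and matches the certificate"
```

Setting the umask before creating the file, rather than running chmod afterwards, closes the window in which the plaintext key would otherwise exist with the default 0644 permissions.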

Pro tip: You’ll probably curse at least once during this process. It’s all part of the journey. Terminal skills and patience are essential for secure decryption – and for keeping your sanity intact.

With your decrypted private key in hand, you’re ready to configure your server or control panel. Just remember: mistakes here are common, mildly infuriating, and absolutely normal. Take a breath, double-check your commands, and you’ll nail it.

From ACM to the Real World: Installing SSL on Your Control Panel (The Slightly Anti-Climactic Bit)

Right, so you’ve wrangled AWS Certificate Manager, jumped through the validation hoops, and finally got your shiny new SSL/TLS certificate. Now comes the bit that’s less “Hollywood hacking montage” and more “copy, paste, don’t stuff it up.” But don’t let the simplicity fool you—this is where a lot of folks trip over their own shoelaces. Let’s walk through the final steps of SSL certificate installation, using my trusty STS CP control panel as an example. Yours might be cPanel, Plesk, or something else entirely, but the basics are the same.

First things first: you need three things from ACM—the certificate body, the certificate chain (sometimes called the intermediate certificate), and the decrypted private key. If you’ve just exported your SSL/TLS certificate from AWS Certificate Manager, make sure you’re using the decrypted private key, not the encrypted one. Trust me, mixing these up is a classic rookie error and will have you chasing ghosts in your error logs for hours.

Head over to your control panel. In my case, I’m using STS CP, but the process is similar across most platforms. You’ll usually find an SSL or TLS section where you can add or manage certificates. Here’s the order of operations:

First, copy the certificate body from your ACM export and paste it into the “Certificate” or “Public Certificate” field. This is the main bit that browsers check to see if your site is legit. Next, grab the certificate chain—this is the bit that links your certificate to a trusted root authority. Paste that into the “Certificate Authority Bundle,” “CA Chain,” or similar field. Finally, and most importantly, paste your decrypted private key into the “Private Key” field. If you accidentally paste in the encrypted version, your server will spit the dummy and refuse to start SSL.

Once you’ve got all three artefacts in their rightful places, hit save or apply. With a bit of luck (and no typos), your SSL/TLS certificate should now be live. This is the moment for a quiet fist pump or, if you’re feeling dramatic, a full-on happy dance. Your site should now load over HTTPS, and browsers will show that reassuring padlock. To be sure it’s the new certificate and the full chain being served, not an old one your browser has cached, check from outside with openssl s_client (or a scanner such as Qualys SSL Labs) and confirm the expiry date and the intermediate are what you expect.

But before you crack a cold one, there’s one last bit of housekeeping. The exported copy stops being managed by AWS the moment it lands on your server: the ACM console will still show “Issued”, but getting a renewed certificate onto this server is on you. Note the expiry date somewhere you’ll see it and plan to export and reinstall before it rolls around. And if the control panel still shows the old certificate, give it a moment before panicking; some take a minute to reload the web server.

It’s worth noting that no two SSL certificate installations are exactly alike. Different control panels have their own quirks, and sometimes you’ll hit a curveball—maybe a field is named differently, or your host wants the chain and body combined. When in doubt, check your provider’s docs or give their support a bell.
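Before pasting anything, the following added script (not from the original post and not an AWS tool) can catch the two mix-ups described above. It reads only the PEM labels, so it needs nothing beyond sed and grep: it tells the encrypted key from the decrypted one, checks that the body is a single certificate and the chain contains only certificates, and builds the combined body-plus-chain file some hosts ask for, leaf certificate first. The file names are placeholders for your own export.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the three export artefacts before pasting them into
# a control panel, using only the PEM labels (no OpenSSL needed). Not from the
# original post or from AWS. File names are placeholders for your own export.
set -euo pipefail

# Print the label of every PEM block in a file, one per line (e.g. CERTIFICATE,
# ENCRYPTED PRIVATE KEY, PRIVATE KEY).
pem_labels() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Number of PEM blocks in a file.
pem_block_count() {
  pem_labels "$1" | wc -l | tr -d ' '
}

# Return 0 if the file is exactly one certificate: the body for the
# "Certificate" field.
is_single_certificate() {
  [ "$(pem_block_count "$1")" = "1" ] && [ "$(pem_labels "$1")" = "CERTIFICATE" ]
}

# Return 0 if the file holds one or more certificates and nothing else: the
# chain for the "CA bundle" field.
is_certificate_chain() {
  local n; n=$(pem_block_count "$1")
  [ "$n" -ge 1 ] && [ -z "$(pem_labels "$1" | grep -v '^CERTIFICATE$')" ]
}

# Return 0 if the file is a single *decrypted* private key: PKCS#8 "PRIVATE KEY"
# (what openssl pkey writes) or the legacy "RSA PRIVATE KEY"/"EC PRIVATE KEY"
# forms without the Proc-Type encryption header. "ENCRYPTED PRIVATE KEY", which
# is what ACM exports, fails this check; pasting that into a panel is the
# classic reason HTTPS refuses to start.
is_decrypted_private_key() {
  local f="$1"
  [ "$(pem_block_count "$f")" = "1" ] || return 1
  case "$(pem_labels "$f")" in
    "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
    *) return 1 ;;
  esac
  ! grep -q '^Proc-Type: 4,ENCRYPTED' "$f"
}

# For hosts that want body and chain in one field: leaf certificate first, then
# the intermediates in the order the chain file already has them.
combine_body_and_chain() {
  cat "$1" "$2"
}

# Check all three at once; prints what is wrong and returns non-zero on any failure.
check_artefacts() {
  local body="$1" chain="$2" key="$3" rc=0
  is_single_certificate "$body" \
    || { echo "$body: expected one CERTIFICATE block, found: $(pem_labels "$body" | tr '\n' ' ')" >&2; rc=1; }
  is_certificate_chain "$chain" \
    || { echo "$chain: expected only CERTIFICATE blocks" >&2; rc=1; }
  is_decrypted_private_key "$key" \
    || { echo "$key: not a decrypted private key (label: $(pem_labels "$key" | tr '\n' ' '))" >&2; rc=1; }
  return $rc
}

# Usage:
#   check_artefacts certificate.pem certificate_chain.pem decrypted-key.pem
#   combine_body_and_chain certificate.pem certificate_chain.pem > fullchain.pem
```

The label check is deliberately the only thing this script does: it does not prove the key matches the certificate (that needs OpenSSL, covered in the decryption section), but it catches the encrypted-versus-decrypted mix-up and the swapped body and chain before the web server does.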

And there you have it. From ACM to the real world, SSL certificate installation is less about wizardry and more about careful copying and pasting. As long as you match the right artefact to the right field—certificate body, certificate chain, and decrypted private key—you’re golden. Always double-check that “Issued” status in AWS Certificate Manager before declaring victory. If you’ve made it this far, you’ve nailed SSL/TLS certificates with ACM—without losing your mind. Cheers!

TL;DR: Don’t sweat SSL certificate headaches: AWS Certificate Manager and a little practical know-how make it much simpler than you’d think. Remember to validate your domain (and leave the validation record in place), keep your decrypted private keys locked down, and always double-check your server setups. Piece of cake, mate.
