AWS Certificate Manager — SSL/TLS for your ALB

Prerequisites

Before you begin, make sure you have the following:

• An AWS account with access to ACM, Route 53 (for DNS validation), and Elastic Load Balancing.
• An Application Load Balancer running in front of your application.

Request a certificate in ACM

Follow these steps to request an HTTPS certificate for your domain.

1. Open the AWS Management Console.

2. Go to the Certificate Manager service.

   

3. Choose Request a certificate.

   

4. Choose Request a public certificate.

5. Enter your fully qualified domain names and pick a validation method (DNS validation is recommended for automation).

   

6. Choose a key algorithm (for example, RSA 2048), then choose Request.

   

7. In the Certificates list, open the certificate you just requested.

   

8. Open your Route 53 hosted zone for the domain, select the zone, then choose Create record (or use the ACM console shortcuts to create records when offered).

9. To validate a subdomain such as www.example.com, copy the CNAME name and CNAME value from ACM and create a matching CNAME in Route 53.

   Caution: When you enter the CNAME name in Route 53, use only the label ACM shows you; do not append your apex domain twice if the console already shows a fully qualified name.

   

10. To validate the apex domain (for example example.com), add the second CNAME record ACM provides for the apex, again matching name and value exactly.

    Caution: Same as above—avoid duplicating the domain suffix in the record name if Route 53 already treats the value as relative to the zone.

    

11. Your hosted zone should list the new validation records.

    

12. After DNS propagates (often within a few minutes), return to ACM and confirm each domain shows Success under validation status.

    

13. Open EC2 → Load Balancers, select your ALB, open the Listeners and rules tab, then choose Add listener.

    

14. Under Listener configuration:

    1. Protocol: HTTPS
    2. Port: 443
    3. Default action: Forward to your target group
    4. Target group: Select the group that serves your application

    

15. Under Secure listener settings:

    1. Certificate source: From ACM
    2. Certificate: Choose the validated certificate

    

16. Save the listener. Clients can now reach your app over HTTPS on port 443.

Test the secure connection

Verify that browsers trust the certificate and that traffic uses TLS.

1. Open a browser.
2. Visit your site with https:// (for example https://www.example.com).

3. Confirm the connection is secure and the certificate matches your domain (browser padlock / certificate details).

   

Renewal and management

Amazon-issued public certificates in ACM are renewed automatically when DNS validation stays healthy. For quotas, private PKI, and import workflows, see the AWS Certificate Manager User Guide. Use the ACM console to monitor status and plan key-algorithm or domain-name changes.

• Review certificate status periodically in ACM.
• Use Amazon EventBridge or other monitoring if you need alerts beyond the console.

Related in this series