Get Free Wildcard SSL/TLS Certificates with AWS Certificate Manager

Feb 19, 2016

A little less than a month ago, Amazon unveiled a brand new service that could potentially change the way we secure our websites / web apps / API endpoints forever.

It's called ACM, short for AWS Certificate Manager, and it lets you painlessly provision HTTPS certificates for your domains, absolutely free of charge!

Did I mention that it automatically handles certificate renewal for you?

That's right, no more upset clients complaining when you forget to renew a certificate. Say goodbye to the yearly headache that involves purchasing, activating, and deploying a new certificate.

Best of all, ACM also supports provisioning wildcard TLS certificates! I couldn't be happier.

ACM Drawbacks

Now, before you get too excited, there are a few drawbacks to this service as of today:

  1. You can only use ACM certificates on your Elastic Load Balancers or CloudFront distributions.
  2. The certificate private key is not exposed, so you can't set up a raw EC2 web server without an ELB to handle the TLS connection for it.
  3. The service is only available in the US East (N. Virginia) region as of today.

However, these drawbacks are pretty insignificant, and definitely won't keep me from using this great service, at least for some of my HTTPS endpoints.

Getting Started

Setting up one of your hostnames to encrypt HTTPS traffic using an ACM certificate is quick and easy, unlike the traditional buy-ssl-generate-csr-upload-verify-domain-download-certificate-convert-pem-play-with-ca-chain-order-until-finally-works process we all secretly loathe so much.


  1. Go to the ACM Console.
  2. Enter your desired domain (and subdomains) to include in the TLS certificate.
  3. Verify ownership of the domain manually (ACM will perform a whois lookup for the domain's administrative contact information and send a verification e-mail to the listed address).
  4. That's it! Now, all you need to do to use the certificate is to select it for your ELB's HTTPS listener or CloudFront distribution.

I hope you make use of ACM to save yourself some hard-earned cash, especially if you require a wildcard TLS certificate, which would otherwise cost you as much as $100 if it wasn't for ACM.