Elastic Load Balancing
Developer Guide

SSL Certificates for Elastic Load Balancing

If you use HTTPS or SSL for your front-end listener, you must deploy an SSL/TLS certificate on your load balancer. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the back-end instances.

The SSL protocol uses an X.509 certificate (SSL server certificate) to authenticate both the client and the back-end application. An X.509 certificate is a digital form of identification issued by a certificate authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.

You can create a certificate using AWS Certificate Manager or a tool that supports the SSL and TLS protocols, such as OpenSSL. You will specify this certificate when you create or update an HTTPS listener for your load balancer.

Creating an SSL Certificate Using AWS Certificate Manager

You can use AWS Certificate Manager (ACM) to request and manage certificates. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. To deploy a certificate on your load balancer, the certificate must be in the same region as the load balancer.

To allow an IAM user to deploy the certificate on your load balancer using the AWS Management Console, you must grant access to the ListCertificates API action. For more information, see Listing Certificates in the AWS Certificate Manager User Guide.

For more information, see Request a Certificate in the AWS Certificate Manager User Guide.

Creating an SSL Certificate Using SSL/TLS Tools

Before you can deploy a certificate on your load balancer, you must create the certificate, get the certificate signed by a CA, and then upload the certificate using the AWS Identity and Access Management (IAM) service, which manages SSL certificates that are not created using AWS Certificate Manager. By default, IAM allows 20 certificates per AWS account. For more information about this limit and how to request an increase, see Limitations on IAM Entities in the IAM User Guide.

Prerequisite: Install Certificate Tools

Creating a server certificate requires a tool that supports the SSL and TLS protocols.

On Linux, OpenSSL is an open-source tool that provides extensive cryptographic functions. To check whether it is already installed, run openssl version. If OpenSSL is not installed, you must install it. For more information, see the documentation for your Linux distribution.

On Windows, there are several tools that you can use, such as IIS Manager, SelfSSL, OpenSSL, and the Windows PowerShell cmdlets. If you don't have one of these tools already, select a tool and install it.

Step 1: Create a Server Certificate

To create an SSL server certificate, you must generate an RSA private key and create a Certificate Signing Request (CSR). Next, either have your certificate signed by a Certificate Authority (CA), or generate a self-signed certificate so that you can test your SSL implementation while waiting for the CA to sign your certificate. Follow the directions for the tool that you are using. In this example, we provide directions for OpenSSL, and pointers to directions for IIS Manager.

To create a server certificate using OpenSSL

  1. Create a private key and save it in a secure place, as there is no way to get your private key if you lose it.

    Private keys are created using standard key algorithms. Choose the algorithm based on the ciphers that you plan to use when negotiating SSL connections from the client to your load balancer.

    RSA-based Ciphers

    Use the following genrsa command. Note that AWS supports RSA keys that are 1024, 2048, and 4096 bits. However, we recommend that you specify 2048 bits.

    openssl genrsa -out my-private-key.pem 2048

    ECDHE-ECDSA-based Ciphers

    Use the following ecparam command:

    openssl ecparam -name prime256v1 -out my-private-key.pem -genkey
  2. Create a CSR using the following req command:

    openssl req -sha256 -new -key my-private-key.pem -out csr.pem

    The command runs interactively, prompting you to enter the following information:

    Country Name

    The two-letter ISO code for your country. For example, US.

    State or Province Name

    The full name of the state or province where your organization is located. Do not use an abbreviation.

    Locality Name

    The name of the city where your organization is located.

    Organization Name

    The full legal name of your organization.

    Organizational Unit Name

    (Optional) Additional information, such as a product name or division.

    Common Name

    The fully-qualified domain name for your CNAME. This name must be an exact match. For example,,, or *

    Email Address

    The server administrator's email address.

  3. You can either apply to have your certificate signed by a CA, or generate a self-signed certificate to use for testing purposes.

    • To apply for a server certificate, send your CSR to a CA. Your CSR contains information that identifies you. The CA might require other credentials or proof of identity. Upon success, the CA returns a public (identity) certificate and possibly a chain certificate that is digitally signed. AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.

    • To create a self-signed certificate, use the following command:

      openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem
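The procedure above, as an added example that is not part of the AWS guide: a POSIX shell script that runs Step 1 non-interactively, generating either key type, passing the subject fields with -subj instead of answering the prompts, adding a subjectAltName to the self-signed test certificate, and reading back what was issued. The host name, subject values and file names are constructed placeholders; replace them with your own.

```sh
#!/bin/sh
# Added example (not part of the AWS guide): Step 1 run non-interactively so it
# can live in a provisioning script. Host name, subject values and file names
# are constructed placeholders.
set -eu
openssl version >/dev/null 2>&1 || { echo "install OpenSSL first (see Prerequisites)" >&2; exit 1; }

HOST=www.example.com                       # the name clients will connect to
# The same fields `openssl req` prompts for, given as one -subj string.
SUBJ="/C=US/ST=Washington/L=Seattle/O=Example Corp/OU=Web/CN=$HOST/emailAddress=admin@example.com"

# Private key: RSA 2048 (the size the guide recommends) for RSA ciphers, or a
# prime256v1 key for ECDHE-ECDSA ciphers. -noout on ecparam keeps the
# "EC PARAMETERS" block out of the file, so nothing has to be deleted before
# the key is uploaded to IAM.
make_key() {                 # make_key rsa|ec <key.pem>
  case "$1" in
    rsa) openssl genrsa -out "$2" 2048 2>/dev/null ;;
    ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$2" ;;
    *)   echo "make_key: expected rsa or ec, got '$1'" >&2; return 1 ;;
  esac
  chmod 600 "$2"             # the key is the secret; keep it readable by you only
}

# CSR signed with SHA-256, subject taken from $SUBJ instead of the prompts.
make_csr() {                 # make_csr <key.pem> <csr.pem>
  openssl req -sha256 -new -key "$1" -out "$2" -subj "$SUBJ"
}

# Self-signed certificate for testing while the CA processes the CSR. The
# extfile adds a subjectAltName: browsers match the host against the SAN,
# not only the CN, so a test certificate without one is rejected.
self_sign() {                # self_sign <csr.pem> <key.pem> <cert.pem> [days]
  printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
  openssl x509 -req -days "${4:-365}" -sha256 -in "$1" -signkey "$2" \
    -out "$3" -extfile san.ext 2>/dev/null
}

# Helpers to read back what was actually issued.
cert_cn() {                  # prints the CN of a certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_has_san() {             # succeeds if the certificate lists DNS:<name>
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "DNS:$2"
}
csr_ok() {                   # succeeds if the CSR's own signature verifies
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Run the procedure in a scratch directory.
cd "$(mktemp -d)"
make_key rsa my-private-key.pem
make_csr my-private-key.pem csr.pem
self_sign csr.pem my-private-key.pem my-certificate.pem
echo "send csr.pem to your CA; test with my-certificate.pem (CN=$(cert_cn my-certificate.pem))"
```

Swap make_key rsa for make_key ec to produce the ECDHE-ECDSA variant; the rest of the script is unchanged. The self-signed certificate is only for testing: clients will warn about it, and it must be replaced by the CA-issued certificate before the listener goes into service.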

To create a server certificate using IIS Manager

For information about using IIS Manager to create a certificate, see Request an Internet Server Certificate or Create a Self-Signed Server Certificate in the Microsoft TechNet Library.

Step 2: Upload the Certificate

Typically the certificate authority (CA) sends you a public certificate, one or more intermediate certificates, and a root certificate. The intermediate certificates and the root certificate can come bundled in a file or as separate files. The file names may vary depending on the type of SSL certificate you purchase and the certificate authority. Your public certificate is the domain-specific file.

Before you upload the certificate, verify that the certificate, private key, and certificate chain meet the following criteria:

  • The private key must be created using the algorithm based on the ciphers you plan to use for negotiating SSL connections and must be in PEM format.

    RSA-based Ciphers

    Use the following command to convert a private key generated for RSA-based ciphers:

    openssl rsa -in my-private-key -outform PEM -out my-private-key.pem

    ECDHE-ECDSA-based Ciphers

    Use the following command to convert a private key generated for ECDHE-ECDSA-based ciphers:

    openssl ec -in my-private-key -outform PEM -out my-private-key.pem


    When you specify an ECDHE-ECDSA private key for a certificate that you will upload to IAM, you must delete the lines containing "-----BEGIN EC PARAMETERS-----" and "-----END EC PARAMETERS-----", and the line in between these lines.

  • The private key cannot be encrypted with a password.

  • When you receive your server certificate from the CA, the files might not be in the PEM format that is required by IAM. For more information about the PEM format, see pem DESCRIPTION.

    • Use the following command to convert a server certificate that the CA delivered in binary (DER) format:

      openssl x509 -inform DER -in my-certificate -outform PEM -out my-certificate.pem

    • Use the following command to convert a certificate chain delivered in the same format:

      openssl x509 -inform DER -in my-certificate-chain -outform PEM -out my-certificate-chain.pem
  • The current date must be between the certificate's start and end dates.

  • The public and private certificate files must contain a single certificate.

  • The private key must match the public key in the certificate.

  • The certificate chain must include all of your CA's intermediary certificates that lead to the root certificate, and can optionally end with your CA's root certificate. Typically, both intermediate and root certificates are provided by the CA in a bundled file with the proper chained order. The order of intermediate certificates should be documented by the CA. Although the root certificate is optional, you can include it so that you can run a full chain of trust verification, such as SSL Checker.

    If a certificate bundle is not available or not available in the required order, you can create your own certificate chain file using the intermediary certificates, as shown in Example Certificate Chain.
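The criteria above, as an added example that is not part of the AWS guide: a POSIX shell script that checks a key, certificate and chain file against them before upload-server-certificate is run, including the chain ordering described under Example Certificate Chain. It builds its own root, intermediate and server certificates locally so that it runs offline; every file name and subject is a constructed placeholder and no real CA is involved.

```sh
#!/bin/sh
# Added example (not part of the AWS guide): pre-upload checks for the listed
# criteria using only the openssl CLI. The root/intermediate/server material
# below is generated locally; file names and subjects are constructed.
set -eu
openssl version >/dev/null 2>&1 || { echo "install OpenSSL first" >&2; exit 1; }

# Private key: PEM, not password-protected, no "EC PARAMETERS" block, loadable.
key_ok() {                          # key_ok <key.pem>
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
  ! grep -q -- 'ENCRYPTED' "$1" || return 1
  ! grep -q -- 'BEGIN EC PARAMETERS' "$1" || return 1
  openssl pkey -in "$1" -noout </dev/null >/dev/null 2>&1
}

# Certificate file holds exactly one certificate.
single_cert() {                     # single_cert <cert.pem>
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ]
}

# Certificate has not expired (chain_ok below also rejects a not-yet-valid one).
dates_ok() {                        # dates_ok <cert.pem>
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Public half of the private key equals the public key in the certificate;
# comparing the SubjectPublicKeyInfo PEM works for RSA and EC keys alike.
key_matches_cert() {                # key_matches_cert <key.pem> <cert.pem>
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Chain file is in the order IAM expects (issuer of the server certificate
# first, then each certificate's issuer after it) and really links the
# server certificate to the trusted root.
chain_ok() {                        # chain_ok <cert.pem> <chain.pem> <root.pem>
  d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} {print > (d "/" n ".pem")}' "$2"
  prev=$1; n=1
  while [ -f "$d/$n.pem" ]; do
    iss=$(openssl x509 -in "$prev" -noout -issuer)
    sub=$(openssl x509 -in "$d/$n.pem" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    prev="$d/$n.pem"; n=$((n + 1))
  done
  [ "$n" -gt 1 ] || return 1        # an empty chain is not a chain
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# --- constructed test material: Example Root CA -> Example Intermediate CA -> www.example.com
cd "$(mktemp -d)"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
issue() {                           # issue <name> <subject> <signer-name|self> [ext-file]
  ext=${4:-}
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1.key" -subj "$2" -out "$1.csr"
  if [ "$3" = self ]; then signer="-signkey $1.key"
  else signer="-CA $3.pem -CAkey $3.key -CAcreateserial"; fi
  openssl x509 -req -days 30 -sha256 -in "$1.csr" $signer ${ext:+-extfile "$ext"} -out "$1.pem" 2>/dev/null
}
issue root "/CN=Example Root CA" self ca.ext
issue int  "/CN=Example Intermediate CA" root ca.ext
issue srv  "/CN=www.example.com" int
cp srv.key my-private-key.pem; cp srv.pem my-certificate.pem
cat int.pem > my-certificate-chain.pem            # intermediate only (correct)
cat int.pem root.pem > chain-with-root.pem        # intermediate then root (also correct)
cat root.pem int.pem > wrong-order-chain.pem      # root first (IAM rejects this)
openssl ecparam -name prime256v1 -genkey -out ec-with-params.pem   # keeps the EC PARAMETERS block
openssl pkey -in srv.key -aes256 -passout pass:secret -out encrypted.key

for c in "key_ok my-private-key.pem" "single_cert my-certificate.pem" "dates_ok my-certificate.pem" \
         "key_matches_cert my-private-key.pem my-certificate.pem" \
         "chain_ok my-certificate.pem my-certificate-chain.pem root.pem"; do
  if $c; then echo "PASS $c"; else echo "FAIL $c"; fi
done
```

Run the five checks against the real files before calling upload-server-certificate; a FAIL line points at the criterion IAM would reject. The chain check takes the root separately so that it works whether or not the uploaded chain file ends with the root certificate.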

Uploading the Server Certificate

After you have your certificate files in PEM format, use the following upload-server-certificate command to upload them:

aws iam upload-server-certificate --server-certificate-name my-server-certificate \
  --certificate-body file://my-certificate.pem --private-key file://my-private-key.pem \
  --certificate-chain file://my-certificate-chain.pem

Note that if you are uploading a self-signed certificate, you do not need to specify a certificate chain.

When you upload your certificates, IAM validates them. If you get an error, ensure that your files meet the prerequisites and then try uploading them again.

The following are examples of the server certificates, private keys, and certificate chains accepted by IAM.

Example Server Certificate

The server certificate associates your public key with your identity. When you submit your CSR to a certificate authority (CA), the CA returns a server certificate.


Example RSA Private Key

The private key enables you to decrypt messages that are encrypted with your public key.


Example Certificate Chain

The certificate chain enables a browser to build a certificate chain to a root certificate that it trusts. As a result, the browser can implicitly trust your certificate.

The certificate chain includes the intermediate certificates and optionally the root certificate, one after the other without any blank lines, as shown in the following example. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Do not include any intermediaries that are not in the chain of trust path.

Intermediate certificate 2
Intermediate certificate 1
Optional: Root certificate

Step 3: Verify the Server Certificate

After the server certificate is uploaded, you can verify that the information is stored in IAM. Each certificate object has a unique Amazon Resource Name (ARN) and ID.

Use the following get-server-certificate command to verify the certificate object:

aws iam get-server-certificate --server-certificate-name my-server-certificate

The following is an example response. The first line is the ARN of the server certificate and the second line is the ID.