AWS Certificate Manager (ACM): Free SSL for Your CloudFront Site! 🔒

What is AWS Certificate Manager?

AWS Certificate Manager (ACM) is a service that hands you free SSL/TLS certificates and then renews them automatically, forever. It's what puts the little padlock 🔒 next to your domain and turns http:// into the secure https://.

If you've followed my Let's Encrypt guides, you already know the pain of generating and renewing certificates by hand. ACM takes that whole chore off your plate, as long as you're using it with an AWS service like CloudFront. 🎉


Why developers love ACM 💛

  • It's free: Public certificates from ACM cost nothing.
  • Auto-renewal: ACM renews your certificate before it expires, so you'll never get that dreaded "your connection is not private" surprise.
  • Fully managed: No private keys to copy around, no OpenSSL commands to memorize.
  • Tight integration: It plugs straight into CloudFront, Application Load Balancers, and API Gateway.

⚠️ One catch: an ACM certificate can't be exported and used on a raw EC2 or Nginx server. For those you'll still want Let's Encrypt. ACM shines specifically with the AWS services it integrates with.

The one rule you must remember 📍

CloudFront is a global service, and it only reads certificates from a single region: US East (N. Virginia), also known as us-east-1. So before you request your certificate, switch your console region to us-east-1. If your certificate doesn't show up in the CloudFront dropdown later, this is almost always why!


Let's request our free certificate! 🚀

We'll request a certificate, validate it with Route53, and attach it to our CloudFront distribution. Follow along:

  1. Log in to your AWS console and switch the region to US East (N. Virginia) us-east-1.
  2. Navigate to Certificate Manager (ACM) and click Request a certificate.
  3. Choose Request a public certificate and click Next.
  4. Add your domain names. I'll add both mumen.blog and the wildcard *.mumen.blog so every subdomain is covered too.
  5. For the validation method, pick DNS validation (the easy, auto-renewing option) and click Request.
  6. Open the new certificate. Because my domain lives in Route53, AWS shows a handy Create records in Route 53 button. Click it and confirm. This adds the little CNAME records that prove you own the domain.
  7. Wait a few minutes. The status will flip from Pending validation to Issued. 🎉

Attaching the certificate to CloudFront 🌐

  1. Go to CloudFront and open your distribution, then click Edit on the settings.
  2. Under Alternate domain name (CNAME), add mumen.blog (and any subdomain you want to serve).
  3. In the Custom SSL certificate dropdown, select the ACM certificate you just created. (Remember, it only appears here if it lives in us-east-1!)
  4. Save your changes and wait for the distribution to finish deploying.
  5. Finally, in Route53 make sure your domain's A record is an Alias pointing to your CloudFront distribution.
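
The three things that most often go wrong in the steps above (certificate in the wrong region, certificate not yet Issued, an alternate domain name the certificate does not cover) can be checked before you open the CloudFront dropdown. This is an added example, not part of the original post: it reads JSON shaped like the output of aws acm describe-certificate, the sample is constructed with a placeholder account ID and certificate ID, and san_covers and preflight are hypothetical helper names.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# The account ID and certificate ID are placeholders, not real values.
SAMPLE = json.loads("""
{"Certificate": {
  "CertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-ID",
  "DomainName": "mumen.blog",
  "SubjectAlternativeNames": ["mumen.blog", "*.mumen.blog"],
  "Status": "ISSUED"}}
""")

def san_covers(san: str, host: str) -> bool:
    """True if one certificate name covers host (wildcard = exactly one label)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # "*.mumen.blog" -> ".mumen.blog"
    if not host.endswith(suffix):
        return False                      # also rejects the bare apex domain
    label = host[: -len(suffix)]
    return bool(label) and "." not in label

def preflight(describe_output: dict, aliases: list[str]) -> list[str]:
    """Return the problems that would block or break the CloudFront attach."""
    cert = describe_output["Certificate"]
    problems = []
    # ARN layout: arn:partition:service:region:account:resource
    region = cert["CertificateArn"].split(":")[3]
    if region != "us-east-1":
        problems.append(f"certificate is in {region}; CloudFront only reads us-east-1")
    if cert["Status"] != "ISSUED":
        problems.append(f"status is {cert['Status']}, not ISSUED")
    names = cert.get("SubjectAlternativeNames", [])
    for alias in aliases:
        if not any(san_covers(n, alias) for n in names):
            problems.append(f"{alias} is not covered by {names}")
    return problems

if __name__ == "__main__":
    # Aliases you plan to enter under "Alternate domain name (CNAME)".
    for p in preflight(SAMPLE, ["mumen.blog", "www.mumen.blog", "a.b.mumen.blog"]):
        print("FAIL:", p)
```

A wildcard name matches exactly one label, so *.mumen.blog covers www.mumen.blog but not a.b.mumen.blog or the bare mumen.blog, which is why step 4 of the request adds both names.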

Time to test it! ✨

Open your browser and visit https://yourdomain.com. You should see the padlock icon, and clicking it will show a valid certificate issued by Amazon. No warnings, no manual renewals, no stress. Your visitors (and Google) love a secure site! 🔒🚀


Summary

We explored AWS Certificate Manager, learned why it beats manual certificates for AWS-hosted sites, requested a free certificate, validated it with Route53, and attached it to CloudFront. Just remember the golden rule: certificates for CloudFront must live in us-east-1. Enjoy your free, auto-renewing HTTPS! 🎉