How to Import SSL certificate in AWS Certificate Manager and apply on ELB

In this post we will show you how to apply an SSL certificate on an AWS ELB.

Image source


To use the certificate in ELB first we will have to import it in AWS Certificate Manager(ACM).

Currently ACM needs PEM files namely Certificate Body, Certificate Private Key and  Certificate Chain. You can check ACM SSL certificate pre-requisites here.


If you have the SSL certificate in .pem formats you can directly go to Step 7. Else if you have certifcate in .pfx or other format please follow from Step 1.

Step 1  As mentioned earlier ACM expects the certificates in PEM format. So we will first convert the certificates from pfx to pem format using openssl tool.

Step 2  Download the openssl binaries for windows of Linux from the links on openssl site.

Step 3 Once downloaded, install it. In our case we have installed the exe on windows.

Step 4 Go to the location where the OpenSSL is installed. In the bin folder you will find the openssl.exe . We will use this exe for conversion as per below commands. (You may need the import password you used while generation of SSL certificate)

Execute below command in windows command prompt(CMD) as an administrator.

C:\OpenSSL-Win64\bin>openssl pkcs12 -in "C:\OpenSSL-Win64\bin\" -nodes -out "C:\OpenSSL-Win64\bin\test\"

Enter Import Password:

Step 5 In the above command with “-in” you provide location where your .pfx certificate is kept. In “-out” you define the destination where the newly created .pem file should be kept. You can create a pem file from other certificate formats like .cer, .der, .p7b etc. also using openssl. Just explore its help options and execute command as we have done above.

Step 6 Once the .pem file is created you can open it with notepad. It will have multiple certificates and a key in it.


Step 7 Now go to AWS ACM console and click on Import a certificate.

Step 8 In the  Certificate body enter the complete certificate with all digits as below. In it’s description it will have something like friendlyName.




Step 9 Similarly enter the private key contents as below.




Step 10 Similarly enter the Certificate Chain .




Step 11 Finally review and save the certificate.

Step 12 Now go to Route 53 > Hosted Zone and create a record set. Check this link if you want to create a new Hosted Zone.

Step 13 Once inside the hosted zone create a record set where you will basically map your friendly URL name ( to the load balancer with a CNAME. (refer image below)

Step 14 Now go to Load Balancer section and click on your ELB.

Step 15 Go to listeners tab and click on Edit.  Click “Add” and in the Load Balancer protocol select HTTPS. In the same window click “Change” option below SSL certificate.

Step 16 In the new window select Choose an existing certificate from AWS Certificate Manager (ACM), and then select the certificate that you created, from Certificate list. Finally click on Save.

Congrats! You have now applied a new SSL certificate to the load balancer. Do let us know in comments section if you have any query.

Leave a Reply