How to Install GoDaddy Wildcard SSL Certificate on AWS Elastic Load Balancer (Complete Step-by-Step Guide)


When working with GoDaddy wildcard certificates for ELB, you need to properly identify these files:

  • Private Key: The mydomain.key you generated with OpenSSL
  • Public Certificate: The mydomain.com.crt from GoDaddy
  • Certificate Chain: The gd_bundle.crt containing intermediate certificates

First, combine all necessary certificates into a single PEM file:

cat mydomain.com.crt gd_bundle.crt > combined.crt

Inspect the server certificate and check the private key with OpenSSL (x509 -text prints only the first certificate in combined.crt, so this shows the server certificate rather than the whole chain):

openssl x509 -in combined.crt -text -noout
openssl rsa -in mydomain.key -check

You have two approaches for SSL on ELB:

Option 1: Using AWS Certificate Manager (Recommended)

ACM takes the server certificate and the intermediates as separate inputs and rejects a certificate field that holds more than one certificate, so pass mydomain.com.crt rather than combined.crt here:

aws acm import-certificate --certificate fileb://mydomain.com.crt \
--private-key fileb://mydomain.key \
--certificate-chain fileb://gd_bundle.crt \
--region us-east-1

Option 2: Direct ELB Configuration

For classic ELB through AWS Console:

  1. Navigate to EC2 → Load Balancers
  2. Select your ELB and go to Listeners tab
  3. Click "Edit" for HTTPS listener
  4. Upload the combined.crt as Public Key
  5. Upload mydomain.key as Private Key
  6. Select the appropriate security policy

Certificate chain errors: Ensure the intermediate certificates are in correct order. The server certificate should come first, followed by intermediates.

Private key mismatch: Verify your key matches the certificate:

openssl x509 -noout -modulus -in combined.crt | openssl md5
openssl rsa -noout -modulus -in mydomain.key | openssl md5

Wildcard limitations: Remember wildcards only cover one level of subdomains (*.example.com won't cover test.sub.example.com).
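The single-label rule, as an added example that is not code from the original guide: a Go function that applies it, plus a SAN-list check so that a certificate which also lists the bare domain as a Subject Alternative Name is handled correctly. The function names and the sample host names are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// WildcardCovers applies the single-label rule from the text: the "*" in a
// wildcard name stands for exactly one DNS label, so *.example.com matches
// www.example.com but neither example.com nor test.sub.example.com.
func WildcardCovers(pattern, host string) bool {
	pattern, host = strings.ToLower(pattern), strings.ToLower(host) // DNS names are case-insensitive
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host // plain name: exact match only
	}
	suffix := pattern[1:] // "*.example.com" -> ".example.com"
	if !strings.HasSuffix(host, suffix) {
		return false // also rejects look-alikes such as evil-example.com
	}
	label := strings.TrimSuffix(host, suffix)
	return label != "" && !strings.Contains(label, ".")
}

// CertCovers reports whether any name in a certificate's SAN list covers host.
// A wildcard certificate that also carries the bare domain as a SAN covers it.
func CertCovers(sans []string, host string) bool {
	for _, san := range sans {
		if WildcardCovers(san, host) {
			return true
		}
	}
	return false
}

func main() {
	sans := []string{"*.example.com", "example.com"} // constructed SAN list
	for _, h := range []string{"www.example.com", "example.com", "test.sub.example.com", "evil-example.com"} {
		fmt.Printf("%-22s wildcard only: %-5v with bare-name SAN: %v\n",
			h, WildcardCovers("*.example.com", h), CertCovers(sans, h))
	}
}
```

Before buying a wildcard, list the host names you actually serve and run them through a check like this; anything two labels deep (test.sub.example.com) needs its own certificate or a *.sub.example.com wildcard.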

For programmatic setups, use a script like this (ACM takes the server certificate and the chain as separate inputs, so combined.crt is not passed here):

#!/bin/bash
set -euo pipefail

CERT_NAME="MyGoDaddyWildcardCert"
REGION="us-west-2"
ELB_NAME="my-elb"
TARGET_GROUP_ARN="my-target-group-arn"   # replace with the real target group ARN
SSL_POLICY="ELBSecurityPolicy-TLS13-1-2-2021-06"

# Import the server certificate on its own, with the intermediates as the chain,
# and keep the ARN ACM returns instead of looking the certificate up by domain later
CERT_ARN=$(aws acm import-certificate \
  --certificate fileb://mydomain.com.crt \
  --private-key fileb://mydomain.key \
  --certificate-chain fileb://gd_bundle.crt \
  --tags Key=Name,Value="$CERT_NAME" \
  --query CertificateArn --output text --region "$REGION")

ELB_ARN=$(aws elbv2 describe-load-balancers --names "$ELB_NAME" \
  --query 'LoadBalancers[0].LoadBalancerArn' --output text --region "$REGION")

aws elbv2 create-listener --load-balancer-arn "$ELB_ARN" \
  --protocol HTTPS --port 443 \
  --ssl-policy "$SSL_POLICY" \
  --certificates CertificateArn="$CERT_ARN" \
  --default-actions Type=forward,TargetGroupArn="$TARGET_GROUP_ARN" \
  --region "$REGION"

# Confirm which certificate the new listener actually serves
LISTENER_ARN=$(aws elbv2 describe-listeners --load-balancer-arn "$ELB_ARN" \
  --query 'Listeners[?Port==`443`].ListenerArn' --output text --region "$REGION")
aws elbv2 describe-listener-certificates --listener-arn "$LISTENER_ARN" --region "$REGION"

Ongoing maintenance:

  • Rotate certificates before expiration (set CloudWatch alerts)
  • Use AWS Certificate Manager for automatic renewal (ACM renews only certificates it issued; an imported GoDaddy certificate must be re-imported before it expires)
  • Apply appropriate security policies (recommend: ELBSecurityPolicy-TLS13-1-2-2021-06)
  • Enable HSTS headers for additional security

For ALB/NLB configurations, the process is similar but uses different AWS APIs. Always verify your setup using the AWS CLI describe-listener-certificates command after configuration.


When working with GoDaddy wildcard certificates for AWS ELB, you'll receive these key files:

  • gd_bundle.crt (intermediate certificates)
  • yourdomain.com.crt (server certificate)
  • yourdomain.key (private key you generated)

First, combine the certificate files into the correct format AWS expects:

# Combine certificate files in this exact order
cat yourdomain.com.crt gd_bundle.crt > combined.crt

The combined.crt will contain:

  1. Your domain certificate
  2. Intermediate certificates (in proper chain order)

Now use the AWS CLI to upload the certificate. IAM takes the server certificate and the chain as separate fields (the certificate body must hold a single certificate), so pass yourdomain.com.crt as the body and gd_bundle.crt as the chain rather than combined.crt:

aws iam upload-server-certificate \
  --server-certificate-name "YOUR_CERT_NAME" \
  --certificate-body file://yourdomain.com.crt \
  --certificate-chain file://gd_bundle.crt \
  --private-key file://yourdomain.key \
  --path /cloudfront/elb/

Before applying, verify the certificate chain is correct:

openssl verify -CAfile gd_bundle.crt yourdomain.com.crt

The output should be "yourdomain.com.crt: OK"; any other result means the intermediates in gd_bundle.crt do not lead from your certificate to a trusted root.

In the AWS Console:

  1. Navigate to EC2 > Load Balancers
  2. Select your load balancer
  3. Under Listeners tab, click "Edit"
  4. Select HTTPS and choose your uploaded certificate

Issue: "Invalid Certificate Chain" error
Solution: Ensure your combined.crt has certificates in this exact order:

-----BEGIN CERTIFICATE-----
(Your primary certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(First intermediate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Second intermediate if present)
-----END CERTIFICATE-----
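As an added example covering both troubleshooting sections (the chain order shown above and the private key mismatch check given earlier), this Go program, which is not part of the original guide, parses a combined PEM file, checks that it starts with the server certificate and that each certificate is signed by the one after it, and compares the certificate's public key with the private key. It builds its own throwaway root, intermediate and leaf certificates as stand-ins for gd_bundle.crt, mydomain.com.crt and mydomain.key; the function names, the P-256 keys and the PKCS#8 ("BEGIN PRIVATE KEY") key format are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseBundle returns every certificate in a PEM file, in file order.
func parseBundle(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("%s block: %w", b.Type, err)
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// CheckChainOrder enforces the order the text describes: server certificate first, then intermediates, each signed by the one after it.
func CheckChainOrder(bundle []byte) error {
	certs, err := parseBundle(bundle)
	if err != nil {
		return err
	}
	if len(certs) == 0 || certs[0].IsCA {
		return fmt.Errorf("bundle is empty or starts with a CA certificate instead of the server certificate")
	}
	for i := 0; i+1 < len(certs); i++ {
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("certificate %d %q is not signed by certificate %d %q: %w",
				i, certs[i].Subject.CommonName, i+1, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}

// KeyMatchesCert generalises the modulus comparison in the text: it compares public keys directly, so RSA and ECDSA both work.
func KeyMatchesCert(bundle, keyPEM []byte) (bool, error) {
	certs, err := parseBundle(bundle)
	if err != nil || len(certs) == 0 {
		return false, fmt.Errorf("no usable certificate in bundle: %v", err)
	}
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return false, fmt.Errorf("no PEM block in key file")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes) // assumes the "BEGIN PRIVATE KEY" form
	pub, okPub := certs[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	signer, okKey := key.(crypto.Signer)
	if err != nil || !okPub || !okKey {
		return false, fmt.Errorf("unsupported or unreadable key: %v", err)
	}
	return pub.Equal(signer.Public()), nil
}

// mustCert issues a constructed test certificate with a fresh P-256 key; parent == nil makes it self-signed. Sample data only, so it panics on error.
func mustCert(cn string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// BuildSampleFiles constructs stand-ins for mydomain.com.crt, gd_bundle.crt and mydomain.key (a fresh root -> intermediate -> leaf chain, not GoDaddy's certificates).
func BuildSampleFiles() (leaf, chain, key []byte) {
	root, rootKey := mustCert("Sample Root CA", true, nil, nil, 1)
	inter, interKey := mustCert("Sample Intermediate CA", true, root, rootKey, 2)
	leafCert, leafKey := mustCert("*.example.com", false, inter, interKey, 3)
	der, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	pemOf := func(typ string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: b}) }
	chain = bytes.Join([][]byte{pemOf("CERTIFICATE", inter.Raw), pemOf("CERTIFICATE", root.Raw)}, nil)
	return pemOf("CERTIFICATE", leafCert.Raw), chain, pemOf("PRIVATE KEY", der)
}

func main() {
	leaf, chain, key := BuildSampleFiles()
	combined := bytes.Join([][]byte{leaf, chain}, nil) // same as: cat mydomain.com.crt gd_bundle.crt
	fmt.Println(CheckChainOrder(combined), CheckChainOrder(bytes.Join([][]byte{chain, leaf}, nil)))
	fmt.Println(KeyMatchesCert(combined, key)) // true <nil>
}
```

To run this against real files, replace the BuildSampleFiles call with os.ReadFile of combined.crt and mydomain.key; an RSA key written by older OpenSSL as "BEGIN RSA PRIVATE KEY" is PKCS#1 and would need x509.ParsePKCS1PrivateKey instead. Reversing the two inputs in the second CheckChainOrder call is exactly the "Invalid Certificate Chain" situation: the check fails because the first certificate is a CA, before AWS ever sees the file.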