When AWS Certificate Manager (ACM) was first introduced, there was a significant restriction - certificates could only be deployed to specific AWS services like Elastic Load Balancer (ELB), CloudFront, or Elastic Beanstalk environments with ELB. This meant developers couldn't directly use these free certificates on plain EC2 instances.
As of my latest testing (2023), the fundamental limitation still exists:
+---------------------+---------------------------+
| AWS Service         | ACM Certificate Support   |
+---------------------+---------------------------+
| ELB (ALB/NLB)       | Yes                       |
| CloudFront          | Yes                       |
| API Gateway         | Yes                       |
| EC2 (direct)        | No                        |
| Lightsail           | No                        |
+---------------------+---------------------------+
For those needing SSL/TLS on EC2 without ELB, here are your options:
Option 1: Use Let's Encrypt with Certbot
# Install Certbot on Amazon Linux 2 (certbot is packaged in EPEL, so enable that repository first)
sudo amazon-linux-extras install epel -y
sudo yum install -y certbot python3-certbot-nginx
# Obtain certificate (the nginx plugin also rewrites the server block to use it)
sudo certbot --nginx -d example.com -d www.example.com
# Auto-renewal setup: twice a day, with a random delay of up to an hour as Let's Encrypt requests
echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
Option 2: ACM Certificate Export Workaround (Advanced)
While AWS doesn't officially support this, there's a technical workaround using Lambda and S3:
# Lambda function to copy certs to S3 (Python 3.8)
import boto3
import os


def lambda_handler(event, context):
    acm = boto3.client('acm')
    s3 = boto3.client('s3')
    cert_arn = os.environ['CERT_ARN']
    bucket_name = os.environ['BUCKET_NAME']
    # ExportCertificate expects the passphrase as bytes; the private key it
    # returns is encrypted with that passphrase. Read it from the environment
    # (or Secrets Manager) instead of hard-coding it in the function source.
    passphrase = os.environ['CERT_PASSPHRASE'].encode('utf-8')
    # The call only succeeds for certificates ACM treats as exportable
    # (Private CA-issued ones, or public certificates requested as exportable).
    cert = acm.export_certificate(
        CertificateArn=cert_arn,
        Passphrase=passphrase
    )
    # Upload cert components to S3
    s3.put_object(
        Bucket=bucket_name,
        Key='certificate.pem',
        Body=cert['Certificate']
    )
    # The key is passphrase-protected, but still encrypt it at rest and limit
    # bucket access to the instance role that has to fetch it.
    s3.put_object(
        Bucket=bucket_name,
        Key='private.key',
        Body=cert['PrivateKey'],
        ServerSideEncryption='AES256'
    )
    s3.put_object(
        Bucket=bucket_name,
        Key='certchain.pem',
        Body=cert['CertificateChain']
    )
    return {
        'statusCode': 200,
        'body': 'Certificate exported successfully'
    }
For mission-critical applications, I recommend:
- Use ELB with ACM for automatic certificate renewal
- Implement proper security groups restricting HTTPS traffic
- Monitor certificate expiration through CloudWatch
- Consider using AWS WAF with your load balancer for additional protection
According to AWS documentation, they plan to expand ACM support. Key areas to monitor:
- Direct EC2 instance support
- More domain validation options
- Extended certificate types (wildcard subdomains)
- Integration with more AWS services
AWS Certificate Manager (ACM) provides free SSL/TLS certificates, but there's significant confusion about where these certificates can be deployed. The official documentation primarily mentions integration with:
- Elastic Load Balancers (ELB)
- Amazon CloudFront distributions
- Elastic Beanstalk environments
The fundamental limitation is that ACM doesn't provide a way to export private keys. This means:
# You CANNOT get the private key via AWS CLI
# (--passphrase is a required argument; it must be given as a binary file)
aws acm export-certificate --certificate-arn your-arn --passphrase fileb://passphrase.txt
# This command will fail with "ExportCertificate is not supported"
While you can't directly use ACM certificates on EC2, here are practical alternatives:
Option 1: Use Let's Encrypt with Certbot
For plain EC2 instances, Let's Encrypt remains the best free alternative:
sudo apt-get update
sudo apt-get install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com
Option 2: Create a Reverse Proxy Setup
You can place an Application Load Balancer (ALB) in front of your EC2 instance:
# Sample Terraform configuration for ALB with ACM
resource "aws_lb" "example" {
  name               = "example-alb"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = aws_subnet.public[*].id
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.example.arn
  port              = 443
  protocol          = "HTTPS"
  # TLS 1.2/1.3 only; the older ELBSecurityPolicy-2016-08 still accepts TLS 1.0/1.1
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.example.arn

  # default_action is required on a listener; forward to the target group that
  # registers the EC2 instance (aws_lb_target_group.example is assumed to be
  # defined alongside, like the security group and certificate referenced above)
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.example.arn
  }
}
When implementing SSL/TLS on EC2:
- Always keep private keys secure (chmod 400)
- Set up automatic certificate renewal
- Use strong cipher suites (avoid SSLv3, TLS 1.0)
AWS might eventually support:
- Private key export functionality
- Direct EC2 integration
- More flexible certificate management
Until then, the solutions above provide viable paths to secure your EC2 instances with trusted certificates.
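Added example, not from either answer above and not an AWS or certbot tool: a POSIX shell script for the EC2 host that checks the Let's Encrypt bundle both answers describe, so that a broken `certbot renew` or a mis-installed key is caught before the site goes down. It verifies the private-key file mode (the chmod 400 point), that the key actually belongs to the certificate, and that the certificate is not about to expire; the certbot paths and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Assumed placeholder paths following certbot's default layout; adjust per host.
CERT="${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}"
KEY="${KEY:-/etc/letsencrypt/live/example.com/privkey.pem}"

# Succeeds when the certificate in $1 stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Prints whole days until the certificate in $1 expires (needs GNU date -d).
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    echo $(( ($(date -u -d "$end" +%s) - $(date -u +%s)) / 86400 ))
}

# Succeeds when the private key in $2 belongs to the certificate in $1:
# both must yield the same SubjectPublicKeyInfo in PEM form.
key_matches_cert() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the key file is readable only by its owner (0400 or 0600).
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null)
    [ "$mode" = "400" ] || [ "$mode" = "600" ]
}

# check_cert_bundle CERT KEY MIN_DAYS: non-zero exit if any check fails,
# so it can run from cron after `certbot renew` and feed an alert.
check_cert_bundle() {
    rc=0
    key_perms_ok "$2" || { echo "FAIL: $2 is not mode 0400/0600"; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    cert_valid_for_days "$1" "$3" \
        || { echo "FAIL: $1 expires within $3 days; renewal may be broken"; rc=1; }
    return $rc
}

# Only runs the checks when the (assumed) certbot files are present on this host.
[ -f "$CERT" ] && check_cert_bundle "$CERT" "$KEY" 14
```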