Installing an SSL Certificate on AWS for Load Balancers and CloudFront

Daniel Martinez

Amazon Web Services (AWS) centralizes SSL Certificate handling in one service, and everything downstream becomes simple once your SSL Certificate lives there. AWS Certificate Manager (ACM) holds the imported SSL Certificate, while load balancers and CloudFront distributions simply reference it.

The detail that catches almost everyone is region placement, and this guide covers it alongside the import and both attachment paths.

Prerequisites and Required Files

You need AWS console access with permission to manage ACM and the target load balancer or distribution. You also need your issued SSL Certificate, the ca-bundle of Intermediate Certificates from the Certificate Authority (CA), and your Private Key, all in PEM format.

The first two are available in the tracking system, while the Private Key exists only where your Certificate Signing Request (CSR) was generated. View Our Tracking & SSL Management 🔗

Choosing the Correct Region

ACM is regional, and the SSL Certificate must be imported where it will be used. A load balancer can only reference an SSL Certificate imported into its own region, while CloudFront only reads from US East (N. Virginia), the us-east-1 region, regardless of where your origin runs.

Serving both a load balancer outside us-east-1 and a CloudFront distribution therefore means importing the same SSL Certificate twice, once into each region. This is normal practice rather than a workaround.

Importing into AWS Certificate Manager

Open ACM in the chosen region and start a new import. Three fields take your material directly as pasted PEM text.

Certificate body takes the issued SSL Certificate alone. Certificate private key takes the Private Key. Certificate chain takes the full ca-bundle, and completing this third field is what spares mobile devices and strict clients from chain warnings later. Learn About Intermediate Certificates 🔗

Confirm the import, and the SSL Certificate appears in the ACM list showing its covered domains and expiry. ACM stores the Private Key encrypted and never exposes it again, so retain your own copy independently.
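The regional rule and the import above as a script, added here as an example and not taken from the original guide: it imports the same three PEM files into each region that will reference the SSL Certificate and can then point an Application Load Balancer HTTPS listener at the regional copy. The file names certificate.pem, private.key and ca-bundle.pem, the listener ARN argument and a configured AWS CLI are assumptions.

```shell
#!/bin/sh
# Import one issued certificate into every ACM region that will reference it,
# then make it the default certificate of an ALB HTTPS listener.
# Assumes: certificate.pem (body), private.key, ca-bundle.pem (chain), AWS CLI.
set -e

# regions_needed ALB_REGION USE_CLOUDFRONT(yes|no): the ALB needs a copy in its
# own region, CloudFront one in us-east-1; when both land on us-east-1 the
# region is imported once. $list is split on purpose; awk drops duplicates.
regions_needed() {
  list=$1
  [ "$2" = yes ] && list="$list us-east-1"
  printf '%s\n' $list | awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# import_everywhere CERT KEY CHAIN REGION...: one import per region, with the
# ca-bundle going into the Certificate chain field. Prints "region arn".
import_everywhere() {
  cert=$1 key=$2 chain=$3; shift 3
  for r in "$@"; do
    arn=$(aws acm import-certificate --region "$r" \
      --certificate "fileb://$cert" --private-key "fileb://$key" \
      --certificate-chain "fileb://$chain" \
      --query CertificateArn --output text)
    echo "$r $arn"
  done
}

# attach_to_alb LISTENER_ARN CERT_ARN: set the listener's default certificate.
# The listener's region is field 4 of its ARN.
attach_to_alb() {
  region=$(echo "$1" | cut -d: -f4)
  aws elbv2 modify-listener --region "$region" --listener-arn "$1" \
    --certificates "CertificateArn=$2" >/dev/null
}

# Usage: ./acm-import.sh certificate.pem private.key ca-bundle.pem ALB_REGION yes|no [HTTPS_LISTENER_ARN]
# The us-east-1 ARN printed here is the entry to pick in the CloudFront
# Custom SSL Certificate dropdown.
if [ $# -ge 5 ]; then
  import_everywhere "$1" "$2" "$3" $(regions_needed "$4" "$5") |
  while read -r region arn; do
    echo "imported into $region: $arn"
    if [ $# -eq 6 ] && [ "$region" = "$4" ]; then attach_to_alb "$6" "$arn"; fi
  done
fi
```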

Attaching to an Application Load Balancer

Open the EC2 console, select Load Balancers, and choose your load balancer. On the Listeners tab, edit the HTTPS listener on port 443, or add one if the load balancer currently terminates only HTTP.

In the default SSL Certificate selection, choose From ACM and pick the imported entry, then save. New connections receive the SSL Certificate immediately. The load balancer terminates Transport Layer Security (TLS) at the edge and forwards traffic to your targets, an architecture worth understanding when deciding what the targets themselves should serve. Learn About SSL Offloading 🔗

Assigning to a CloudFront Distribution

With the SSL Certificate imported into us-east-1, open your CloudFront distribution and edit the General settings. Add your hostname under Alternate domain names, since CloudFront only presents a custom SSL Certificate for explicitly listed names, then select the ACM entry in the Custom SSL Certificate dropdown and save.

Distribution changes deploy across edge locations over several minutes, so allow the deployment to complete before testing.

Important: An imported SSL Certificate does not appear in the CloudFront dropdown when it sits in any region other than us-east-1. If the dropdown looks empty despite a successful import, the region is the first thing to check.

With the listener or distribution updated, the result is ready to confirm.

Verifying the Installation

Browse to the hostname and confirm the SSL Certificate details, then run an external scan to confirm the full chain reaches fresh clients, which validates that the chain field was completed at import. Trustico® provides free checking tools for this confirmation. Explore Our Trustico® SSL Tools 🔗

Troubleshooting Common Installation Problems

An import rejected over a key mismatch means the Private Key does not pair with the SSL Certificate, usually because the CSR was regenerated after submission. A reissue against the current CSR resolves it. Learn About Reissuing Your SSL Certificate 🔗

An import rejected over formatting means the pasted material is not clean PEM text. Confirm each block carries its begin and end markers with no surrounding whitespace or Windows line ending artifacts.

Chain warnings after a successful attachment mean the chain field was left empty at import. Reimport with the ca-bundle included and repoint the listener or distribution at the new entry.
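The three failure cases above, plus the chain check from the verification step, as local checks you can run before pasting and after attaching. This is an added example, not part of the original guide; it assumes only POSIX tools and the openssl command line, and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Pre-import checks for the three PEM files ACM takes, and a post-attachment
# check of the chain an endpoint actually serves. Assumes POSIX sh + openssl.

# pem_check FILE LABEL(body|key|chain): clean PEM means LF line endings only,
# a BEGIN marker on the first line, the matching END marker on the last line,
# and no whitespace before or after the block.
pem_check() {
  f=$1 label=$2
  if [ $(( $(tr -cd '\r' < "$f" | wc -c) )) -gt 0 ]; then
    echo "$label: CR characters found (Windows line endings)" >&2; return 1
  fi
  first=$(head -n 1 "$f"); last=$(tail -n 1 "$f")
  case $first in "-----BEGIN "*"-----") ;;
    *) echo "$label: first line is not a BEGIN marker" >&2; return 1 ;;
  esac
  case $last in "-----END "*"-----") ;;
    *) echo "$label: last line is not an END marker (trailing whitespace?)" >&2; return 1 ;;
  esac
  bt=${first#-----BEGIN }; bt=${bt%-----}; et=${last#-----END }; et=${et%-----}
  if [ "$bt" != "$et" ]; then
    echo "$label: BEGIN $bt is paired with END $et" >&2; return 1
  fi
  # The Certificate body field takes the issued certificate alone; the
  # ca-bundle belongs in the Certificate chain field.
  if [ "$label" = body ] && [ "$(grep -c -- '-----BEGIN ' "$f")" -ne 1 ]; then
    echo "body: must hold exactly one certificate" >&2; return 1
  fi
}

# key_matches_cert KEY CERT: a key mismatch rejection means the public key in
# the certificate differs from the one derived from the private key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$k" = "$c" ]
}

# served_chain_depth HOST: number of certificates the endpoint sends. A depth
# of 1 (leaf only) after attachment means the chain field was left empty.
served_chain_depth() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Usage: ./checks.sh certificate.pem private.key ca-bundle.pem
if [ $# -eq 3 ]; then
  pem_check "$1" body && pem_check "$2" key && pem_check "$3" chain &&
    key_matches_cert "$2" "$1" && echo "local checks passed"
fi
```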

Professional Installation Assistance

AWS environments often combine load balancers, distributions, and multiple regions, and placing each SSL Certificate correctly takes some platform familiarity.

Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf. Discover Our Premium Installation Service 🔗

Most Popular Questions

Frequently asked questions covering SSL Certificate installation on Amazon Web Services (AWS), including the regional rule with the us-east-1 CloudFront requirement, the AWS Certificate Manager (ACM) paste fields, Private Key retention, Application Load Balancer attachment, CloudFront assignment, import rejection diagnosis, and the Trustico® Premium Installation service.

The Regional Rule and the us-east-1 Requirement

AWS Certificate Manager (ACM) is regional, so a load balancer can only reference an SSL Certificate imported into its own region, while CloudFront only reads from US East (N. Virginia) regardless of where the origin runs. Serving both a load balancer outside us-east-1 and a CloudFront distribution therefore means importing the same SSL Certificate twice, which is normal practice rather than a workaround.

The Three Paste Fields in AWS Certificate Manager (ACM)

Certificate body takes the issued SSL Certificate alone, Certificate private key takes the Private Key, and Certificate chain takes the full ca-bundle of Intermediate Certificates. Completing the third field is what spares mobile devices and strict clients from chain warnings later.

Private Key Retention After Import

AWS Certificate Manager (ACM) stores the Private Key encrypted and never exposes it again after import. Retain your own copy independently.

Attaching the SSL Certificate to an Application Load Balancer

On the Listeners tab of the load balancer, edit the HTTPS listener on port 443, choose From ACM in the default SSL Certificate selection, and pick the imported entry. New connections receive the SSL Certificate immediately, with the load balancer terminating Transport Layer Security (TLS) at the edge and forwarding traffic to the targets.

Assigning the SSL Certificate to a CloudFront Distribution

Add the hostname under Alternate domain names, since CloudFront only presents a custom SSL Certificate for explicitly listed names, then select the entry in the Custom SSL Certificate dropdown. An imported SSL Certificate does not appear in the dropdown when it sits in any region other than us-east-1, so the region is the first thing to check when the dropdown looks empty, and distribution changes deploy across edge locations over several minutes.

Import Rejections over Key Mismatch and Formatting

A key mismatch rejection means the Private Key does not pair with the SSL Certificate, usually because the Certificate Signing Request (CSR) was regenerated after submission, and a reissue against the current CSR resolves it. A formatting rejection means the pasted material is not clean PEM text, so confirm each block carries its begin and end markers with no surrounding whitespace or Windows line ending artifacts.

Premium Installation Assistance for AWS Environments

AWS environments often combine load balancers, distributions, and multiple regions, and placing each SSL Certificate correctly takes some platform familiarity. Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.
