This document provides information about setting up HTTPS that applies to the AWS multi-tier and CloudFormation Kill Bill architectures. HTTPS is based on the use of a verification document called a certificate. For an explanation of certificates see HTTPS and Certificates. A certificate must identify a certificate authority (CA), a trusted site that can show that the bearer of the certificate can be trusted. The multi-tier and CloudFormation architectures can be protected by a certificate created by the AWS Certificate Manager (ACM). There is no extra cost for ACM certificates.

If you own a domain, your domain provider can serve as your CA. If you don’t have a domain, you can purchase one at very low cost from a domain provider such as GoDaddy. When you obtain a domain you need to prove your identity, so your domain provider can trust you. To demonstrate this trust you will need a CNAME.

The remainder of this document has three parts:

Step 1: Preliminary concepts

Before you begin, review the following concepts to be sure you understand them.


A CNAME, or Canonical Name, is an identifier for the resources that you are protecting with your certificate. A CNAME record creates an alias for this name. CNAMEs are discussed in HTTPS and Certificates. Further instructions for setting up your required CNAME records are given here.

Protocol and Port Setup

Your AWS security group by default provides rules giving access to Kaui and Kill Bill using the HTTP protocol and a specified port number. For HTTPS you will need modified rules with the new protocol and a new port number.


When you create a new certificate you will need to validate your certificate. This identifies the trust hierarchy for the certificate. You may need to set up a temporary CNAME record for this purpose, and you may need to provide temporary access via an extra port in your security group.

Step 2: Obtaining a Certificate

The AWS Certificate Manager (ACM) offers a straightforward way to provide SSL/TLS protection for AWS resources such as load balancers. This will be explained here.

2.1. Request a Certificate

If you are setting up a new multi-tier or CloudFormation implementation, choose the HTTPS option for your load balancer. You will come to a page that asks for your certificate. Click on Request a new Certificate from ACM.

Otherwise, to add HTTPS security to an existing implementation, select Security, Identity, and Compliance, then Certificate Manager from the Services menu. In this case you will need to edit your load balancer(s) later on.

In either case you will be taken to the main page of the ACM. Initially this will probably show that you have no certificates. On the left menu, click Request a Certificate.

The next page will give you the option to request a public or private certificate. The private option may be grayed out. Click Request a Public Certificate. The page that appears will ask you to specify several parameters, including one or more domain names and a validation method.


2.2. Set up CNAME records

To validate your certificate, you must first set up a validation CNAME record. The values to use for this record will be seen shortly. You will then create the CNAME record that you will actually use to access the system.

Enter your domain name, using the wildcard format (e.g., \*.mydomain.com). In the second pane, select DNS Validation. Do not change the other settings. Scroll to the bottom of the page, and click Request. The main ACM page will again appear.

You should see a new certificate in progress with your (wildcard) domain name. Its status will be Pending Validation. Select the Certificate ID. The display will expand to show the values that you must use to create your validation record.
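
The validation values shown in the console can also be read from the JSON returned by `aws acm describe-certificate`. The following is an added example, not part of the Kill Bill documentation: it extracts the CNAME records still to be created and flags entries that should not be copied into DNS as they stand. The sample response, its domain names and record values are constructed placeholders, and the check that a record sits under the domain it validates is this example's own sanity rule.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# Domain names and record values are placeholders, not real data.
SAMPLE = json.loads("""
{"Certificate": {"DomainName": "*.mydomain.com", "Status": "PENDING_VALIDATION",
  "DomainValidationOptions": [
    {"DomainName": "*.mydomain.com", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_abc123.mydomain.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "mydomain.com", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION",
     "ResourceRecord": {"Name": "_abc123.mydomain.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "other.example", "ValidationMethod": "DNS",
     "ValidationStatus": "PENDING_VALIDATION"}
  ]}}
""")


def validation_records(response):
    """Return (unique DNS records to create, reasons a domain is not ready)."""
    records, problems = [], []
    for opt in response["Certificate"].get("DomainValidationOptions", []):
        domain = opt["DomainName"]
        if opt.get("ValidationStatus") == "SUCCESS":
            continue  # already validated, nothing to create
        if opt.get("ValidationMethod") != "DNS":
            problems.append(f"{domain}: not using DNS validation")
            continue
        rr = opt.get("ResourceRecord")
        if rr is None:  # record values not present in the response yet
            problems.append(f"{domain}: no validation record yet, retry")
            continue
        # Sanity rule (assumption of this example): the record should sit
        # under the domain it validates; flag anything else for review.
        base = (domain[2:] if domain.startswith("*.") else domain).lower()
        name = rr["Name"].rstrip(".").lower()
        if not name.endswith("." + base):
            problems.append(f"{domain}: record {rr['Name']} is outside {base}")
            continue
        rec = (rr["Name"], rr["Type"], rr["Value"])
        if rec not in records:  # collapse duplicates across domain entries
            records.append(rec)
    return records, problems
```
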