‹ Return to Overviews

SSL/TLS certificates in Lightsail

tl;dr

Amazon Lightsail uses SSL/TLS certificates to handle encrypted web traffic (HTTPS requests). You can create certificates, verify domain ownership, and then attach the validated certificates to a Lightsail load balancer or distribution.

Last updated: July 23, 2020

You can create Transport Layer Security (TLS) certificates in Amazon Lightsail to enable encrypted web traffic, also known as Hypertext Transfer Protocol Secure (HTTPS), to Lightsail load balancers and distributions. TLS is an updated, more secure version of Secure Socket Layer (SSL). Throughout the Lightsail documentation and console, you'll see us refer to it as SSL/TLS.

Why use HTTPS?

First and foremost is security. HTTPS offers an extra layer of security because it uses TLS to move data. HTTPS encryption is confidential between the web server and the client's browser, because they are the only two entities who can decrypt the traffic. HTTPS connections are also more secure because the data a client exchanges with the server can't be modified by another party.

Aside from security benefits mentioned above, there are other reasons to use HTTPS in addition to HTTP. For example, in 2014 Google began ranking secure websites higher in search results. In other words, a site that uses HTTPS ranks closer to the top of search results compared to a site that only uses HTTP (all other things being equal).

Learn more about HTTPS as a ranking signal

Using SSL/TLS certificates with your Lightsail distribution

HTTPS is required on Lightsail distributions. When you create a distribution, HTTPS is enabled by default for your distribution's default domain (e.g., 123456abcdef.cloudfront.net). If you want to use your registered domain name (e.g., example.com) with your distribution, you must create an SSL/TLS certificate, validate it with your domain name, and enable custom domains on your distribution. Enabling custom domains on your distribution also attaches your domain's validated certificate to your distribution.

Only one certificate can be in use at a time per distribution. If you disable custom domains on your distribution, your distribution is no longer able to handle HTTPS traffic until you enable custom domains again.

Important

The domain names that you specify when creating an SSL/TLS certificate for your distribution cannot exist in another SSL/TLS certificate across all Amazon Web Services (AWS) accounts, including certificates issued by AWS Certificate Manager.

You can get started with enabling custom domains and HTTPS on your distribution by following these links.

For more information about distributions, see Content delivery network distributions in Amazon Lightsail.

Using SSL/TLS certificates with your Lightsail load balancer

When you create a Lightsail load balancer, port 80 is open by default to handling regular HTTP traffic. To enable HTTPS traffic over port 443, you must create an SSL/TLS certificate, validate it with your domain name, and attach it to your load balancer.

You can create up to two SSL/TLS certificates per load balancer. Only one certificate can be in use at a time per load balancer. If you delete a valid, in-use certificate from your load balancer, your load balancer is no longer be able to handle HTTPS traffic until you attach another valid certificate.

To enable HTTPS on your load balancer, you must follow these steps in order.

HTTPS process overview

You can get started with enabling HTTPS on your load balancer by following these links.

For more information about load balancers, see Lightsail load balancers.