

# Enable HTTPS with an SSL/TLS certificate for your Lightsail load balancer
<a name="create-tls-ssl-certificate-and-attach-to-lightsail-load-balancer-https"></a>

After you create a Lightsail load balancer, you can attach a Transport Layer Security (TLS) certificate to enable HTTPS. With the certificate attached, the load balancer terminates encrypted (HTTPS) connections from your users instead of accepting only plain HTTP, so the certificate must cover every hostname that users will type into their browsers. To learn more, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

## Prerequisites
<a name="create-ssl-tls-certificate-prerequisites"></a>

Before you get started, you will need the following.
+ A Lightsail load balancer. To learn more, see [Create a load balancer](create-lightsail-load-balancer-and-attach-lightsail-instances.md).

## Create the certificate request
<a name="create-ssl-tls-certificate"></a>

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Networking**.

1. Choose the name of the load balancer for which you want to configure an SSL/TLS certificate.

1. Choose the **Custom domains** tab.

1. Choose **Create certificate**.

1. Enter a name for your certificate or accept the default.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character (a letter or a digit).
   + Can include alphanumeric characters, periods, dashes, and underscores.

1. Enter your primary domain (`www.example.com`), and up to 9 alternate domains or subdomains.

   For more information, see [Add alternate domains and subdomains to your SSL/TLS certificate](add-alternate-domain-names-to-tls-ssl-certificate-https.md).

1. Choose **Create certificate**.

   Lightsail begins the validation process. You have 72 hours to verify that you own your domain.

   After you create your certificate, you see the certificate along with the domain name and all your alternate domains and subdomains. You need to create a DNS record for each domain and subdomain.
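The same request can be made with the AWS CLI. The following script is an added example, not code from the Lightsail documentation: it checks the certificate name and the domain list against the limits stated above before calling `aws lightsail create-load-balancer-tls-certificate`, then prints the CNAME validation records that the next sections tell you to add. The load balancer name `my-lb`, the certificate name `my-lb-cert` and the `example.com` hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the Lightsail documentation: request the same
# certificate with the AWS CLI instead of the console, after checking the
# inputs against the rules stated above (name 2-255 chars, starts and ends
# alphanumeric, only letters/digits/./-/_; at most 10 names in total).
# The load balancer name, certificate name and domains are assumptions.

# Return 0 if NAME satisfies the Lightsail resource-name rules, else 1.
valid_cert_name() {
  name=$1
  [ "${#name}" -ge 2 ] && [ "${#name}" -le 255 ] || return 1
  case $name in
    *[!A-Za-z0-9._-]*) return 1 ;;      # a character outside the allowed set
  esac
  case $name in
    [A-Za-z0-9]*[A-Za-z0-9]) return 0 ;; # alphanumeric at both ends
    *) return 1 ;;
  esac
}

# Return 0 if PRIMARY plus the space-separated ALTS are at most 10 names and
# each looks like a hostname, else 1.
valid_domains() {
  primary_d=$1; alts_d=$2
  for d in $primary_d $alts_d; do
    case $d in
      *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
  done
  set -- $alts_d                        # $# is now the alternate-name count
  [ $(( $# + 1 )) -le 10 ]
}

# Request the certificate, then print the CNAME records Lightsail wants in
# your DNS zone (empty if automatic validation already succeeded).
request_cert() {
  lb=$1; cert=$2; primary=$3; alts=$4
  valid_cert_name "$cert" || { echo "invalid certificate name: $cert" >&2; return 1; }
  valid_domains "$primary" "$alts" || { echo "invalid domain list or more than 10 names" >&2; return 1; }
  aws lightsail create-load-balancer-tls-certificate \
    --load-balancer-name "$lb" \
    --certificate-name "$cert" \
    --certificate-domain-name "$primary" \
    ${alts:+--certificate-alternative-names $alts}
  aws lightsail get-load-balancer-tls-certificates --load-balancer-name "$lb" \
    --query "tlsCertificates[?name=='$cert'].domainValidationRecords[].[domainName,name,value]" \
    --output table
}

# Usage: sh request-cert.sh --request my-lb my-lb-cert www.example.com "example.com blog.example.com"
case ${1:-} in
  --request) shift; request_cert "$@" ;;
esac
```

The validation functions fail closed: a name with a space or a leading dash, or an eleventh domain, is rejected locally instead of producing an API error after the request has been partially assembled.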

## Next step
<a name="create-ssl-tls-certificate-next-steps"></a>
+  [Verify that you own your domain](verify-tls-ssl-certificate-using-dns-cname-https.md) 

**Topics**
+ [Prerequisites](#create-ssl-tls-certificate-prerequisites)
+ [Create the certificate request](#create-ssl-tls-certificate)
+ [Next step](#create-ssl-tls-certificate-next-steps)
+ [Add alternate domains](add-alternate-domain-names-to-tls-ssl-certificate-https.md)
+ [Verify SSL/TLS certificates](verify-tls-ssl-certificate-using-dns-cname-https.md)
+ [Attach certificate to load balancer](attach-validated-certificate-to-load-balancer.md)
+ [Remove SSL/TLS certificate](delete-tls-ssl-certificate-lightsail-load-balancer-https.md)

# Add alternate domains and subdomains to your Lightsail SSL/TLS certificate
<a name="add-alternate-domain-names-to-tls-ssl-certificate-https"></a>

When you create your SSL/TLS certificate for your Lightsail load balancer, you can add alternate domains and subdomains to it. These alternate names help ensure that all traffic to your load balancer is encrypted.

When you specify a primary domain, you can use a fully qualified domain name such as `www.example.com` or an apex domain name such as `example.com`.

The total number of domains and subdomains must not exceed 10, so you can add up to 9 alternate domains and subdomains to your certificate. You might want to add entries similar to the following list.
+ example.com
+ example.net
+ blog.example.com
+ myexamples.com

## To create a certificate with alternate domains and subdomains
<a name="create-certificate-with-alternate-domains-and-subdomains"></a>

1. If you don't have one yet, [Create a load balancer](create-lightsail-load-balancer-and-attach-lightsail-instances.md).

1. In the left navigation pane, choose **Networking**.

1. Choose your Lightsail load balancer.

1. Choose the **Custom domains** tab.

1. Choose **Create certificate**.

1. Enter a name for your certificate or accept the default name.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character (a letter or a digit).
   + Can include alphanumeric characters, periods, dashes, and underscores.

1. Enter your primary domain (`www.example.com`), and up to 9 alternate domains or subdomains.

1. Choose **Create certificate**.

   Once created, you have 72 hours to verify that you own your domain.

## Next steps
<a name="add-alternate-domain-names-next-steps"></a>
+  [Verify domain ownership using DNS](verify-tls-ssl-certificate-using-dns-cname-https.md) 

  Once verified, you can select your validated certificate to associate it with your Lightsail load balancer.
+  [Enable session persistence](update-settings-for-lightsail-load-balancer-health-check-path-https-session-stickiness-persistence-cookie-duration.md) 

# Verify SSL/TLS certificate domains with CNAME records in Lightsail
<a name="verify-tls-ssl-certificate-using-dns-cname-https"></a>

After you create an SSL/TLS certificate in Lightsail, you need to verify that you control all the domains and subdomains that you added to the certificate.

**Contents**
+ [Step 1: Create a Lightsail DNS zone for your domain](#verify-ssl-tls-create-dns-zone)
+ [Step 2: Add records to your domain's DNS zone](#verify-ssl-tls-create-dns-records)
+ [Next step](#verify-ssl-tls-next-step)

## Step 1: Create a Lightsail DNS zone for your domain
<a name="verify-ssl-tls-create-dns-zone"></a>

If you haven't done so already, create a Lightsail DNS zone for your domain. For more information, see [Create a DNS zone to manage your domain's DNS records](lightsail-how-to-create-dns-entry.md).

## Step 2: Add records to your domain's DNS zone
<a name="verify-ssl-tls-create-dns-records"></a>

The certificate that you created provides a set of canonical name (CNAME) records. You add these records to your domain's DNS zone to verify that you own or control that domain.

**Important**  
Lightsail attempts to verify automatically that you control the domains and subdomains you specified when you created the certificate. If the domain already has a Lightsail DNS zone, the validation CNAME records are added to that zone for you after you choose **Create certificate**, and the certificate's status changes from **Attempting to validate your certificate** to **Valid, in use** once validation succeeds.  
Proceed to the following steps only if automatic validation fails, for example because the domain's DNS is hosted outside Lightsail.

In the following steps, we will show you how to get the CNAME records and add them to your domain's DNS zone in the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **Certificates** tab.

1. Find the certificate that you want to verify, and make note of the **Name** and **Value** of the CNAME records that you must add for each domain.

   Press **Ctrl+C** if you're using Windows, or **Cmd+C** if you're using Mac, to copy them to your clipboard.  
![\[Certificate pending validation with domains and subdomains.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/example.certificate-validation-with-subdomains.png)

1. Open a text editor, such as Notepad if you're using Windows, or TextEdit if you're using Mac. In the text file, press **Ctrl+V** if you're using Windows, or **Cmd+V** if you're using Mac, to paste the values into the text file.

   Leave this text file open; you will need these CNAME values when adding the records to your domain's DNS zone later in this guide.  
![\[Text file with certificate CNAME records.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ssl-tls-cname-records-text-file.png)

1. Choose **Home** on the top navigation bar of the Lightsail console.

1. Choose **Domains & DNS** on the Lightsail home page.

1. Choose the DNS zone for the domain that will use the certificate.

1. Choose **Add record** in the **DNS records** tab.

1. Choose **CNAME** for the record type.

1. Toggle to the text file that contains the CNAME records for your certificate.

   Copy the **Name** of the CNAME record. For example, `_1bfb0b9ef15a50f9041e559d2c67b760`.

1. Toggle to the DNS records page and paste the **Name** into the **Record name** field.
**Important**  
The **Record name** field is relative to the DNS zone, and Lightsail appends the zone name for you. Pasting a name that already ends in the domain name (such as `_1bfb0b9ef15a50f9041e559d2c67b760.example.com`) therefore creates a record with the domain duplicated (`_1bfb0b9ef15a50f9041e559d2c67b760.example.com.example.com`), which will never validate. Enter only the part before the domain, in this case `_1bfb0b9ef15a50f9041e559d2c67b760`.

1. Copy the **Value** of the CNAME record. For example, `_c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws.`.

1. Toggle to the DNS records page and paste the **Value** into the **Route traffic to** field.

1. Choose **Save** to add the record.

1. If you have alternate subdomains, choose **Add record** to add another record.
**Note**  
 To learn more about alternate domains or subdomains, see [Add alternate domains and subdomains to your SSL/TLS certificate in Amazon Lightsail](add-alternate-domain-names-to-tls-ssl-certificate-https.md).

1. Repeat steps 11 through 17 to add the CNAME record(s) for the alternate domains and subdomains.

   You can also [add an alias (A) record to point to your load balancer](add-alias-record-for-lightsail-load-balancer.md), or other Lightsail resources while you're on the DNS zone management page.

   When finished, your DNS zone should look like the following screenshot.  
![\[CNAMES in Lightsail ready to be submitted for validation.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/dns-validation-cname-with-alternate-names.png)

   After some time, your domain is verified and you will see the following message on the certificate. Leave the validation CNAME records in your DNS zone after the certificate is issued; Lightsail uses them to renew the certificate automatically.  
![\[Successful validation of domain.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/example-com-verified-and-ready-to-use.png)
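Before waiting on Lightsail, you can confirm from your own machine that each validation CNAME is resolvable and points at the expected target. The following script is an added example and is not part of the Lightsail documentation. It also derives the relative record name to paste into the **Record name** field, which avoids the duplicated-domain problem described above. The record name and value are constructed placeholders shaped like the ones on the certificate page, and `1.1.1.1` as the resolver is an assumption; any public resolver works.

```shell
#!/bin/sh
# Added example, not from the Lightsail documentation: check that the
# validation CNAME records you added actually resolve, before waiting for
# Lightsail to notice them. Also shows the name you should paste into the
# "Record name" field so the zone name is not duplicated.
# The record name/value pair below is a constructed placeholder shaped like
# the console's; 1.1.1.1 as the resolver is an assumption (any public one works).

# Given the full validation record name and your zone, print the relative
# name for the Lightsail "Record name" field:
#   _1bfb...b760.example.com + example.com -> _1bfb...b760
# A name that does not end in the zone is printed unchanged.
record_name_for_zone() {
  full=${1%.}; zone=${2%.}
  case $full in
    *."$zone") printf '%s\n' "${full%."$zone"}" ;;
    *)         printf '%s\n' "$full" ;;
  esac
}

# Lower-case a CNAME target and make sure it ends with a dot, so the value
# copied from the console and dig's answer compare equal.
normalize_target() {
  t=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case $t in
    *.) printf '%s\n' "$t" ;;
    *)  printf '%s.\n' "$t" ;;
  esac
}

# Resolve NAME as a CNAME at a public resolver and compare with WANT.
check_validation_cname() {
  name=$1; want=$(normalize_target "$2")
  got=$(dig +short CNAME "$name" @1.1.1.1 | head -n 1)
  if [ -z "$got" ]; then
    echo "FAIL $name: no CNAME answer yet (check the record name, then wait for propagation)" >&2
    return 1
  fi
  got=$(normalize_target "$got")
  if [ "$got" = "$want" ]; then
    echo "OK   $name -> $got"
  else
    echo "FAIL $name: expected $want, got $got" >&2
    return 1
  fi
}

# Constructed sample, one "name value" pair per line, as copied from the
# certificate page; replace with your own records.
RECORDS='
_1bfb0b9ef15a50f9041e559d2c67b760.example.com _c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws.
'

check_all() {
  printf '%s\n' "$RECORDS" | {
    fails=0
    while read -r n v; do
      [ -n "$n" ] || continue
      check_validation_cname "$n" "$v" || fails=$((fails + 1))
    done
    [ "$fails" -eq 0 ]          # exit status of the whole pipeline
  }
}

# Usage: sh check-cnames.sh --check
case ${1:-} in
  --check) check_all ;;
esac
```

A `FAIL ... got _1bfb...example.com.example.com`-style answer, or no answer at all, is the symptom of the duplicated zone name; a target that differs only by case or a trailing dot is normalized away and counts as a match, because DNS compares names case-insensitively.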

## Next step
<a name="verify-ssl-tls-next-step"></a>

Once your domain is verified, you are ready to [Attach a validated SSL/TLS certificate to your load balancer](attach-validated-certificate-to-load-balancer.md).

# Attach a validated SSL/TLS certificate to your Lightsail load balancer
<a name="attach-validated-certificate-to-load-balancer"></a>

After you verify that you control your domain, the certificate's status will change to **Valid**.

![\[Successful validation of domain\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/example-com-verified-and-ready-to-use.png)


Your next step is to attach the certificate to your Lightsail load balancer.

1. From the Lightsail home page, choose **Networking**.

1. Choose your load balancer.

1. Choose the **Custom domains** tab.

1. In the **Certificates** section, choose **Attach certificate**.

1. Select a certificate from the dropdown list.

1. Choose **Attach**, to attach the certificate.
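After attaching, confirm that the load balancer really serves a certificate covering each hostname. The following script is an added example, not code from the Lightsail documentation: it attaches the certificate with the AWS CLI only if Lightsail reports it as `ISSUED`, then connects to the load balancer's own DNS name with Server Name Indication (SNI) set to each hostname and checks the served certificate's subject alternative names, so the check works before your A or alias records point at the load balancer. `my-lb`, `my-lb-cert` and the `example.com` hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not from the Lightsail documentation: attach the validated
# certificate with the AWS CLI, then confirm from outside that the load
# balancer really presents a certificate covering each hostname, using the
# load balancer's own DNS name plus SNI so it works before your A/alias
# records point at it. my-lb, my-lb-cert and the hostnames are assumptions.
set -f   # no pathname expansion: SAN entries may contain '*'

# Attach CERT to LB only if Lightsail reports it as ISSUED.
attach_cert() {
  lb=$1; cert=$2
  status=$(aws lightsail get-load-balancer-tls-certificates --load-balancer-name "$lb" \
    --query "tlsCertificates[?name=='$cert'].status | [0]" --output text)
  [ "$status" = "ISSUED" ] || { echo "$cert is $status, not ISSUED; finish DNS validation first" >&2; return 1; }
  aws lightsail attach-load-balancer-tls-certificate --load-balancer-name "$lb" --certificate-name "$cert"
}

# Print the subjectAltName extension of the certificate served for HOST when
# connecting to ENDPOINT (the load balancer's dnsName) with SNI.
served_san() {
  host=$1; endpoint=$2
  openssl s_client -connect "$endpoint:443" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -ext subjectAltName
}

# Extract the DNS names from subjectAltName text, one per line. Input like:
#   X509v3 Subject Alternative Name:
#       DNS:www.example.com, DNS:example.com
san_dns_names() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 if HOST matches one of the newline/space-separated SANS exactly or
# via a single-label wildcard (*.example.com covers blog.example.com but not
# a.b.example.com or example.com), else 1. Comparison is case-insensitive.
host_covered() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  for san in $(printf '%s' "$2" | tr 'A-Z' 'a-z'); do
    case $san in
      "$host") return 0 ;;
      \*.*)
        parent=${san#\*.}
        if [ "${host#*.}" = "$parent" ] && [ "${host%%.*}" != "$host" ]; then
          return 0
        fi ;;
    esac
  done
  return 1
}

# For each hostname, fetch the served certificate and check its SANs.
verify_hosts() {
  endpoint=$1; shift
  fails=0
  for h in "$@"; do
    names=$(san_dns_names "$(served_san "$h" "$endpoint")")
    if host_covered "$h" "$names"; then
      echo "OK   $h is covered by the served certificate"
    else
      echo "FAIL $h not covered; served SANs: $(printf '%s' "$names" | tr '\n' ' ')" >&2
      fails=$((fails + 1))
    fi
  done
  [ "$fails" -eq 0 ]
}

# Usage: sh attach-verify.sh --run my-lb my-lb-cert www.example.com example.com
case ${1:-} in
  --run)
    shift; lb=$1; cert=$2; shift 2
    attach_cert "$lb" "$cert"
    endpoint=$(aws lightsail get-load-balancer --load-balancer-name "$lb" \
      --query 'loadBalancer.dnsName' --output text)
    verify_hosts "$endpoint" "$@" ;;
esac
```

A hostname reported as `FAIL` here is one that browsers will reject with a certificate-name mismatch even though the certificate is attached; the fix is to add it as an alternate name on a new certificate, since names cannot be added to an existing one.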

# Remove SSL/TLS certificates from a Lightsail load balancer
<a name="delete-tls-ssl-certificate-lightsail-load-balancer-https"></a>

You can delete an SSL/TLS certificate that you're no longer using. For example, your certificate might be expired and you've already attached an updated certificate that's validated. If you want to duplicate your certificate before deleting it, you can choose **Duplicate** from the same shortcut menu in step 4, below.

**Important**  
If the certificate you're deleting is valid and in use, your load balancer will no longer be able to handle encrypted (HTTPS) traffic. Your Lightsail load balancer will still support unencrypted (HTTP) traffic.  
Deleting an SSL/TLS certificate is final and can't be undone. You have a quota of certificates you can create over a 365-day period. For more information, see [Quotas](http://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html) in the AWS Certificate Manager User Guide.

1. In the left navigation pane, choose **Networking**.

1. Choose the load balancer where your SSL/TLS certificate is attached.

1. Choose the **Custom domains** tab on your load balancer's management page.

1. In the **Certificates** section of the page, choose the ellipsis icon (⋮) for the certificate that you want to delete, and choose **Delete**.

   The **Delete** option is unavailable if the certificate you want to delete is in use. To delete certificates that are in use, you need to first change the certificate of the load balancer that is using the certificate, or disable HTTPS on the load balancer that is using the certificate.