

# SSL/TLS certificates in Lightsail

Amazon Lightsail uses SSL/TLS certificates to validate custom (registered) domains that you can use with Lightsail load balancers, content delivery network (CDN) distributions, and container services. After a validated certificate is attached to one of those Lightsail resources, the traffic that is routed to that resource through the domain is encrypted using Hypertext Transfer Protocol Secure (HTTPS).

You can create Transport Layer Security (TLS) certificates in Amazon Lightsail to enable encrypted web traffic for custom (registered) domains that you want to use with your Lightsail load balancers, content delivery network distributions, and container services. TLS is the updated, more secure successor to Secure Sockets Layer (SSL). Throughout the Lightsail documentation and console, you will see us refer to it as **SSL/TLS**.

**Important**  
The Lightsail certificates that you can attach to load balancers, CDN distributions, and container services are issued by the AWS Certificate Manager (ACM) service. Starting October 11, 2022, any public certificate obtained through Lightsail for your load balancers, CDN distributions, and container services will be issued from one of the multiple intermediate certificate authorities (ICAs) or subordinate CAs that ACM manages. For more information, see [Amazon introduces dynamic intermediate certificate authorities](https://aws.amazon.com/blogs/security/amazon-introduces-dynamic-intermediate-certificate-authorities/) in the *AWS Security Blog*.

## Why use HTTPS?


First and foremost is security. HTTPS adds a layer of protection because it carries HTTP over TLS. The traffic is confidential between the web server and the client's browser, because they are the only two parties that can decrypt it, and it is integrity-protected, so the data a client exchanges with the server can't be modified in transit by another party. The certificate also lets the browser verify that it is talking to a server that controls the domain, rather than to an impostor.

Aside from the security benefits mentioned above, there are other reasons to use HTTPS instead of plain HTTP. For example, in 2014 Google began ranking secure websites higher in search results. In other words, a site that uses HTTPS ranks closer to the top of search results compared to a site that only uses HTTP (all other things being equal).

 [Learn more about HTTPS as a ranking signal](https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html) 

## Process overview


The process to use a Lightsail certificate is simple. It involves the following steps:

1. Create your Lightsail resource that can use a Lightsail certificate, such as a load balancer, CDN distribution, or container service.

1. Create a certificate for your domain using Lightsail.

1. Validate the certificate by adding a canonical name (CNAME) record to the DNS of your domain.

1. Attach the validated certificate to your Lightsail resource.

1. Modify the DNS of your domain to route traffic to your Lightsail resource.

![\[HTTPS process overview\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/create-certificate-process-summary.png)


After the certificate is attached to the resource, the traffic that is routed to that resource through the domain is encrypted using HTTPS.

## Use SSL/TLS certificates with your distribution or container service


HTTPS is required on Lightsail distributions and container services. When you create either of those resources, HTTPS is enabled by default for the resource's default domain (e.g., `https://123456abcdef.cloudfront.net/` for a distribution or `https://container-service-1.123456abcdef.us-west-2.cs.amazonlightsail.com/` for a container service). If you want to use your registered domain name (e.g., `example.com`) with your distribution or container service, you must create a Lightsail SSL/TLS certificate, validate it with your domain name, and enable custom domains on your resource. Enabling custom domains on your distribution or container service also attaches your domain's validated certificate to your resource.

You can get started with enabling custom domains and HTTPS on your distribution by following these links.
+ [Create SSL/TLS certificates for your distribution](amazon-lightsail-create-a-distribution-certificate.md)
+ [Validate SSL/TLS certificates for your distribution](amazon-lightsail-validating-a-distribution-certificate.md)
+ [View SSL/TLS certificates for your distribution](amazon-lightsail-viewing-distribution-certificates.md)
+ [Enable custom domains for your distribution](amazon-lightsail-enabling-distribution-custom-domains.md)
+ [Point your domain to a distribution](amazon-lightsail-point-domain-to-distribution.md)

For more information about distributions, see [Content delivery network distributions](amazon-lightsail-content-delivery-network-distributions.md).

You can get started with enabling custom domains and HTTPS on your container service by following these links.
+ [Create container service SSL/TLS certificates](amazon-lightsail-creating-container-services-certificates.md)
+ [Validate container service SSL/TLS certificates](amazon-lightsail-validating-container-services-certificates.md)
+ [Enable and manage custom domains](amazon-lightsail-enabling-container-services-custom-domains.md)

For more information about container services, see [Container services](amazon-lightsail-container-services.md).

## Use SSL/TLS certificates with your load balancer


When you create a Lightsail load balancer, port 80 is open by default to handle regular HTTP traffic. To enable HTTPS traffic over port 443, you must create an SSL/TLS certificate, validate it with your domain name, and attach it to your load balancer.

You can create up to two SSL/TLS certificates per load balancer. Only one certificate can be in use at a time per load balancer. If you delete a valid, in-use certificate from your load balancer, your load balancer is no longer able to handle HTTPS traffic for the specified domain until you attach another valid certificate.

You can get started with enabling HTTPS on your load balancer by following these links.
+  [Create a load balancer and attach instances to it](create-lightsail-load-balancer-and-attach-lightsail-instances.md) 
+  [Create an SSL/TLS certificate](create-tls-ssl-certificate-and-attach-to-lightsail-load-balancer-https.md) 
+  [Verify domain ownership](verify-tls-ssl-certificate-using-dns-cname-https.md) 
+  [Attach your validated certificate to enable HTTPS](attach-validated-certificate-to-load-balancer.md) 

For more information about load balancers, see [Load balancers](understanding-lightsail-load-balancers.md).

# Create SSL/TLS certificates for secure Lightsail container service domains

You can create Amazon Lightsail TLS/SSL certificates for your Lightsail container service. When you create a certificate, you specify the primary and alternate domain names for the certificate. When you enable custom domains for your container service, and choose the certificate, you can choose up to four domains from the certificate that will be added as the custom domains of your container service. After you update the DNS record of your domains to direct traffic to your container service, your service accepts the traffic and serves your content using HTTPS. There is a quota for the number of certificates that you can create. For more information, see [Lightsail service quotas](https://docs.aws.amazon.com/general/latest/gr/lightsail.html).

For more information about SSL/TLS certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

## Prerequisites


Before you get started, you need to create a Lightsail container service. For more information, see [Create a container service](amazon-lightsail-creating-container-services.md) and [Container services](amazon-lightsail-container-services.md).

## Create an SSL/TLS certificate for your container service


Complete the following procedure to create an SSL/TLS certificate for your container service.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to create a certificate.

1. Choose the **Custom domains** tab on your container service management page.

1. Scroll down to the **Attached certificates** section of the page.

   All of your certificates are listed under the **Attached certificates** section of the page, including certificates created for other Lightsail resources, and certificates that are in use and not in use.

1. Choose **Create certificate**.

1. Enter a unique name in the **Certificate name** text box to identify your certificate. Then, choose **Continue**.

1. Enter the primary domain name (e.g., `example.com`) that you want to use with the certificate into the **Specify up to 10 domains or subdomains** field.

1. (Optional) Enter another domain name (e.g., `www.example.com`) into the **Specify up to 10 domains or subdomains** field.

   You can add up to nine alternate domains to your certificate. You can use up to four of your certificate's domains with your container service after you enable custom domains and select the certificate for your service.

1. Choose **Create certificate**.

   Your certificate request is submitted, and the status of your new certificate is changed to **Attempting to validate your certificate**. During this time, Lightsail attempts to add the certificate's validation record to the DNS of the primary domain. After a while, the status will change to **Valid**.

   If automatic validation fails you will be required to validate the certificate with your domains before you can use it with your container service. For more information, see [Validate container service SSL/TLS certificates](amazon-lightsail-validating-container-services-certificates.md).

**Topics**
+ [Prerequisites](#creating-container-service-certificate-prerequisites)
+ [Create an SSL/TLS certificate for your container service](#creating-container-service-certificate)
+ [Validate certificates](amazon-lightsail-validating-container-services-certificates.md)
+ [View certificates](amazon-lightsail-viewing-container-services-certificates.md)

# Validate SSL/TLS certificates for Lightsail container services

An Amazon Lightsail SSL/TLS certificate must be validated after it's created, and before you can use it with your Lightsail container service. After your certificate request is submitted, the status of your new certificate is changed to **Attempting to validate your certificate**. During this time, Lightsail attempts to add the certificate's validation record to the DNS of the domain names that you specified for the certificate. After a while, the status will change to **Valid**, or **Validation timed out**.

If automatic validation fails you must verify that you control all the domain names that you specified for the certificate when you created it. You do this by adding canonical name (CNAME) records to the DNS zone of each of the domains specified on the certificate. The records that you need to add are listed in the **Validation details** section of the certificate.

In this guide, we provide you with the procedure to manually validate your certificate using a Lightsail DNS zone. The procedure to validate your certificate using a different DNS hosting provider, like Domain.com or GoDaddy, might be similar. For more information about Lightsail DNS zones, see [DNS](understanding-dns-in-amazon-lightsail.md).

For more information about SSL/TLS certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

## Prerequisite


Before you get started, you need to create an SSL/TLS certificate for your container service. For more information, see [Create SSL/TLS certificates for your container services](amazon-lightsail-creating-container-services-certificates.md).

## Get the CNAME record values to validate your certificate


Complete the following procedure to get the CNAME records that you must add to your domains to validate the certificate.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to validate a certificate.

1. Choose the **Custom domains** tab on your container service management page.

1. Scroll down to the **Attached certificates** section of the page.

   All of your certificates are listed under the **Attached certificates** section of the page, including certificates created for other Lightsail resources, and certificates that are pending validation.

1. Find the certificate that you want to validate, expand **Validation details**, and make note of the **Name** and **Value** of the CNAME records that you must add for each domain listed.

   You must add these records exactly as listed. We recommend that you copy and paste these values into a text file that you can refer to later. For more information, see the following [Add the CNAME records to your domain's DNS zone](#add-container-service-certificate-cname) section of this guide.

## Add the CNAME records to your domain's DNS zone


Complete the following procedure to add CNAME records to your domain's DNS zone.

1. In the left navigation pane, choose **Domains & DNS**.

1. Under the **DNS zones** section of the page, choose the domain name to which you want to add the CNAME records to validate your certificate.

1. Choose the **DNS records** tab.

1. Choose **Add record** in the DNS records management page.

1. Choose **CNAME** in the **Record type** drop-down.

1. In the **Record name** text box, enter the **Name** value of the CNAME record that you got from your certificate.

   The Lightsail console pre-populates the apex portion of your domain. For example, if you want to add the `www.example.com` subdomain, then you only have to enter `www` into the text box, and Lightsail adds the `.example.com` portion for you when you save the record.

1. In the **Route traffic to** text box, enter the **Value** portion of the CNAME record that you got from your certificate.

1. Confirm that the values you entered are exactly as they were listed on the certificate that you want to validate.

1. Choose the save icon to save the record to your DNS zone.

   Repeat these steps to add additional CNAME records for domains on your certificate that need to be validated. Allow time for changes to propagate through the internet's DNS. After a few minutes, check whether the status of your certificate has changed to **Valid**. For more information, see the following [View the status of your certificate](#view-container-service-certificate-status) section of this guide.

## View the status of your certificate


Complete the following procedure to view the status of your SSL/TLS certificate.

1. In the left navigation pane, choose **Containers**.

1. Choose the name of the container service for which you want to view a certificate's status.

1. Choose the **Custom domains** tab on your container service management page.

1. Scroll down to the **Attached certificates** section of the page.

   All of your certificates are listed under the **Attached certificates** section of the page, including certificates with **Pending** validation and **Valid** statuses.
**Note**  
If you left the **Custom domains** page open while validating your certificates, you might have to refresh to see the updated status of your certificates.

   A **Valid** status confirms that you successfully validated your certificate with the CNAME records that you added to your domains. Choose **Details** to view your certificate's important dates, encryption details, identification, and validation records. Your certificates are valid for 13 months from the date on which you validated them, after which time Lightsail attempts to automatically re-validate them. Don't delete the CNAME records that you added to your domain because they are required when your certificate is re-validated on the **Valid until** date listed.

   After you validate your SSL/TLS certificate, you should enable custom domains for your container service to use the domain names of your certificate on your service. For more information, see [Enable and manage custom domains for your container services](amazon-lightsail-enabling-container-services-custom-domains.md).

# View SSL/TLS certificates for Lightsail container services

You can view the Amazon Lightsail SSL/TLS certificates that you created for your Lightsail container service. You do this by accessing the management page of any container service in the Lightsail console.

For more information about SSL/TLS certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

## Prerequisites


Before you get started, you need to create a Lightsail container service. For more information, see [Creating Amazon Lightsail container services](amazon-lightsail-creating-container-services.md) and [Container services](amazon-lightsail-container-services.md).

You also should have created an SSL/TLS certificate for your container service. For more information, see [Create container service SSL/TLS certificates](amazon-lightsail-creating-container-services-certificates.md).

## View your container service SSL/TLS certificates


Complete the following procedure to view your container service SSL/TLS certificates.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Containers**.

1. Choose the name of a container service.

   You can view all of your certificates regardless of the container service you choose.

1. Choose the **Custom domains** tab on your container service management page.

1. Scroll down to the **Attached certificates** section of the page.

   All of your certificates are listed under the **Attached certificates** section of the page. Choose **Details** to view your certificate's important dates, encryption details, identification, and domains. Choose **Validation details** to view your certificate's validation records. Your certificates are valid for 13 months from the date you created them, after which time Lightsail attempts to automatically revalidate them. Don't delete the CNAME records that you added to your domain because they are required when your certificate is re-validated on the **Valid until** date listed.

   After you have a valid SSL/TLS certificate to use with your container service, you should enable custom domains so that you can use the domain names of the certificate on your service. For more information, see [Enable and manage custom domains](amazon-lightsail-enabling-container-services-custom-domains.md).

# Secure Lightsail CDN distributions with SSL/TLS certificates

You can create Amazon Lightsail TLS/SSL certificates for your Lightsail distributions. When you create a certificate, you specify the primary and alternate domain names for the certificate. When you enable custom domains for your distribution, and choose the certificate, those domains are added as the custom domains of your distribution. After you update the DNS record of your domains to point to your distribution, your distribution accepts the traffic and serves your content using HTTPS. There is a quota for the number of certificates that you can create. For more information, see [Lightsail service quotas](https://docs.aws.amazon.com/general/latest/gr/lightsail.html#limits_lightsail).

For more information about SSL/TLS certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

**Important**  
The domain names you specify when creating an SSL/TLS certificate for your distribution cannot be in use by another distribution across all Amazon Web Services (AWS) accounts, including distributions on the Amazon CloudFront service. You will be able to create the certificate for the domains, but you will not be able to use the certificate with your distribution.

## Prerequisite


Before you get started, you need to create a Lightsail distribution. For more information, see [Create a distribution](amazon-lightsail-creating-content-delivery-network-distribution.md) and [Content delivery network distributions](amazon-lightsail-content-delivery-network-distributions.md).

## Create an SSL/TLS certificate for your distribution


Complete the following procedure to create an SSL/TLS certificate for your distribution.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Networking**.

1. Choose the name of the distribution for which you want to create a certificate.

1. Choose the **Custom domains** tab on your distribution's management page.

1. Scroll down to the **Attached certificates** section of the page.

   All of your distribution certificates are listed under the **Attached certificates** section of the page, including certificates created for other distributions, and certificates that are in use and not in use.

1. Choose **Create certificate**.

1. Enter a unique name in the **Certificate name** text box to identify your certificate. Then, choose **Continue**.

1. Enter the primary domain name (e.g., `example.com`) that you want to use with the certificate into the **Specify up to 10 domains or subdomains** field.

1. (Optional) Enter alternate domain names (e.g., `www.example.com`) into the remaining **Specify up to 10 domains or subdomains** fields.

   You can add up to nine alternate domains to your certificate. You will be able to use all of your certificate's domains with your distribution after you enable custom domains and select the certificate for your distribution.

1. Choose **Create**.

   Your certificate request is submitted, and the status of your new certificate is changed to **Attempting to validate your certificate**. During this time, Lightsail attempts to add the certificate's validation record to the DNS of the primary domain. After a while, the status will change to **Valid**.

   If automatic validation fails, you will be required to validate the certificate with your domains before you can use it with your distribution. For more information, see [Validate SSL/TLS certificates for your distribution](amazon-lightsail-validating-a-distribution-certificate.md).

**Topics**
+ [Prerequisite](#create-distribution-prerequisite)
+ [Create an SSL/TLS certificate for your distribution](#create-distribution-certificate)
+ [View SSL/TLS certificates](amazon-lightsail-viewing-distribution-certificates.md)
+ [Validate SSL/TLS certificates](amazon-lightsail-validating-a-distribution-certificate.md)
+ [Configure TLS protocol](amazon-lightsail-configure-distribution-tls-version.md)
+ [Delete distribution certificates](amazon-lightsail-deleting-distribution-certificates.md)

# View SSL/TLS certificates for Lightsail distributions

You can view the Amazon Lightsail SSL/TLS certificates that you created for your Lightsail distributions. You do this by accessing the management page of any distribution in the Lightsail console.

For more information about SSL/TLS certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

## Prerequisites


Before you get started, you need to create a Lightsail distribution. For more information, see [Create a distribution](amazon-lightsail-creating-content-delivery-network-distribution.md) and [Content delivery network distributions](amazon-lightsail-content-delivery-network-distributions.md).

You also should have created an SSL/TLS certificate for your distribution. For more information, see [Create SSL/TLS certificates for your distribution](amazon-lightsail-create-a-distribution-certificate.md).

## View your distribution SSL/TLS certificates


Complete the following procedure to view your distribution SSL/TLS certificates.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Networking**.

1. Choose the name of a distribution.

   You can view all of your certificates regardless of the distribution you choose.

1. Choose the **Custom domains** tab on your distribution's management page.

1. Scroll down to the **Attached certificates** section of the page.

   All of your distribution certificates are listed under the **Attached certificates** section of the page. Expand **Validation details** to view your certificate's important dates, encryption details, identification, and validation records. Your certificates are valid for 13 months from the date you created them, after which time Lightsail attempts to automatically revalidate them. Don't delete the CNAME records that you added to your domain because they are required when your certificate is re-validated on the **Valid until** date listed.

   After you have a valid SSL/TLS certificate to use with your distribution, you should enable custom domains so that you can use the domain names of the certificate on your distribution. For more information, see [Enable custom domains for your distribution](amazon-lightsail-enabling-distribution-custom-domains.md).

# Validate SSL/TLS certificates for Lightsail distributions

An Amazon Lightsail SSL/TLS certificate must be validated after it's created, and before you can use it with your Lightsail distribution. After your certificate request is submitted, the status of your new certificate is changed to **Attempting to validate your certificate**. During this time, Lightsail attempts to add the certificate's validation record to the DNS of the domain names that you specified for the certificate. After a while, the status will change to **Valid**, or **Validation timed out**.

If automatic validation fails you must verify that you control all the domain names that you specified for the certificate when you created it. You do this by adding canonical name (CNAME) records to the DNS zone of each of the domains specified on the certificate. The records that you need to add are listed in the **Validation details** section of the certificate.

In this guide, we provide you with the procedure to manually validate your certificate using a Lightsail DNS zone. The procedure to validate your certificate using a different DNS hosting provider, like Domain.com or GoDaddy, may be similar. For more information about Lightsail DNS zones, see [DNS](understanding-dns-in-amazon-lightsail.md).

For more information about SSL/TLS certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

**Contents**
+ [Prerequisite](#validate-distribution-certificate-prerequisite)
+ [Get the CNAME record values to validate your certificate](#get-distribution-certificate-cname-records)
+ [Add the CNAME records to your domain's DNS zone](#add-distribution-certificate-cname-records)
+ [View the status of your distribution certificate](#viewing-distribution-certificate-status)

## Prerequisite


Before you get started, you need to create an SSL/TLS certificate for your distribution. For more information, see [Create SSL/TLS certificates for your distribution](amazon-lightsail-create-a-distribution-certificate.md).

## Get the CNAME record values to validate your certificate


Complete the following procedure to get the CNAME records that you must add to your domains to validate the certificate.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Networking**.

1. Choose the name of the distribution for which you want to get the CNAME record values of a certificate.  
![\[Networking section of the Lightsail home page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-home-page-networking.png)

1. Choose the **Custom domains** tab on your distribution's management page.  
![\[Custom domains tab of a Lightsail distribution.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-distribution-custom-domains-tab.png)

1. Scroll down to the **Attached certificates** section of the page.

   All of your distribution certificates are listed under the **Attached certificates** section of the page, including certificates created for other Lightsail resources, and certificates that are pending validation.

1. Find the certificate that you want to validate, expand **Validation details**, and make note of the **Name** and **Value** of the CNAME records that you must add for each domain listed.

   You must add these records exactly as listed. We recommend that you copy and paste these values into a text file that you can refer to later. For more information, see the following [Add the CNAME records to your domain's DNS zone](#add-distribution-certificate-cname-records) section of this guide.

## Add the CNAME records to your domain's DNS zone


Complete the following procedure to add CNAME records to your domain's DNS zone.

1. In the left navigation pane, choose **Domains & DNS**.

1. Under the **DNS zones** section of the page, choose the domain name to which you want to add the CNAME records to validate your certificate.

1. Choose the **DNS records** tab.

1. Choose **Add record** in the DNS records management page.

1. Choose **CNAME** in the **Record type** drop-down.

1. In the **Record name** text box, enter the **Name** value of the CNAME record that you got from your certificate.

   The Lightsail console pre-populates the apex portion of your domain. For example, if you want to add the `www.example.com` subdomain, then you only have to enter `www` into the text box, and Lightsail adds the `.example.com` portion for you when you save the record.

1. In the **Route traffic to** text box, enter the **Value** portion of the CNAME record that you got from your certificate.

1. Confirm that the values you entered are exactly as they were listed on the certificate that you want to validate.

1. Choose the save icon to save the record to your DNS zone.

   Repeat these steps to add additional CNAME records for domains on your certificate that need to be validated. Allow time for changes to propagate through the internet's DNS. After a few minutes, check whether the status of your distribution certificate has changed to **Valid**. For more information, see the following [View the status of your distribution certificate](#viewing-distribution-certificate-status) section of this guide.
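The two **Add the CNAME records to your domain's DNS zone** procedures above (container service and distribution) both hinge on one detail: the Lightsail **Record name** box pre-fills the zone apex, so the **Name** shown in the validation details has to be trimmed to its zone-relative part before it is pasted, or the record silently becomes `_abc123.example.com.example.com` and validation times out. The following added example (not Lightsail's own code) does that trimming for every pending record in the JSON that `aws lightsail get-certificates --include-certificate-details` returns, reports records that do not belong to any zone you host so they are not mis-entered, separates out the records that must be kept for renewal, and prints the equivalent `create-domain-entry` calls. The JSON field names and the sample response are modelled on that command's output but are an assumption; the record names and values are constructed placeholders, not real validation tokens.

```python
"""Turn Lightsail certificate validation records into console-ready DNS entries.

Added example, not Lightsail code. Field names below are an assumption modelled
on `aws lightsail get-certificates --include-certificate-details`; the sample
is constructed and its CNAME names/values are placeholders, not real tokens.
"""
import json

SAMPLE_GET_CERTIFICATES = json.dumps({  # constructed sample response
    "certificates": [{
        "certificateName": "example-cert",
        "domainName": "example.com",
        "certificateDetail": {
            "status": "PENDING_VALIDATION",
            "domainValidationRecords": [
                {"domainName": "example.com", "validationStatus": "PENDING_VALIDATION",
                 "resourceRecord": {"name": "_abc123.example.com.", "type": "CNAME",
                                    "value": "_def456.acm-validations.aws."}},
                {"domainName": "www.example.com", "validationStatus": "SUCCESS",
                 "resourceRecord": {"name": "_ghi789.www.example.com.", "type": "CNAME",
                                    "value": "_jkl012.acm-validations.aws."}},
                {"domainName": "app.example.net", "validationStatus": "PENDING_VALIDATION",
                 "resourceRecord": {"name": "_mno345.app.example.net.", "type": "CNAME",
                                    "value": "_pqr678.acm-validations.aws."}},
            ],
        },
    }]
})


def _norm(name):
    """Lower-case a DNS name and drop the trailing dot of an absolute name."""
    return name.rstrip(".").lower()


def zone_for(fqdn, zones):
    """Return the longest zone in `zones` that contains `fqdn`, or None."""
    fqdn, best = _norm(fqdn), None
    for zone in map(_norm, zones):
        if (fqdn == zone or fqdn.endswith("." + zone)) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def relative_name(fqdn, zone):
    """Name to type into a console that appends the zone apex itself.

    Lightsail's "Record name" box already supplies ".example.com", so the full
    validation name must be cut down first. Raises if the record is not inside
    the zone at all, rather than producing a wrong record.
    """
    fqdn, zone = _norm(fqdn), _norm(zone)
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -(len(zone) + 1)]


def plan_validation_records(get_certificates_json, zones):
    """Split validation records into those to add and those to keep.

    Records already in SUCCESS state go under "keep": the same CNAME is reused
    when the certificate is re-validated, so deleting it breaks renewal.
    Records outside every zone in `zones` are returned with zone=None.
    """
    plan = {"add": [], "keep": []}
    for cert in json.loads(get_certificates_json)["certificates"]:
        for rec in cert["certificateDetail"].get("domainValidationRecords", []):
            rr = rec["resourceRecord"]
            if rr.get("type") != "CNAME":
                raise ValueError(f"unexpected validation record type {rr.get('type')!r}")
            zone = zone_for(rr["name"], zones)
            entry = {"certificate": cert["certificateName"], "domain": rec["domainName"],
                     "fqdn": _norm(rr["name"]), "target": _norm(rr["value"]), "zone": zone,
                     "record_name": relative_name(rr["name"], zone) if zone else None}
            plan["keep" if rec.get("validationStatus") == "SUCCESS" else "add"].append(entry)
    return plan


def cli_commands(plan):
    """Equivalent CLI calls for hosted zones (create-domain-entry shape assumed)."""
    return [f"aws lightsail create-domain-entry --domain-name {e['zone']} "
            f"--domain-entry name={e['fqdn']},target={e['target']},type=CNAME"
            for e in plan["add"] if e["zone"]]


if __name__ == "__main__":
    plan = plan_validation_records(SAMPLE_GET_CERTIFICATES, ["example.com"])
    for e in plan["add"]:
        where = f"zone {e['zone']}, name {e['record_name']}" if e["zone"] else "NOT in a hosted zone"
        print(f"ADD  {e['domain']:<18} {where} -> {e['target']}")
    for e in plan["keep"]:
        print(f"KEEP {e['domain']:<18} {e['fqdn']} (needed for re-validation)")
    print("\n".join(cli_commands(plan)))
```

Run as-is to see the plan for the constructed sample; with real output, pass the command's JSON and the list of zones you manage to `plan_validation_records`. A domain that lands in the `zone=None` bucket has to be validated at whichever DNS provider hosts that zone, and nothing in the `keep` bucket should ever be removed while the certificate is in use.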

## View the status of your distribution certificate


Complete the following procedure to view the status of your SSL/TLS certificate for your distribution.

1. In the left navigation pane, choose **Networking**.

1. Choose the name of the distribution for which you want to view a certificate's status.  
![\[Networking section of the Lightsail home page.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-home-page-networking.png)

1. Choose the **Custom domains** tab on your distribution's management page.  
![\[Custom domains tab of a Lightsail distribution.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-distribution-custom-domains-tab.png)

1. Scroll down to the **Attached certificates** section of the page.

   All of your distribution certificates are listed under the **Attached certificates** section of the page, including certificates with **Pending validation** and **Valid** statuses.  
![\[Validated SSL/TLS certificate\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/lightsail-validated-certificate.png)

   A **Valid** status confirms that you successfully validated your certificate with the CNAME records that you added to your domains. Choose **Details** to view your certificate's important dates, encryption details, identification, and validation records. Your certificates are valid for 13 months from the date on which you validated them, after which time Lightsail attempts to automatically re-validate them. Don't delete the CNAME records that you added to your domain because they are required when your certificate is re-validated on the **Valid until** date listed.

   After you validate your SSL/TLS certificate, you should enable custom domains for your distribution to use the domain names of your certificate on your distribution. For more information, see [Enable custom domains for your distribution](amazon-lightsail-enabling-distribution-custom-domains.md).

# Secure your Lightsail distribution with minimum TLS protocol version
Configure TLS protocol

Amazon Lightsail uses SSL/TLS certificates to validate custom (registered) domains that you can use with your Lightsail distribution. This guide provides information about the viewer minimum TLS protocol versions (protocol versions) that you can configure for your SSL/TLS certificate. For more information about SSL/TLS certificates, see [SSL/TLS certificates in Lightsail](understanding-tls-ssl-certificates-in-lightsail-https.md). A viewer is an application that makes HTTP requests to the edge locations that are associated with your Lightsail distribution. For more information about distributions, see [Content delivery network distributions in Lightsail](amazon-lightsail-content-delivery-network-distributions.md).

The `TLSv1.2_2021` protocol version is configured by default when you enable custom domains for a distribution. You can configure a different protocol version, as described later in this guide. Lightsail distributions do not support custom TLS protocol versions.

## Supported protocols


Lightsail distributions can be configured with the following TLS protocols:
+ (Recommended) `TLSv1.2_2021`
+ `TLSv1.2_2019`
+ `TLSv1.2_2018`
+ `TLSv1.1_2016`

## Prerequisites


Complete the following prerequisites if you haven't already:
+ [Create a Lightsail content delivery network distribution](amazon-lightsail-creating-content-delivery-network-distribution.md)
+ [Create SSL/TLS certificates for your distribution](amazon-lightsail-create-a-distribution-certificate.md)
+ [Validate SSL/TLS certificates for your distribution](amazon-lightsail-validating-a-distribution-certificate.md)
+ [Enable custom domains for your distribution](amazon-lightsail-point-domain-to-distribution.md)
+ [Point your domain to the distribution](amazon-lightsail-point-domain-to-distribution.md)

## Identify the minimum TLS protocol version for your distribution


Complete the following steps to identify the minimum TLS protocol version for your Lightsail distribution.

**Note**  
In this guide, you will use AWS CloudShell to perform the upgrade. CloudShell is a browser-based, pre-authenticated shell that you can launch directly from the Lightsail console. With CloudShell, you can run AWS CLI commands using your preferred shell, such as Bash, PowerShell, or Z shell. You can do this without downloading or installing command line tools. For more information about how to set up and use CloudShell, see [AWS CloudShell in Lightsail](amazon-lightsail-cloudshell.md).

1. Open a Terminal, [AWS CloudShell](amazon-lightsail-cloudshell.md), or Command Prompt window.

1. Enter the following command to identify the minimum TLS protocol version for your Lightsail distribution.

   ```
   aws lightsail get-distributions --distribution-name DistributionName --region us-east-1 | grep "viewerMinimumTlsProtocolVersion"
   ```

   In the command, replace *DistributionName* with the name of the distribution you want to modify.

   **Example**

   ```
   aws lightsail get-distributions --distribution-name Distribution-1 --region us-east-1 | grep "viewerMinimumTlsProtocolVersion"
   ```

   The command will return the ID of the minimum TLS protocol version for your distribution.

   **Example**

   ```
   "viewerMinimumTlsProtocolVersion": "TLSv1.2_2021"
   ```

## Configure the minimum TLS protocol version using the AWS CLI


Complete the following procedure to configure the TLS protocol version using the AWS Command Line Interface (AWS CLI). You do this by using the `update-distribution` command. For more information, see the [update-distribution attribute](https://docs.aws.amazon.com/cli/latest/reference/lightsail/update-distribution.html) in the *AWS CLI Command Reference*.

1. Open a Terminal, [AWS CloudShell](amazon-lightsail-cloudshell.md), or Command Prompt window.

1. Enter the following command to change the minimum TLS protocol version for your distribution.

   ```
   aws lightsail update-distribution --distribution-name DistributionName --viewer-minimum-tls-protocol-version ProtocolVersion
   ```

   In the command, replace the following example text with your own:
   + *DistributionName* with the name of the distribution that you want to update.
   + *ProtocolVersion* with the valid TLS protocol version. For example `TLSv1.2_2021` or `TLSv1.2_2019`.

   Example:

   ```
   aws lightsail update-distribution --distribution-name MyDistribution --viewer-minimum-tls-protocol-version TLSv1.2_2021
   ```

   Your change takes a few moments to become effective.
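The identify and configure steps above can be combined into a small compliance check. The following added example (not AWS documentation code) parses the JSON that `aws lightsail get-distributions` prints, ranks each distribution's `viewerMinimumTlsProtocolVersion` against the supported versions listed in this guide, and emits the `update-distribution` command for every distribution below a chosen floor. The distribution names and the response sample are constructed.

```python
"""Audit Lightsail distributions for a minimum viewer TLS protocol version.

Added example, not AWS code. Feed it the output of
`aws lightsail get-distributions --region us-east-1`.
"""
import json

# Protocol versions this guide lists, ordered weakest first.
SUPPORTED_VERSIONS = ["TLSv1.1_2016", "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
RECOMMENDED = "TLSv1.2_2021"

# Constructed sample of get-distributions output (names and values invented).
SAMPLE_RESPONSE = json.dumps({
    "distributions": [
        {"name": "Distribution-1", "viewerMinimumTlsProtocolVersion": "TLSv1.2_2021"},
        {"name": "legacy-site", "viewerMinimumTlsProtocolVersion": "TLSv1.1_2016"},
        {"name": "blog-cdn", "viewerMinimumTlsProtocolVersion": "TLSv1.2_2019"},
    ]
})


def version_rank(version):
    """Position in SUPPORTED_VERSIONS; unknown values are treated as weakest (-1)."""
    try:
        return SUPPORTED_VERSIONS.index(version)
    except ValueError:
        return -1


def find_below_floor(response_json, floor=RECOMMENDED):
    """Return {name: current_version} for distributions weaker than `floor`."""
    if floor not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported floor {floor!r}")
    data = json.loads(response_json)
    weak = {}
    for dist in data.get("distributions", []):
        current = dist.get("viewerMinimumTlsProtocolVersion", "")
        if version_rank(current) < version_rank(floor):
            weak[dist["name"]] = current
    return weak


def remediation_commands(response_json, floor=RECOMMENDED, region="us-east-1"):
    """Build the update-distribution CLI call from this guide for each non-compliant distribution."""
    return [
        f"aws lightsail update-distribution --distribution-name {name} "
        f"--viewer-minimum-tls-protocol-version {floor} --region {region}"
        for name in sorted(find_below_floor(response_json, floor))
    ]


if __name__ == "__main__":
    # With real data: aws lightsail get-distributions --region us-east-1 | python3 audit.py
    for cmd in remediation_commands(SAMPLE_RESPONSE):
        print(cmd)
```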

# Delete unused SSL/TLS certificates from Lightsail distributions
Delete distribution certificates

**Warning**  
Deleting an SSL/TLS certificate is final and can't be undone.

You can delete Amazon Lightsail SSL/TLS certificates that you're no longer using on your distributions. For example, your certificate might be expired and you've already attached an updated certificate that's validated. For more information about certificates, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md). For more information about distributions, see [Content delivery network distributions](amazon-lightsail-content-delivery-network-distributions.md).

You have a quota of certificates that you can create over a 365-day period. For more information, see [Lightsail service quotas](https://docs.aws.amazon.com/general/latest/gr/lightsail.html#limits_lightsail) in the *AWS General Reference*.

## Delete an SSL/TLS certificate for your distribution


**Important**  
The **Delete** option is unavailable if the certificate you want to delete is in use. To delete certificates that are in use, you must first change the custom domains of the distribution that are using the certificate, or disable custom domains on the distribution that are using the certificate.

Complete the following procedure to delete an SSL/TLS certificate for your distribution.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Networking**.

1. Choose the name of the distribution from which you want to delete the SSL/TLS certificate. If the certificate is not currently in use, then you can choose any distribution because all of your certificates are listed in every distribution.

1. Choose the **Custom domains** tab on your distribution's management page.

1. In the **Certificates** section of the page, choose the ellipsis icon (⋮) for the certificate that you want to delete, and choose **Delete**.

   The **Delete** option is unavailable if the certificate you want to delete is in use. To delete certificates that are in use, you need to first change the custom domains of the distribution that is using the certificate, or disable custom domains on the distribution that is using the certificate. For more information, see [Change custom domains for your distribution](amazon-lightsail-changing-distribution-custom-domains.md) and [Disable custom domains for your distribution](amazon-lightsail-disabling-distribution-custom-domains.md#amazon-lightsail-disabling-distribution-custom-domains.title).

1. Choose **Yes, delete** to confirm the deletion.

# Enable HTTPS with an SSL/TLS certificate for your Lightsail load balancer
Load balancer certificates

After you create a Lightsail load balancer, you can attach a Transport Layer Security (TLS) certificate to enable HTTPS. The SSL/TLS certificate lets your load balancer handle encrypted web traffic so that you can provide a more secure experience for your users. To learn more, see [SSL/TLS certificates](understanding-tls-ssl-certificates-in-lightsail-https.md).

## Prerequisites


Before you get started, you will need the following.
+ A Lightsail load balancer. To learn more, see [Create a load balancer](create-lightsail-load-balancer-and-attach-lightsail-instances.md).

## Create the certificate request


1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. In the left navigation pane, choose **Networking**.

1. Choose the name of the load balancer for which you want to configure an SSL/TLS certificate.

1. Choose the **Custom domains** tab.

1. Choose **Create certificate**.

1. Enter a name for your certificate or accept the default.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character or number.
   + Can include alphanumeric characters, numbers, periods, dashes, and underscores.

1. Enter your primary domain (`www.example.com`), and up to 9 alternate domains or subdomains.

   For more information, see [Add alternate domains and subdomains to your SSL/TLS certificate](add-alternate-domain-names-to-tls-ssl-certificate-https.md)

1. Choose **Create certificate**.

   Lightsail begins the validation process. You have 72 hours to verify that you own your domain.

   After you create your certificate, you see the certificate along with the domain name and all your alternate domains and subdomains. You need to create a DNS record for each domain and subdomain.

## Next step

+  [Verify that you own your domain](verify-tls-ssl-certificate-using-dns-cname-https.md) 

**Topics**
+ [Prerequisites](#create-ssl-tls-certificate-prerequisites)
+ [Create the certificate request](#create-ssl-tls-certificate)
+ [Next step](#create-ssl-tls-certificate-next-steps)
+ [Add alternate domains](add-alternate-domain-names-to-tls-ssl-certificate-https.md)
+ [Verify SSL/TLS certificates](verify-tls-ssl-certificate-using-dns-cname-https.md)
+ [Attach certificate to load balancer](attach-validated-certificate-to-load-balancer.md)
+ [Remove SSL/TLS certificate](delete-tls-ssl-certificate-lightsail-load-balancer-https.md)

# Add alternate domains and subdomains to your Lightsail SSL/TLS certificate
Add alternate domains

When you create your SSL/TLS certificate for your Lightsail load balancer, you can add alternate domains and subdomains to it. These alternate names help ensure that all traffic to your load balancer is encrypted.

When you specify a primary domain, you can use a fully qualified domain name such as `www.example.com` or an apex domain name such as `example.com`.

The total number of domains and subdomains must not exceed 10, so you can add up to 9 alternate domains and subdomains to your certificate. You might want to add entries similar to the following list.
+ example.com
+ example.net
+ blog.example.com
+ myexamples.com

## To create a certificate with alternate domains and subdomains


1. If you don't have one yet, [Create a load balancer](create-lightsail-load-balancer-and-attach-lightsail-instances.md).

1. In the left navigation pane, choose **Networking**.

1. Choose your Lightsail load balancer.

1. Choose the **Custom domains** tab.

1. Choose **Create certificate**.

1. Enter a name for your certificate or accept the default name.

   Resource names:
   + Must be unique within each AWS Region in your Lightsail account.
   + Must contain 2 to 255 characters.
   + Must start and end with an alphanumeric character or number.
   + Can include alphanumeric characters, numbers, periods, dashes, and underscores.

1. Enter your primary domain (`www.example.com`), and up to 9 alternate domains or subdomains.

1. Choose **Create certificate**.

   Once created, you have 72 hours to verify that you own your domain.

## Next steps

+  [Verify domain ownership using DNS](verify-tls-ssl-certificate-using-dns-cname-https.md) 

  Once verified, you can select your validated certificate to associate it with your Lightsail load balancer.
+  [Enable session persistence](update-settings-for-lightsail-load-balancer-health-check-path-https-session-stickiness-persistence-cookie-duration.md) 

# Verify SSL/TLS certificate domains with CNAME records in Lightsail
Verify SSL/TLS certificates

After you create an SSL/TLS certificate in Lightsail, you need to verify that you control all the domains and subdomains that you added to the certificate.

**Contents**
+ [Step 1: Create a Lightsail DNS zone for your domain](#verify-ssl-tls-create-dns-zone)
+ [Step 2: Add records to your domain's DNS zone](#verify-ssl-tls-create-dns-records)
+ [Next step](#verify-ssl-tls-next-step)

## Step 1: Create a Lightsail DNS zone for your domain


If you haven't done so already, create a Lightsail DNS zone for your domain. For more information, see [Create a DNS zone to manage your domain’s DNS records](lightsail-how-to-create-dns-entry.md).

## Step 2: Add records to your domain's DNS zone


The certificate that you created provides a set of canonical name (CNAME) records. You add these records to your domain's DNS zone to verify that you own or control that domain.

**Important**  
Lightsail will attempt to automatically verify that you control the domains or subdomains you specified while creating the certificate. After you select **Create certificate**, the CNAME records will be added to your domain's DNS zone. The certificate's status will change from **Attempting to validate your certificate** to **Valid, in use** if automatic validation is successful.  
Proceed to the following steps if automatic validation fails.

In the following steps, we will show you how to get the CNAME records and add them to your domain's DNS zone in the Lightsail console.

1. Sign in to the [Lightsail console](https://lightsail.aws.amazon.com/).

1. On the Lightsail home page, choose your user or role on the top navigation menu.

1. Choose **Account** in the dropdown menu.  
![\[Lightsail account tab\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-console-account-menu.png)

1. Choose the **Certificates** tab.

1. Find the certificate that you want to verify, and make note of the **Name** and **Value** of the CNAME records that you must add for each domain.

   Press **Ctrl+C** if you’re using Windows, or **Cmd+C** if you’re using Mac, to copy them to your clipboard.  
![\[Certificate pending validation with domains and subdomains.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/example.certificate-validation-with-subdomains.png)

1. Open a text editor, such as Notepad if you're using Windows, or TextEdit if you're using Mac. In the text file, press **Ctrl+V** if you’re using Windows, or **Cmd+V** if you’re using Mac, to paste the values into the text file.

   Leave this text file open; you will need these CNAME values when adding the records to your domain's DNS zone later in this guide.  
![\[Text file with certificate CNAME records.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/amazon-lightsail-ssl-tls-cname-records-text-file.png)

1. Choose **Home** on the top navigation bar of the Lightsail console.

1. Choose **Domains & DNS** on the Lightsail home page.

1. Choose the DNS zone for the domain that will use the certificate.

1. Choose **Add record** in the **DNS records** tab.

1. Choose **CNAME** for the record type.

1. Toggle to the text file that contains the CNAME records for your certificates.

   Copy the **Name** of the CNAME record. For example, `_1bfb0b9ef15a50f9041e559d2c67b760`.

1. Toggle to the DNS records page and paste the **Name** into the **Record name** field.
**Important**  
Adding a CNAME record that contains the domain name (such as `.example.com`) will result in duplication of the domain name (such as `.example.com.example.com`). To avoid duplication, edit the entry so that only the part of the CNAME that you need is added. This would be `_1bfb0b9ef15a50f9041e559d2c67b760`.

1. Copy the **Value** of the CNAME record. For example, `_c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws.`.

1. Toggle to the DNS records page and paste the **Value** into the **Route traffic to** field.

1. Choose **Save** to add the record.

1. If you have alternate subdomains, choose **Add record** to add another record.
**Note**  
 To learn more about alternate domains or subdomains, see [Add alternate domains and subdomains to your SSL/TLS certificate in Amazon Lightsail](add-alternate-domain-names-to-tls-ssl-certificate-https.md).

1. Repeat steps 11 - 17 to add the CNAME record(s) for the alternate subdomains.

   You can also [add an alias (A) record to point to your load balancer](add-alias-record-for-lightsail-load-balancer.md), or other Lightsail resources while you're on the DNS zone management page.

   When finished, your DNS zone should look like the following screenshot.  
![\[CNAMES in Lightsail ready to be submitted for validation.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/dns-validation-cname-with-alternate-names.png)

   After some time, your domain is verified and you will see the following message on the certificate.  
![\[Successful validation of domain.\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/example-com-verified-and-ready-to-use.png)
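Before waiting on validation, it is worth checking the records you typed against the Name/Value pairs the certificate lists. The following added example (not Lightsail or ACM code) models the console behaviour described in the Important note above: Lightsail appends the zone's domain to whatever is typed in **Record name**, so entering the full name produces the duplicated `_abc.example.com.example.com` record. The first Name/Value pair reuses the sample values from this guide; the `blog.example.com` pair, the zone contents and the A record are constructed.

```python
"""Pre-flight check of ACM validation CNAME records in a Lightsail DNS zone.

Added example, not Lightsail or ACM code. Assumes the console appends the
zone's domain to the typed Record name, as this guide describes.
"""


def resolve_record_name(typed_name, zone):
    """FQDN (no trailing dot) that a value typed into 'Record name' resolves to."""
    typed = typed_name.strip().rstrip(".")
    return f"{typed}.{zone}" if typed else zone


def check_validation_records(required, zone_entries, zone):
    """Compare the certificate's validation records with what is in the zone.

    required:     {domain: (cname_name_prefix, cname_value)} as shown on the certificate
    zone_entries: [(typed_record_name, record_type, target)] as entered in the console
    Returns {domain: "ok" | "missing" | "duplicated domain" | "wrong type" | "wrong value"}.
    """
    present = {
        resolve_record_name(name, zone): (rtype.upper(), target.rstrip("."))
        for name, rtype, target in zone_entries
    }
    report = {}
    for domain, (prefix, value) in required.items():
        expected = f"{prefix}.{domain}"
        if expected in present:
            rtype, target = present[expected]
            if rtype != "CNAME":
                report[domain] = "wrong type"
            elif target != value.rstrip("."):  # trailing dot on the value is optional
                report[domain] = "wrong value"
            else:
                report[domain] = "ok"
        elif f"{expected}.{zone}" in present:
            # The pitfall from this guide: a full name typed into Record name
            # becomes _abc.example.com.example.com once the zone is appended.
            report[domain] = "duplicated domain"
        else:
            report[domain] = "missing"
    return report


# Constructed sample: example.com reuses the Name/Value from this guide,
# the blog.example.com pair is invented.
SAMPLE_ZONE = "example.com"
SAMPLE_REQUIRED = {
    "example.com": ("_1bfb0b9ef15a50f9041e559d2c67b760",
                    "_c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws."),
    "blog.example.com": ("_0123456789abcdef0123456789abcdef",
                         "_fedcba9876543210fedcba9876543210.hkvuiqjoua.acm-validations.aws."),
}
# Constructed zone contents as typed in the console; the second entry shows the
# duplicated-domain mistake, the third is an unrelated A record.
SAMPLE_ENTRIES = [
    ("_1bfb0b9ef15a50f9041e559d2c67b760", "CNAME",
     "_c9a0c385eda13283350e35f297469a13.hkvuiqjoua.acm-validations.aws."),
    ("_0123456789abcdef0123456789abcdef.blog.example.com", "CNAME",
     "_fedcba9876543210fedcba9876543210.hkvuiqjoua.acm-validations.aws."),
    ("www", "A", "203.0.113.10"),
]

if __name__ == "__main__":
    print(check_validation_records(SAMPLE_REQUIRED, SAMPLE_ENTRIES, SAMPLE_ZONE))
```

Because the same records are reused when Lightsail re-validates the certificate, the check is equally useful before the **Valid until** date.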

## Next step


Once your domain is verified, you are ready to [Attach a validated SSL/TLS certificate to your load balancer](attach-validated-certificate-to-load-balancer.md).

# Attach a validated SSL/TLS certificate to your Lightsail load balancer
Attach certificate to load balancer

After you verify that you control your domain, the certificate's status will change to **Valid**.

![\[Successful validation of domain\]](http://docs.aws.amazon.com/lightsail/latest/userguide/images/example-com-verified-and-ready-to-use.png)


Your next step is to attach the certificate to your Lightsail load balancer.

1. From the Lightsail home page, choose **Networking**.

1. Choose your load balancer.

1. Choose the **Custom domains** tab.

1. In the **Certificates** section, choose **Attach certificate**.

1. Select a certificate from the dropdown list.

1. Choose **Attach**, to attach the certificate.

# Remove SSL/TLS certificates from a Lightsail load balancer
Remove SSL/TLS certificate

You can delete an SSL/TLS certificate that you're no longer using. For example, your certificate might be expired and you've already attached an updated certificate that's validated. If you want to duplicate your certificate before deleting it, you can choose **Duplicate** from the same shortcut menu in step 5, below.

**Important**  
If the certificate you're deleting is valid and in use, your load balancer will no longer be able to handle encrypted (HTTPS) traffic. Your Lightsail load balancer will still support unencrypted (HTTP) traffic.  
Deleting an SSL/TLS certificate is final and can't be undone. You have a quota of certificates you can create over a 365-day period. For more information, see [Quotas](http://docs.aws.amazon.com/acm/latest/userguide/acm-limits.html) in the *AWS Certificate Manager User Guide*.

1. In the left navigation pane, choose **Networking**.

1. Choose the load balancer where your SSL/TLS certificate is attached.

1. Choose the **Inbound traffic** tab on your load balancer's management page.

1. In the **Certificates** section of the page, choose the ellipsis icon (⋮) for the certificate that you want to delete, and choose **Delete**.

   The **Delete** option is unavailable if the certificate you want to delete is in use. To delete certificates that are in use, you need to first change the certificate of the load balancer that is using the certificate, or disable HTTPS on the load balancer that is using the certificate.