Cheap Wildcard SSL Certificate with AWS Route 53 and Certificate Manager

Using AWS Route 53 and AWS Certificate Manager to register a domain with SSL certificate.

Victor Leong
4 min readDec 9, 2017


AWS Route 53 and AWS Certificate Manager allow you to setup a domain with a FREE SSL certificate. Here’s how.

AWS Route53

Firstly register your domain with AWS Route 53. Do all the verifications required. A .com domain costs 12 bucks a year. Other costs include hosted zone, at 25 cents per hosted zone per month.

AWS Certificate Manager

Next head over to Certificate Manager. Click “Request a certificate” and key in the domain name that you want to serve over SSL. If I were you, add the wildcard domain name on top of the root domain name. This will cover all first-level subdomains and the root domain of your domain.

Wildcard SSL certificate FTW!

Complete the process which includes validation and … that’s it. No extra payment! You will get a good solid wildcard SSL certificate…



To use these SSL certificates, you can only use it with the AWS services that can be utilised as endpoints. Some of them include CloudFront, Elastic Load Balancer etc.

This means you cannot export the certificate and use it on a standalone EC2 instance. Always have to go through the AWS services.

Why is using Route 53 better?

  • It costs north of $100 annually for each wildcard certificate. You now get it for free.
  • No more SSL certificate renewal hassle.
  • No more custom configurations for the SSL.
  • No more extra configurations for the SSL to score your A grade on SSLLabs.
  • AWS Shield Standard to guard against DDOS and other common attacks for free.


You now have to pay for each api request going through Route 53. It starts at 40 cents per million requests per month for the first billion requests.

If these charges are something of a concern, that means your site has a pretty big traffic. And if that is the case, the other features of AWS Route 53 might be of interest to you to consider sticking to AWS Route 53.

AWS Route 53 has various routing policies like geolocation and latency based ones to decide how to route each request coming through itself to whichever resources. For instance, geolocation policies can route users in Australia to the Sydney load balancer and the Indian users to the Dehli one. Latency based policies can route the US traffic from the Ohio servers to the Oregon ones if the Ohio servers are experiencing high traffic and therefore high latency, perhaps due to the people in the east waking up earlier to a Zombie apocalypse and rushing to your site So they would not experience latency and can learn how to defend themselves in time 😂

If you are a developer, this should be music to your ears because you can now focus on what matters, that is building and improving the application for your users, and care less about these infrastructural settings which are now decoupled as a service on its own.

By the way, if you are just starting a new site, you can configure these routing policies later on when your site gets big. Compare this to migrating to AWS later when the production server is live and you cannot afford to break things during the migration 😱

On top of that, Route 53 is automatically protected from DDOS and other common attacks by AWS Shield. I do not know what other common attacks there are because as a developer, my focus is more on the features of the application I am developing. I am not trained in security and my interest lies in building applications that matter, so Route 53 will help me a lot in this area. The standard protection by AWS Shield are applied automatically and transparently to [your] Elastic Load Balancers, CloudFront distributions, and Route 53 resources at no extra cost.


I love this service because it takes away all the hassle in setting up a correct SSL configuration. It also removes the need for all the liaising between different vendors from where your website is hosted on, where your assets are stored on and where your SSL is bought from. All these are now on 1 platform, AWS, whose Route 53 and Certificate Manager services will save a lot of my development time, as well as provide me the features to prepare for the future should any of my projects gets big.

In addition, I am not charged for the SSL certificate, but only for using the AWS resources I am utilising. Fine by me as it is the usual pay how much you use model. This reduces the upfront costs required to do anything, which can get very discouraging.

PS. I have heard stories where AWS services actually cost a lot more when your site gets big. I have not had experience dealing with traffic in the millions so I cannot attest to whether this is true or false. Until I have a site that got there Do share with me your insights if you have had the experience. Much appreciated!