Configure SSL/TLS on Amazon Web Services EC2
Securing your website with an SSL/TLS certificate is crucial for encrypting traffic, protecting users from interception and building trust. For websites hosted on Amazon Web Services (AWS), the usual place to install the certificate is the load balancer in front of your EC2 instances, and this guide walks through that process.
In this comprehensive guide, we will walk you through the entire process of installing an SSL certificate on AWS step-by-step.
Prerequisites for Installing SSL on AWS
Before starting with the SSL installation process for AWS EC2, make sure you have:
- An active AWS account with credentials that can manage EC2, Elastic Load Balancing and AWS Certificate Manager (ACM).
- An EC2 instance running your application, registered in a target group behind an Elastic Load Balancer (Application or Network Load Balancer) that already has an HTTP listener.
- A domain name you control (for example www.yourdomain.com) pointing at the load balancer's DNS name through a CNAME or Route 53 alias record. Do not point it at an instance's public IP or public DNS name; both change when the instance is stopped and started.
- A certificate ordered from a trusted Certificate Authority (CA) using the CSR you generate in Step 1.
- The resulting files on a machine you control. There are three of them:
- Certificate – The leaf certificate for your domain, containing the public key, the validity period and the issuing CA's details.
- Private key – The key you generated locally before making the CSR. The server uses it during the TLS handshake to prove it owns the certificate. It is never sent to the CA and must never leave hosts you control.
- Certificate chain / intermediate certificate – The CA certificate(s) that link your certificate to a root that browsers already trust.
A Step-by-Step Guide to Install SSL Certificate on Amazon Web Services
Installing an SSL certificate on Amazon Web Services (AWS EC2) involves a few key steps:
Step 1 – Generate a Certificate Signing Request (CSR)
The first step is to generate a Certificate Signing Request (CSR). The Certificate Authority needs it to issue your SSL certificate.
Before the CSR you generate a private key. The CSR then contains the matching public key together with your domain name and organisation details, and is signed with the private key to prove you hold it. The private key itself is not part of the CSR and never leaves your machine.
Follow these steps to generate a CSR:
Using OpenSSL on Linux
- Access your EC2 Linux instance using SSH.
- Install OpenSSL if not already available by running:
sudo yum install openssl
- Next, create your private key file with the following OpenSSL command:
openssl genrsa -out www.yourdomain.com.key 2048
- This generates a 2048-bit RSA private key saved as www.yourdomain.com.key. Restrict the file to its owner (mode 600) straight away; anyone who can read it can impersonate your site.
- Now generate the CSR using the key file:
openssl req -new -key www.yourdomain.com.key -out www.yourdomain.com.csr
- Enter the details when prompted. The Common Name must be the exact host name you will serve (www.yourdomain.com); leave the optional challenge password empty, since CAs do not use it.
- Your CSR file is now ready and saved as www.yourdomain.com.csr. Its contents are public, so it is safe to paste into the CA's order form.
Using OpenSSL on Windows
Follow the same steps as above after installing OpenSSL on your Windows machine. Popular precompiled binary versions are available at slproweb.com/products/Win32OpenSSL.html.
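The steps above, collected into a script that runs without prompts and checks its own output. This is an added example, not code from the original article: the domain, organisation and output directory are placeholders, and it assumes OpenSSL 1.1.1 or later (needed for -addext).

```sh
#!/bin/sh
# Added example (not from the original article): generate a private key and a
# CSR non-interactively, keep the key owner-only, and self-check the CSR before
# sending it to the CA. Domain, organisation and paths are placeholders.
set -eu

# gen_key_and_csr DOMAIN OUTDIR [ORG] [COUNTRY]
# Writes OUTDIR/DOMAIN.key (mode 0600) and OUTDIR/DOMAIN.csr.
gen_key_and_csr() {
    domain=$1
    outdir=$2
    org=${3:-Example Corp}
    country=${4:-US}
    key="$outdir/$domain.key"
    csr="$outdir/$domain.csr"

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    mkdir -p "$outdir"

    # 2048-bit RSA key. The umask makes the file owner-only from the moment it
    # is created, so there is no window in which it is world-readable.
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)

    # Browsers match on subjectAltName, not on the CN, so every name the
    # certificate must cover goes there. For www.X also request the bare X.
    sans="DNS:$domain"
    bare=${domain#www.}
    if [ "$bare" != "$domain" ]; then
        sans="$sans,DNS:$bare"
    fi

    # -subj answers the interactive prompts; no challenge password is set.
    openssl req -new -key "$key" -out "$csr" \
        -subj "/C=$country/O=$org/CN=$domain" \
        -addext "subjectAltName=$sans"

    # Self-check before sending it anywhere: the CSR's own signature must
    # verify and the requested names must actually be present.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$domain"
}

# usage: sh gen-csr.sh www.yourdomain.com ./tls "Your Company" US
if [ $# -ge 2 ]; then
    gen_key_and_csr "$@"
    echo "CSR written to $2/$1.csr; keep $2/$1.key private"
fi
```

The same script works on Windows with the slproweb OpenSSL build under Git Bash or WSL; only the mode-600 step has no direct equivalent there, so restrict the key file's ACL to your user instead.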
Using AWS Certificate Manager instead of a CSR
The AWS CLI cannot generate a CSR for a certificate you will buy from an external CA, and ACM cannot export the private key of a certificate it issues: that key is generated and kept inside ACM, so there is no key file or CSR to download. What the CLI can do is ask ACM to issue a certificate itself. If that model suits you, skip Steps 1 to 3 entirely:
- Install the AWS CLI (version 2 ships as an installer package, not as a pip module) and configure credentials with permission to use ACM.
- Request the certificate in the same region as your load balancer:
aws acm request-certificate --domain-name www.yourdomain.com --validation-method DNS --key-algorithm RSA_2048 --query CertificateArn --output text
- The command returns the ARN (Amazon Resource Name) of the pending certificate, not of a private key. Fetch the validation record and create it in your DNS zone to prove you control the domain:
aws acm describe-certificate --certificate-arn YOUR-ARN --query 'Certificate.DomainValidationOptions[0].ResourceRecord'
- Once the status becomes ISSUED, attach the ARN to the load balancer's HTTPS listener as in Step 4. ACM renews the certificate automatically for as long as the DNS record stays in place.
Note that aws acm get-certificate returns only the public certificate and its chain, never a private key.
Step 2 – Purchase and Download SSL Certificate
Once you have the CSR, submit it to the Certificate Authority when ordering the certificate. Here are the steps:
- Choose a trusted CA provider such as Comodo (now Sectigo), DigiCert or Thawte.
- Paste the CSR text during the purchase process and provide your domain name and company details. The CSR carries only the public key, so the private key stays on your machine.
- Select the type of SSL certificate you need: single domain, wildcard, multi-domain (SAN) or EV.
- Complete the validation the CA requires: proof of domain control (an email to the domain, a DNS record or an HTTP file) for every certificate, plus organisation checks for OV and EV.
- Issuance usually takes minutes for domain-validated certificates once validation passes, and one or more days for OV/EV while the CA checks the business.
- Download the ZIP archive the CA provides. It contains:
- Certificate – your domain's certificate file
- Certificate chain – the intermediate certificate(s), sometimes bundled with the root
The private key is not in the download, because the CA never had it. Use the .key file generated in Step 1 and keep the two together.
Step 3 – Convert Certificate and Key to PEM Format
ACM and IAM accept only PEM-encoded files: Base64 text between -----BEGIN ...----- and -----END ...----- lines, with the private key stored unencrypted (no passphrase). Certificates from most CAs already arrive as PEM (.crt, .cer or .pem), and a key produced by openssl genrsa is PEM as well, so conversion is often unnecessary.
Conversion is needed when the CA returned a binary DER file, when the key is passphrase-protected, or when certificate and key were exported together from Windows/IIS as a PKCS#12 container (.pfx or .p12).
Here are the options:
Using OpenSSL
- To rewrite a private key as unencrypted PEM (OpenSSL prompts for the passphrase if the key has one):
openssl rsa -in yourdomain.key -out yourdomain.pem
- To extract a .pfx file to PEM:
openssl pkcs12 -in yourdomain.pfx -out yourdomain.pem -nodes
- Enter the export password when prompted. -nodes writes the key without encryption, which is what AWS requires, so restrict the output file to its owner (mode 600).
- The resulting file holds the certificate, the chain and the private key together, each preceded by "Bag Attributes" text. Copy each -----BEGIN/-----END block into its own file, because ACM and IAM take the certificate, the key and the chain as separate inputs.
Using SSL Converter Tools
Online converters (SSLInsights publishes one that handles .pfx, .p12, .pem, .der, .cer, .crt, .key and .p7b) are convenient for certificates and chains, which are public data. Never upload a private key, or a .pfx that contains one, to a third-party website: anyone holding that key can impersonate your site, and you cannot verify what the site does with it. Convert keys locally with OpenSSL.
We now have the PEM-encoded certificate, chain and private key ready. Let's move on to installing them on AWS.
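A script that does the PKCS#12 split described above and then checks the three files the way a practitioner would before pasting them into AWS: each is real PEM, the key is unencrypted, the key actually belongs to the certificate, and the chain verifies. This is an added example, not code from the original article; the file names and the PKCS#12 password are placeholders, and chain verification uses the system trust store unless a root file is supplied.

```sh
#!/bin/sh
# Added example (not part of the original article): split a PKCS#12 (.pfx/.p12)
# export into the three PEM files AWS expects, then sanity-check any PEM bundle
# before uploading it. File names and the PKCS#12 password are placeholders.
set -eu

# pfx_to_pem PFX OUTDIR PASSWORD
# Writes OUTDIR/key.pem, OUTDIR/cert.pem and OUTDIR/chain.pem. Piping through
# pkey/x509/sed drops the "Bag Attributes" preamble openssl pkcs12 prints,
# leaving pure PEM blocks, and the key is written unencrypted (ACM/IAM need that).
pfx_to_pem() {
    pfx=$1; out=$2; pass=$3
    mkdir -p "$out"
    (umask 077
     openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        | openssl pkey -out "$out/key.pem")
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 -out "$out/cert.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' > "$out/chain.pem"
}

# pem_has FILE LABEL : true if FILE contains a PEM block whose label ends in LABEL
pem_has() { grep -q -- "-----BEGIN .*$2-----" "$1"; }

# key_matches_cert KEY CERT : compares the SHA-256 of the DER public key found
# in the certificate with the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CERT CHAIN [ROOT] : builds the path CERT -> CHAIN -> trust
# anchor. Without ROOT the system trust store is used, which is what browsers
# effectively do; pass ROOT for a private or test CA.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1"
    else
        openssl verify -untrusted "$2" "$1"
    fi >/dev/null 2>&1
}

# check_bundle KEY CERT CHAIN [ROOT] : runs every check, reports the first failure
check_bundle() {
    key=$1; cert=$2; chain=$3; root=${4:-}
    pem_has "$key" "PRIVATE KEY"   || { echo "key is not PEM (convert it first)"; return 1; }
    pem_has "$cert" "CERTIFICATE"  || { echo "certificate is not PEM"; return 1; }
    pem_has "$chain" "CERTIFICATE" || { echo "chain is empty or not PEM"; return 1; }
    grep -q "ENCRYPTED" "$key" && { echo "key is passphrase-protected; ACM/IAM need it unencrypted"; return 1; }
    key_matches_cert "$key" "$cert" || { echo "private key does not match certificate"; return 1; }
    chain_verifies "$cert" "$chain" "$root" || { echo "chain does not verify (missing intermediate?)"; return 1; }
    echo "bundle OK"
}

# usage: sh check-bundle.sh key.pem cert.pem chain.pem [root.pem]
if [ $# -eq 3 ] || [ $# -eq 4 ]; then
    check_bundle "$@"
fi
```

The public-key comparison is the check that catches the most common upload mistake: pairing a renewed certificate with last year's key, which AWS rejects with an error that does not say which file is wrong.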
Step 4 – Upload the Certificate and Attach It to the Load Balancer
With the PEM files ready, upload the certificate to AWS and attach it to an HTTPS listener on the load balancer in front of your instances. The private key goes to AWS once, here; it never needs to be copied to the instances.
Follow these steps in the AWS Management Console:
- Log in to your AWS account and open the EC2 dashboard.
- Click 'Load Balancers' in the left sidebar and select your load balancer.
- On the 'Listeners' tab, add a listener for HTTPS on port 443. Keep the existing HTTP:80 listener; later you can change its default action to a redirect to HTTPS so that no plaintext request reaches the application.
- Under the listener's default certificate, choose 'Import certificate' and store it in AWS Certificate Manager (ACM). Uploading to IAM instead is the legacy path and is only needed in regions where ACM is unavailable.
- Paste the PEM-encoded certificate body, the private key and the certificate chain into their three respective fields. The chain field must hold the CA's intermediate certificate(s); leaving it empty is the most common cause of "untrusted" warnings later.
- Click 'Import', then select the imported certificate as the listener's default certificate.
- Choose a security policy that permits only TLS 1.2 and 1.3 (for example ELBSecurityPolicy-TLS13-1-2-2021-06) and set the default action to forward to the target group that contains your instances.
- Save the listener and wait a few minutes for the change to propagate.
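The same upload-and-attach step done with the AWS CLI, which is what you would script for repeatable deployments and renewals. This is an added example, not code from the original article: the load balancer, target group and certificate ARNs and the file names are placeholders, the commands must run in the load balancer's region, and setting DRY_RUN=1 prints each command instead of executing it. It uses aws acm import-certificate and aws elbv2 create-listener; if an HTTPS listener already exists, use aws elbv2 modify-listener with the same arguments instead.

```sh
#!/bin/sh
# Added example (not from the original article): import a certificate into ACM
# and put it on an HTTPS listener with a TLS 1.2+ policy, plus an HTTP->HTTPS
# redirect at the load balancer. ARNs and file names are placeholders.
# DRY_RUN=1 prints the commands instead of running them.
set -eu

aws_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "aws $*"
    else
        aws "$@"
    fi
}

# import_cert CERT KEY CHAIN -> prints the ACM certificate ARN.
# The chain goes in its own field; do not append it to the leaf certificate.
import_cert() {
    aws_cmd acm import-certificate \
        --certificate "fileb://$1" \
        --private-key "fileb://$2" \
        --certificate-chain "fileb://$3" \
        --query CertificateArn --output text
}

# add_https_listener LB_ARN TG_ARN CERT_ARN
# The security policy allows only TLS 1.2 and 1.3; SSL 3.0/TLS 1.0/1.1 stay off.
add_https_listener() {
    aws_cmd elbv2 create-listener \
        --load-balancer-arn "$1" \
        --protocol HTTPS --port 443 \
        --ssl-policy ELBSecurityPolicy-TLS13-1-2-2021-06 \
        --certificates "CertificateArn=$3" \
        --default-actions "Type=forward,TargetGroupArn=$2"
}

# add_http_redirect LB_ARN : 301 every http:// request to https:// at the
# load balancer, so plaintext requests never reach the instances.
add_http_redirect() {
    aws_cmd elbv2 create-listener \
        --load-balancer-arn "$1" \
        --protocol HTTP --port 80 \
        --default-actions "Type=redirect,RedirectConfig={Protocol=HTTPS,Port=443,StatusCode=HTTP_301}"
}

# usage: sh deploy-cert.sh cert.pem key.pem chain.pem LB_ARN TG_ARN
if [ $# -eq 5 ]; then
    arn=$(import_cert "$1" "$2" "$3")
    add_https_listener "$4" "$5" "$arn"
    add_http_redirect "$4"
    echo "certificate $arn attached to $4"
fi
```

Because the key is read with fileb:// from the machine running the CLI, it is sent only to ACM over the AWS API; nothing is copied to the instances.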
Step 5 – Configure the Application Servers Behind the Load Balancer
Attaching the certificate to the load balancer terminates TLS there: the browser's HTTPS session ends at the load balancer, which then opens a separate connection to the EC2 instance through the target group. The instances do not need the certificate or an HTTPS port of their own; they keep serving plain HTTP (typically port 80) inside the VPC. What changes is how the application sees the request:
- The load balancer passes the original scheme in the X-Forwarded-Proto header (https). Configure the application or framework to trust that header from the load balancer so it generates https:// links, marks cookies Secure and does not redirect users back to HTTP.
- Redirect http:// to https:// at the load balancer (an HTTP listener whose default action is a redirect) rather than in application code, so plaintext requests never reach the instance.
- Restrict the instance's security group so the target port accepts traffic only from the load balancer's security group, not from 0.0.0.0/0.
- After changing web server or application configuration, restart the service:
sudo systemctl restart httpd #for Apache web server
sudo systemctl restart nginx #for Nginx web server
If you instead want encryption all the way to the instance (end-to-end), the load balancer uses an HTTPS target group and re-encrypts, and the instance must terminate TLS itself with its own certificate and key files. Binding port 443 needs root or the CAP_NET_BIND_SERVICE capability, so a common pattern is to listen on 8443 and point the target group at that port. The application server must then be told where the files are (paths below are examples):
- NodeJS: serve with the https module instead of http. The commonly seen http.createServer(app).listen(443) serves plaintext on port 443, which is not HTTPS:
const fs = require('fs');
const https = require('https');
https.createServer({
key: fs.readFileSync('/etc/pki/tls/private/www.yourdomain.com.key'),
cert: fs.readFileSync('/etc/pki/tls/certs/www.yourdomain.com.crt'),
ca: fs.readFileSync('/etc/pki/tls/certs/chain.pem'),
}, app).listen(443);
- For Java web apps on Tomcat 8.5 or later, the HTTPS connector needs SSLEnabled plus the certificate files; SSLEnabled="true" on its own will not start:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true">
<SSLHostConfig>
<Certificate certificateFile="conf/www.yourdomain.com.crt" certificateKeyFile="conf/www.yourdomain.com.key" certificateChainFile="conf/chain.pem" />
</SSLHostConfig>
</Connector>
- Restart individual app servers like Tomcat after config changes:
sudo systemctl restart tomcat
- Instances in an auto scaling group are replaced automatically, so bake the certificate files and configuration into the AMI or the launch template's user data instead of repeating the steps by hand on each instance. With termination at the load balancer this is unnecessary, because the instances hold no certificate.
Step 6 – Test the SSL Certificate Installation
After completing all the steps, it’s time to test your shiny new SSL certificate installed on AWS!
Follow these simple checks:
1. Browse website on HTTPS
Open your website URL in the browser using the HTTPS prefix:
https://www.yourdomain.com
If it loads without warning, then your basic SSL connectivity is working fine.
2. Verify padlock icon
Look for the padlock icon before your domain name in the browser address bar. Click it and inspect the certificate details.
The subject name (Common Name / Subject Alternative Name) should be the domain from your CSR, the issuer should be the CA you bought from, and the expiry date should be in the future. If the issuer is unexpected, the listener is serving a different certificate than the one you imported.
3. Use SSL testing tools
For comprehensive reports, use online SSL testing tools like the ones below:
- SSL Labs Server Test
- ImmuniWeb SSLScan
- DigiCert SSL Checker
Fix any flagged issues and retest until SSL Labs reports an A or A+; the grade drops for an incomplete chain or for a security policy that still permits TLS 1.0/1.1. Your SSL certificate is now installed and fully functional on AWS!
How to Renew an SSL Certificate on Amazon Web Services (AWS)
Every certificate carries an expiry date set by the Certificate Authority. Publicly trusted certificates are limited to a maximum validity of 398 days (about 13 months), so renewal is at least an annual event; a multi-year purchase from a CA is really a series of yearly reissues.
Renewing in time is crucial: once the date passes, every browser refuses the connection with an expiry error and API clients fail outright.
Follow these best practices for renewal:
- Track the expiry date with a calendar reminder and, better, with a monitoring check that warns 30 days out.
- Generate a fresh private key and CSR (Step 1) and order the renewal at least a month in advance; reusing the old key forfeits the chance to retire it.
- Import the renewed certificate into ACM and assign it to the load balancer listener; keep the old one until the switch is verified.
- Only instances that terminate TLS themselves need the new files and a service restart; with termination at the load balancer there is nothing to do on the instances.
- Test the installation again, including that the load balancer is actually serving the new certificate and not the old one.
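An expiry check that can run from cron to give the 30-day warning mentioned above, against either a local PEM file or the certificate a live endpoint serves. This is an added example, not code from the original article; the hostnames, paths and the 30-day window are placeholders. It relies on openssl x509 -checkend, which avoids parsing dates in the shell, and the live fetch needs network access to the load balancer.

```sh
#!/bin/sh
# Added example (not from the original article): report how close a certificate
# is to expiry so renewal can be scheduled. Hostnames, paths and the 30-day
# window are illustrative.
set -eu

# fetch_leaf_cert HOST [PORT] : prints, as PEM, the certificate a live endpoint
# serves for HOST. Run it against the load balancer's DNS name after a renewal
# to confirm the new certificate is actually the one being served.
fetch_leaf_cert() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
        | openssl x509
}

# expires_within CERT_FILE DAYS : returns 0 if the certificate's notAfter falls
# within DAYS from now (DAYS=0 means "already expired"), 1 otherwise.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# renewal_status CERT_FILE [WARN_DAYS] : prints one line and returns
#   0 = fine, 1 = renew now (inside the warning window), 2 = already expired
renewal_status() {
    cert=$1; warn=${2:-30}
    subject=$(openssl x509 -in "$cert" -noout -subject)
    until=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    if expires_within "$cert" 0; then
        echo "EXPIRED  $subject (ended $until)"; return 2
    elif expires_within "$cert" "$warn"; then
        echo "RENEW    $subject expires $until (within $warn days)"; return 1
    fi
    echo "OK       $subject valid beyond $warn days (until $until)"
}

# usage: sh cert-expiry.sh cert.pem [days]   or   sh cert-expiry.sh host:port [days]
# The exit status is the renewal_status code, so cron or a monitor can alert on it.
if [ $# -ge 1 ]; then
    case "$1" in
        *:*) host=${1%%:*}; port=${1##*:}
             tmp=$(mktemp); fetch_leaf_cert "$host" "$port" > "$tmp"
             rc=0; renewal_status "$tmp" "${2:-30}" || rc=$?
             rm -f "$tmp"; exit "$rc" ;;
        *)   renewal_status "$1" "${2:-30}" ;;
    esac
fi
```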
Troubleshooting Common SSL Issues on AWS
Sometimes you may run into problems after installing SSL certificates on AWS EC2 instances.
Here are some common issues and fixes:
Browser shows site untrusted warning
Usually the intermediate certificate is missing: the load balancer sends only your leaf certificate, and the browser cannot build a path from it to a trusted root. Re-import the certificate with the CA's intermediate(s) supplied in the certificate chain field (not pasted into the leaf certificate field) and assign the new import to the listener. An SSL Labs scan shows this as "Chain issues: Incomplete".
Certificate name mismatch error
The host name in the URL is not among the names in the certificate. This happens when you open the site by the load balancer's DNS name, by IP address, or by a name the certificate does not cover (a certificate for www.yourdomain.com does not cover yourdomain.com unless that name was included). Use a name listed in the certificate, or reissue it with the missing name added.
Site inaccessible on HTTPS
Check, in order: the HTTPS listener on port 443 exists and has the certificate; the load balancer's security group allows inbound 443 from the internet; the target group has healthy targets (an ALB answers 503 when it has no registered targets); and the instance security group and network ACLs allow the load balancer to reach the target port. A 502 or 504 from the load balancer means the instance is not answering on the target port.
SSL protocol errors
Clients that only speak SSL 3.0 or TLS 1.0/1.1 will fail against a modern listener, and that is the intended outcome: those protocols are deprecated because of known attacks. Keep the load balancer on a security policy that allows only TLS 1.2 and 1.3, and if you terminate TLS on the instance, set the same minimum in the web server configuration. Do not lower the policy to accommodate an old client.
Unable to resolve ACM specific endpoints
The CLI or SDK is running inside a VPC where DNS resolution is off or there is no route to the AWS API endpoints. Enable DNS resolution and DNS hostnames on the VPC (AmazonProvidedDNS) and make sure the subnet has a route to the internet or a NAT gateway.
403 Forbidden error on browser
A 403 is an HTTP response, not a TLS failure: the handshake succeeded. It comes either from the application (a path or virtual host that refuses the request, sometimes because the app does not honour X-Forwarded-Proto and treats the request as insecure) or from AWS WAF if a web ACL is attached to the load balancer. Check the application logs and any WAF rules rather than the certificate. A wrong listening port on the instance shows up as a 502 or 504 from the load balancer, not as a 403.
Getting stuck while troubleshooting? Reach out to AWS or your SSL provider for technical assistance.
Alternative Options for AWS SSL Certificates
Although we have covered how to manually install SSL certificates on EC2 instances, AWS offers some great native options that can simplify the process:
AWS Certificate Manager (ACM)
ACM is a service that lets you provision, manage and deploy public and private SSL/TLS certificates for use with AWS services.
Public certificates issued by ACM are free, and ACM renews them automatically as long as the validation record remains in place. The private key never leaves ACM, which removes the key-handling steps of this guide entirely. It integrates natively with CloudFront, Elastic Load Balancing, API Gateway and other AWS offerings; the trade-off is that the key cannot be exported, so ACM-issued certificates cannot be installed on the instance itself or outside AWS.
Amazon CloudFront
CloudFront CDN can be configured to use SSL and integrate with ACM certificates.
It terminates SSL at the CloudFront edge locations to offload work from EC2 origins.
Elastic Load Balancing (ELB)
ELB load balancers allow SSL certificates to be directly attached for encryption.
HTTPS listeners can then be created to service SSL traffic.
API Gateway
You can use API Gateway custom domains with ACM certificates (issued or imported) to secure your REST APIs; a regional domain needs the certificate in the API's region, while an edge-optimised domain needs it in us-east-1.
Check out AWS SSL options documentation for more details on using these native features.
Conclusion on Installing SSL on Amazon Web Services
Installing SSL certificates on AWS EC2 instances is vital for security and compliance. This step-by-step guide covered various options like using OpenSSL and AWS CLI for generating CSR, converting formats, uploading certificates to load balancer, restarting application servers, troubleshooting issues, alternatives like ACM, and more.
We discussed the entire end-to-end life cycle from procuring certificates to installing them securely on AWS infrastructure. Armed with these details, you can now easily deploy SSL encryption for your websites and applications hosted on Amazon Web Services.
FAQs on Installing SSL on Amazon Web Services
Can I use a free SSL certificate on AWS?
Yes. Let's Encrypt certificates are trusted by current browsers and operating systems and work anywhere a purchased DV certificate does, including imported into ACM. The practical differences are:
- They are valid for 90 days, so renewal must be automated with an ACME client on the host. If the certificate is only needed on a load balancer or CloudFront, ACM's own free certificates are simpler, since AWS renews them for you.
- Very old devices that lack the ISRG Root X1 root certificate may not trust them.
- They are domain-validated only: there is no OV/EV option and no commercial support from the CA.
What is an SSL wildcard certificate?
A wildcard SSL certificate for *.yourdomain.com covers one level of subdomains: login.yourdomain.com, support.yourdomain.com and any other single label. It does not cover the bare yourdomain.com (most CAs add that as an extra name on request) or deeper levels such as a.b.yourdomain.com. It is cost-effective for securing many subdomains with one certificate, with the caveat that the single private key then protects all of them.
Can I install multiple SSL certificates on AWS?
Yes. Application and Network Load Balancer listeners accept multiple certificates and select one per connection from the host name the client sends (SNI), so a certificate for yourdomain.com and a wildcard for *.yourdomain.com can sit on the same listener. A CloudFront distribution uses a single certificate, which can itself list several names.
Does SSL work with an EC2 instance behind a load balancer?
Yes. The certificate is installed on the load balancer, which terminates TLS and forwards each request to the EC2 instances over a separate connection inside the VPC; the instances need no certificate of their own. That backend hop is plain HTTP unless you configure an HTTPS target group, in which case the instance needs its own certificate (a self-signed one will do, since an Application Load Balancer does not validate the backend certificate).
What are the AWS costs for SSL certificates?
Certificates issued by ACM are free, as is importing your own into ACM; you pay only for the load balancer or CloudFront distribution that uses them. For a certificate bought from an external CA, the cost is the CA's price plus the same AWS resource charges.
Can I use an existing SSL certificate on AWS?
Yes, you can use your existing SSL certificate purchased externally by converting to PEM format and uploading to ACM or ELB. However, you may need to re-key the certificate if the private key wasn’t allowed to be exported.
Does AWS handle SSL certificate renewal?
Only for certificates that ACM itself issued: those are renewed automatically as long as the DNS validation record stays in place (email-validated ones require a confirmation click on the renewal mail). Certificates you import into ACM or IAM are not renewed by AWS, so you must track their expiry, renew with the CA and re-import the new file yourself.
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.