How to Install an SSL Certificate on an AWS EC2 Instance

Are you concerned about the security of customer data in transit to the applications you run on Amazon EC2? Installing an SSL certificate on the load balancer in front of your AWS (Amazon Web Services) EC2 instance is the first step, and one most businesses running on AWS have already taken because of the benefits it brings.

An SSL (TLS) certificate does three things for a website: it lets the server prove its identity to visiting clients (authentication), it lets those clients encrypt their traffic to the server so data cannot be read or altered in transit, and, because browsers flag plain-HTTP pages and search engines prefer HTTPS sites, it supports search rankings and customer trust.

After obtaining an SSL certificate from a certificate authority (CA) or an SSL certificate reseller, read on to learn how to install it for an AWS EC2 instance. The installation itself takes around 10 minutes.

What you will need before installing the certificate

  • Your Server Certificate - The certificate your CA issued for your domain, usually delivered by email. Can’t find it? Visit your Account Dashboard and click on your order to download it.
  • Intermediate Certificates - The certificate(s) that link your server certificate to the CA’s root; the file is often named CA Bundle. Devices connecting to your server need this chain to trace your certificate back to a root they already trust.
  • Private Key - The key generated together with your CSR. If you used an online CSR generator, it showed you the key at that time; if you generated the CSR on the server, the key is on that server. On Microsoft IIS the key is not shown as a file at all: it stays in the machine’s certificate store and is paired with the certificate when you complete the certificate request there. Keep the key private; it is the one file in this list that must never be shared or emailed.

Once you have all these certificates and files, you are good to go. You can now follow the instructions for installing an SSL certificate on your AWS EC2 Instance.


Steps to install SSL on Amazon Web Services (AWS) EC2 Instance

1.   Convert your server certificate and the intermediate(s) to PEM format

  • IAM and ACM accept certificates only in PEM format, that is, Base64 text between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. If a file already opens as readable text with those lines, it is PEM and needs no conversion.
  • If your CA sent a binary DER file (often with a .cer or .crt extension), convert it with OpenSSL’s x509 command, reading with the DER input format and writing PEM. If it sent a PKCS#12 container (.pfx or .p12), extract the certificate, the chain and the private key from it with OpenSSL’s pkcs12 command. Do not use online conversion tools for anything that contains your private key.
  • Convert the intermediates the same way if they are DER-encoded; they are frequently delivered as .cer files.

2.   Separate the server certificate from the chain

  • IAM takes the server certificate body and the certificate chain as two separate inputs, and ACM takes body, chain and private key separately, so a single CA Bundle or PKCS#12 file that contains everything has to be split into individual PEM files: the server certificate by itself, and the intermediates in order (the issuer of your certificate first, then any higher intermediates; the root is optional). You can split the file by hand in a text editor, since every certificate is delimited by its own BEGIN and END lines, or with OpenSSL.
  • Do not skip this step: the upload in the next step is rejected if the certificate body contains more than one certificate.

3.   Upload the certificate with the AWS CLI

  • Upload the three files to your AWS account with the AWS CLI. The recommended target is AWS Certificate Manager: aws acm import-certificate takes the certificate, the private key and the chain as separate inputs. Where ACM is not supported in your region, upload to IAM instead with aws iam upload-server-certificate, which takes a certificate name, the certificate body (your server certificate only), the private key and the certificate chain (the intermediates). Either command prints the certificate’s ARN; keep it for the next step.
  • To see all the server certificates stored in IAM, run aws iam list-server-certificates; for ACM, run aws acm list-certificates.

4.   Configure an HTTPS listener

Note: You can configure an HTTPS listener using AWS CLI or AWS console.

Configure HTTPS Listener using AWS CLI:

  • First, get the Amazon Resource Name (ARN) of the SSL certificate; it was printed when you imported or uploaded it. For instance:

ACM

arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

IAM

arn:aws:iam::123456789012:server-certificate/my-server-certificate

  • Next, add a listener to your load balancer that accepts HTTPS requests on port 443 and forwards them to the instances over plain HTTP on port 80. TLS then terminates at the load balancer, so the hop from the load balancer to the instances travels unencrypted inside your VPC; that is acceptable for many deployments but not for all. Replace ARN below with the ARN from the previous step:

aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN

  • If you want the load balancer to instance hop encrypted as well, install a certificate on the web server on each instance and use HTTPS as the instance protocol:

aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=443,SSLCertificateId=ARN

  • This adds a listener that accepts HTTPS requests on port 443 and sends them to the instances on port 443 using HTTPS. On its own this does not make the load balancer check the instance’s certificate; for that (back-end server authentication) you must also create a public key policy containing the instance certificate’s public key and a backend server authentication policy that references it, and attach that policy to the instance port.

  • To view the updated listener configuration, run:

aws elb describe-load-balancers --load-balancer-name my-load-balancer

Configure HTTPS Listener Using the Console:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Load Balancing, choose Load Balancers.
  3. In the main pane, select the load balancer you want to add the certificate to.
  4. On the Listeners tab, choose Edit.
  5. In the Edit listeners dialog, choose Add.
  6. For Load Balancer Protocol, choose HTTPS (Secure HTTP); the load balancer port, instance protocol and instance port update automatically (443 in, HTTP to port 80 on the instances).
  7. Under Cipher, make sure Predefined Security Policy is selected and choose a current policy such as ELBSecurityPolicy-2016-08, or ELBSecurityPolicy-TLS-1-2-2017-01 if all your clients support TLS 1.2, since that policy disables TLS 1.0 and 1.1.
  8. If the load balancer already has the SSL certificate you want, skip this step. Otherwise, under SSL Certificate, choose Change and use one of the following:
    • If you imported the certificate into AWS Certificate Manager, select Choose an existing certificate from AWS Certificate Manager (ACM), pick it under Certificate, and choose Save.
    • If you uploaded the certificate to IAM (step 3 above), select Choose an existing certificate from AWS Identity and Access Management (IAM), pick it under Certificate, and choose Save.
    • If ACM is not supported in your region and the certificate is not yet in IAM, select Upload a new SSL Certificate to AWS Identity and Access Management (IAM), type a certificate name, paste the private key into Private Key, the server certificate into Public Key Certificate and the intermediates into Certificate Chain. Bear in mind that IAM then stores your private key, and that this form is the only place the key should ever be pasted.
  9. Choose Save to add the listener you have just configured.
  10. Your load balancer now serves HTTPS for the EC2 instances behind it. No restart of the instances is needed, because TLS is handled by the load balancer; if you also installed the certificate on a web server running on an instance, restart that web server for its change to take effect.

Troubleshooting Tips:

Missing certificate chain

If the intermediate certificates are not installed, the browser cannot build a path from your certificate to a root it trusts, and it shows a security warning to visitors; some clients, notably older Android versions and command-line tools, fail outright. Only a self-signed certificate needs no chain, and a self-signed certificate is itself flagged by every browser.

From a terminal, check the deployed chain with OpenSSL’s s_client: connect to your hostname on port 443 with the server name set, and read the "Verify return code" line at the end of its output.

Code 0 (ok) means the chain is complete. Code 21 (unable to verify the first certificate) means the certificate chain is missing: your server certificate is served alone and OpenSSL cannot find its issuer. Third-party SSL checker sites report the same result if you prefer a browser-based check.
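As an added example serving both the three command-line steps above (convert, split, upload) and this chain check, here is a POSIX shell script; it is not code from this article, from the certificate vendor or from AWS. It builds a throwaway root, intermediate and leaf certificate locally, so the DER conversion, bundle splitting, key matching and chain verification run offline; only `upload_to_iam` touches AWS and needs the AWS CLI with credentials allowed to call iam:UploadServerCertificate, and `check_live_chain` needs network access to a deployed listener. The certificate name `my-server-certificate`, the file names and the host `www.example.com` are placeholders.

```shell
#!/bin/sh
# Added example for this article (not the article author's or AWS's own code).
# Assumes the openssl CLI is installed and, for upload_to_iam only, the AWS CLI
# with credentials allowed to call iam:UploadServerCertificate. All certificate
# material is constructed locally, so the conversion, splitting and chain checks
# run offline; hostnames, file names and the certificate name are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed demo PKI (root -> intermediate -> leaf for www.example.com) in the
# shapes a CA typically ships: a DER-encoded leaf (.cer) and a concatenated
# "CA Bundle" holding intermediate plus root.
make_demo_material() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -out "$WORK/server.pem" 2>/dev/null
  openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.cer"
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/ca-bundle.pem"
}

# Step 1: binary DER (.cer/.crt) -> PEM. A file that already starts with
# "-----BEGIN CERTIFICATE-----" is PEM and does not need this.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# Step 2: split a concatenated bundle into one file per certificate
# ($2-1.pem, $2-2.pem, ... in file order) and print how many it held.
split_bundle() {
  awk -v p="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
    n { print > f }
    /-----END CERTIFICATE-----/ { close(f) }' "$1"
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Self-signed (subject == issuer) means root; anything else in the bundle is an
# intermediate and belongs in the chain file sent to IAM or ACM.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# The private key must belong to the leaf certificate; IAM rejects the upload
# otherwise. Compare the public key embedded in each.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Step 3: upload to IAM (needs AWS credentials). Body = leaf only; chain =
# intermediates, issuer of the leaf first. Prints the ARN to use for the listener.
upload_to_iam() {
  aws iam upload-server-certificate \
    --server-certificate-name "$1" \
    --certificate-body "file://$2" \
    --private-key "file://$3" \
    --certificate-chain "file://$4" \
    --query 'ServerCertificateMetadata.Arn' --output text
}

# Troubleshooting, offline: verify the leaf against the trusted root with ($3)
# or without the intermediates. Without them openssl reports
# "unable to get local issuer certificate", the local twin of s_client's code 21.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Troubleshooting, live (needs network; not run by the demo): a healthy listener
# prints "Verify return code: 0 (ok)"; 21 means the chain is missing.
check_live_chain() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | grep 'Verify return code'
}

if [ "${1:-}" = "demo" ]; then
  make_demo_material
  der_to_pem "$WORK/server.cer" "$WORK/server-pem.crt"
  split_bundle "$WORK/ca-bundle.pem" "$WORK/chain" >/dev/null
  cp "$WORK/chain-1.pem" "$WORK/intermediates.pem"   # chain-2.pem is the root
  key_matches_cert "$WORK/server-pem.crt" "$WORK/server.key" && echo "key matches leaf"
  verify_chain "$WORK/server-pem.crt" "$WORK/root.pem" || echo "without chain: FAIL (expected)"
  verify_chain "$WORK/server-pem.crt" "$WORK/root.pem" "$WORK/intermediates.pem" && echo "with chain: OK"
  # upload_to_iam my-server-certificate "$WORK/server-pem.crt" "$WORK/server.key" "$WORK/intermediates.pem"
fi
```

Run it as `sh script.sh demo` to see the offline checks; uncomment the `upload_to_iam` line (or call it yourself) only with real certificate files, since IAM stores the private key you hand it. `is_self_signed` is how to tell which piece of a vendor bundle is the root (which you may omit from the chain) and which are intermediates (which you must include).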

Having an SSL certificate has become a requirement rather than an option, especially for e-commerce sites: it protects customer data in transit, and a site that throws certificate warnings loses both reputation and sales.

Hopefully, you will be able to install an SSL certificate for your AWS EC2 instance without difficulty by following this guide. Before you start, go through the list of required files above and make sure you have the server certificate, the intermediates and the private key at hand.

More and more web users are concerned about their online security. To give your visitors an encrypted connection and peace of mind, install an SSL certificate today; it is worth the investment.
