Whether you are looking for database storage, compute power, content delivery, or other functionality, Amazon Web Services (AWS) offers cloud-computing services that help you build advanced applications with greater scalability, reliability and flexibility.
If you have more than one server or device, you must install the SSL/TLS certificate on each server or device you need to secure. If you haven’t generated your certificate and completed the validation process yet, follow our guide.
This guide will carry you through the following:
- CSR Generation on Amazon EC2
- SSL Installation on EC2
- CSR Generation on Linux Based Amazon Instances
- Certificate Installation on Linux Based Amazon Instances
1. CSR Generation on Amazon EC2
- Tool used: OpenSSL
- Command: openssl req -out mydomain.csr -new -newkey rsa:2048 -nodes -keyout mydomain.key
- The -nodes option writes the private key unencrypted, so keep mydomain.key readable only by the account that will install the certificate.
- The above command prompts you to enter the following details:
- Common Name: The FQDN (fully-qualified domain name) you want to secure with the certificate. Use *.domainname (asterisk dot domain name) for wildcard certificates.
- Organization: The full legal name of your organization.
- Organization Unit (OU): Your department, such as ‘Information Technology’.
- City or Locality: The locality or city where your organization is legally incorporated. Do not use abbreviations.
- State or Province: The state or province where your organization is legally incorporated. Do not use abbreviations.
- Country: The official two-letter country code (e.g. US, CH) where your organization is legally incorporated.
- After you fill in the details, OpenSSL creates two files in the directory where you ran the command: the CSR (mydomain.csr) and the private key (mydomain.key).
- Copy the CSR file and submit it to your Certificate Authority (CA). The private key stays on the server; the CA never needs it.
- Proceed with the SSL installation steps once the CA issues your SSL certificate.
2. SSL Installation on EC2
Make sure you have the following before proceeding with the installation:
- Server certificate: the SSL certificate issued by the CA, usually delivered to your registered email address.
- Intermediate certificates: these were most likely sent along with your server certificate, typically in a zip folder. If not, you can download the CA bundle for your certificate from the CA.
- Private key: the key generated together with the CSR. It should be in your possession or on the server where you generated the certificate signing request.
Once you have these files, they must be PEM encoded before they can be uploaded to your AWS account.
How to Convert Your AWS SSL Certificate to PEM-Encoded Format for EC2?
Certificates received from the CA with a “.crt” extension can be converted to PEM format if they arrive in another encoding such as DER. This can be done with an online conversion tool or with the OpenSSL library; only public certificates belong in an online tool, and a private key or a PFX file should only ever be converted locally with OpenSSL.
Example PEM-encoded certificate:
-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
Note: The OpenSSL library can also convert certificate files from other formats such as PKCS#7 and PFX (PKCS#12).
⮚ To convert a DER-encoded server certificate to PEM format, run:
openssl x509 -inform DER -in my-certificate.crt -out my_certificate.pem -outform PEM
⮚ To convert the certificate chain to PEM format, run:
openssl x509 -in my-certificate-chain.crt -out my_certificate-chain.pem -outform PEM
Note that openssl x509 reads only the first certificate in its input. If the chain file contains several certificates, convert each one separately and concatenate the PEM outputs into one file, starting with the intermediate that signed your server certificate.
Upload the Certificate to AWS Using the CLI:
For those of you comfortable with the command line interface (CLI), run the command below, substituting your own certificate file names.
Run the following command, using credentials for your AWS account, to upload the SSL certificate for use with your AWS EC2 instance:
aws iam upload-server-certificate --server-certificate-name myServerCertificate --certificate-body file://public_key_cert_file.pem --private-key file://my_private_key.pem --certificate-chain file://my_certificate_chain_file.pem
Alternatively, you can follow the 5 simple instructions in the next section to upload your certificates if you want to avoid using the command line interface.
5 Simple Steps to Install SSL Certificate on AWS EC2 Instance
Follow the steps below to upload the certificate to your AWS account:
- Open the AWS Management Console and log in.
- Click on Services > Compute > EC2 > Load Balancers and select your load balancer from the navigation pane.
- On the Listeners tab, click Edit, then Add, and choose HTTPS as the protocol.
- Under the SSL certificate option, click Change and, from the Certificate type list, choose Upload a new SSL certificate to AWS Identity and Access Management (IAM).
- Enter the certificate name, paste the contents of the respective certificate files (ensure that they are PEM encoded), and click Save.
Run the following command from a terminal to confirm that the certificate has been installed correctly:
openssl s_client -showcerts -connect enter_domain.com:port_number
The output should list the server certificate followed by the intermediate certificates and end with “Verify return code: 0 (ok)”; a non-zero return code or a missing intermediate means the chain was not uploaded correctly.
Note: For Organization Validation (OV) or Extended Validation (EV) types of SSLs, make sure to use the correct legal company name. If it’s a reissued CSR, ensure the company details are the same as the ones used previously.
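Before uploading, it is worth checking locally that the three PEM files belong together. The following POSIX shell script is an added example, not part of this guide or of any Acmetek tooling: it checks that each file is PEM, that the private key matches the certificate, and that the certificate verifies against the chain. To run offline it builds a constructed throwaway root CA and a leaf certificate from a CSR using the fields listed in section 1; all file names are assumptions.

```shell
# Added example (not Acmetek's tooling): checks the three PEM files expected by
# "aws iam upload-server-certificate" before upload. File names are assumptions;
# the CA and leaf certificate are constructed locally so this runs offline.
set -eu

# is_pem FILE: succeeds when FILE starts with a PEM header, which IAM requires
is_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# key_matches_cert KEY CERT: the public key derived from KEY must equal the one in CERT
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_is_valid CHAIN CERT: succeeds when CERT builds a path to a root in CHAIN
chain_is_valid() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# precheck CERT CHAIN KEY: prints "ok", or the first failing check and returns 1
precheck() {
    for f in "$1" "$2" "$3"; do
        is_pem "$f" || { echo "not PEM: $f"; return 1; }
    done
    key_matches_cert "$3" "$1" || { echo "key does not match certificate"; return 1; }
    chain_is_valid "$2" "$1" || { echo "certificate does not verify against chain"; return 1; }
    echo ok
}

# make_fixture: constructed throwaway root CA and a leaf it signs (same CSR fields the
# guide prompts for) so the checks can run offline; prints the temporary directory
make_fixture() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Constructed Test Root" -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -days 2 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/my.key" -out "$d/my.csr" \
        -subj "/C=US/ST=California/L=San Jose/O=Example Org/OU=IT/CN=www.example.com" \
        >/dev/null 2>&1
    openssl x509 -req -in "$d/my.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/my.pem" -days 2 >/dev/null 2>&1
    echo "$d"
}

FIX=$(make_fixture)
precheck "$FIX/my.pem" "$FIX/ca.pem" "$FIX/my.key"   # prints: ok
```

With real files, call precheck with your server certificate, the concatenated intermediate chain and the private key from the CSR step; a mismatch here is the same condition that makes the IAM upload fail or leaves clients with an incomplete chain.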
3. CSR Generation on Linux Based Amazon Instances:
Tool used: OpenSSL
Command: sudo openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out csr.txt
Run cat csr.txt to display the generated CSR and submit its contents to the CA; private.key stays on the instance.
4. Certificate Installation on Linux Based Amazon Instances:
- Get the certificates (server, intermediate and root) from the CA.
- Place the new CA-signed certificate and any intermediate certificates in the /etc/pki/tls/certs directory.
- Edit /etc/httpd/conf.d/ssl.conf to reflect your new certificate and key files.
- Provide the path and file name of the CA-signed host certificate in Apache’s SSLCertificateFile directive:
SSLCertificateFile /etc/pki/tls/certs/custom.crt
- If you received an intermediate certificate file (intermediate.crt in this example), provide its path and file name in Apache’s SSLCACertificateFile directive:
SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
- Provide the path and file name of the private key in Apache’s SSLCertificateKeyFile directive (the key file should be owned by root and readable only by root):
SSLCertificateKeyFile /etc/pki/tls/private/custom.key
- Save /etc/httpd/conf.d/ssl.conf and restart Apache:
sudo service httpd restart
We hope this guide helped you with this easy process. If you are unable to use these instructions, Acmetek recommends that you contact either the vendor of your software or the hosting organization that supports it.