In this tutorial, you will learn how to install an SSL Certificate in AWS (Amazon Web Services). Prior to the installation, you need to generate a Certificate Signing Request (CSR) and send it to the CA for approval. If you haven’t completed this step, refer to the first part of the tutorial. If you already have the SSL Certificate files, you can jump straight into the SSL installation guide.
The third part of the article covers a brief history of AWS and its rise to success. Finally, the last section reveals where you can buy the best SSL certificate for your AWS server.
How to generate a CSR code in AWS?
When applying for an SSL Certificate, one essential step is to submit the CSR code to your SSL provider also called Certificate Authority. The CSR contains encoded information about your domain name and company. You can’t obtain a signed SSL Certificate without providing this block of code.
Here’s a typical example of how to fill in the CSR fields:
- Common Name: Here you need to specify the fully qualified domain name (FQDN) that you want to secure. For example, yoursite.com.
Note: If you intend to install a Wildcard SSL Certificate, add an asterisk in front of your domain name (e.g., *.yoursite.com).
- Organization: Provide the official name of your company. For example, GPI Holding LLC. If you have a Domain Validation (DV) SSL Certificate, put NA in this field. DV certificates authenticate the domain name only
- Organizational Unit: Include the unit in charge of your web security. This could be the IT or Web Administration department. For a DV certificate, enter NA instead
- Country: Enter the two-letter code of the country where your business is officially registered (e.g., US). Click here for more country codes
- City or Locality: Specify the city where your company is located
- State or Province: Enter the state where your company is registered
- Email: Provide a valid email address.
Depending on the Amazon service you’re using, there are several ways to generate the CSR code. The best option is to create the CSR on the same server where your SSL Certificate will be running.
- For a Windows instance with IIS web server, refer to this guide
- For an Apache server follow these instructions
- Here you can find the tutorial for a Nginx platform
- If you use macOS servers, use this guide
- If you have a Load Balancer, you can create your CSR code via the OpenSSL tool. To generate your CSR and private key run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout yoursite.key -out yoursite.csr
Note: Replace the yoursite attribute with the domain name you want to secure.
After you generate the CSR code, you will receive a block of code. Please copy and save it into a text editor, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags. You will need this code during your SSL certificate activation.
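The OpenSSL command above prompts for each CSR field interactively. The script below is an added example, not part of the original tutorial: it passes the same fields through -subj, keeps the private key readable only by its owner, and verifies the CSR before you submit it. The function names and all subject values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: non-interactive CSR generation with the fields listed above.
# Every value below is a constructed placeholder; replace with your own.
COUNTRY="US"; STATE="California"; CITY="San Francisco"
ORG="Example Company LLC"; UNIT="IT"; EMAIL="admin@yoursite.com"

# make_csr DOMAIN OUTDIR
# Writes the private key and CSR into OUTDIR and prints the CSR path.
make_csr() {
    domain=$1; outdir=$2
    # A wildcard common name starts with "*.", which is awkward in file names.
    base=$(printf '%s' "$domain" | sed 's/^\*\./wildcard./')
    subj="/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORG/OU=$UNIT/CN=$domain/emailAddress=$EMAIL"
    (
        umask 077   # keep the private key unreadable for other users
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$outdir/$base.key" -out "$outdir/$base.csr" \
            -subj "$subj" >/dev/null 2>&1
    ) || return 1
    printf '%s\n' "$outdir/$base.csr"
}

# csr_ok FILE: succeeds when the CSR parses and its self-signature verifies.
csr_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_subject FILE: prints the subject for review before sending it to the CA.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Run as: sh make_csr.sh yoursite.com /path/to/outdir
if [ "$#" -eq 2 ]; then
    csr=$(make_csr "$1" "$2") && csr_ok "$csr" && csr_subject "$csr"
fi
```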
If, for some reason, you aren’t able to generate the CSR via the above options, you can use our CSR Generator tool. We’ll also back up your private key and send it to your inbox.
Install an SSL Certificate in AWS
AWS offers more than 90 cloud-based services. This tutorial focuses on the following products:
- Amazon Certificate Manager (ACM)
- Elastic Load Balancing (ELB)
- Identity and Access Manager (IAM)
Before starting the installation, make sure you have all the necessary certificate files. After the CA signs your SSL cert, it sends the installation files to your inbox. Here’s what you need:
- Your primary certificate file issued for the domain name you want to secure
- CA bundle files of your Certificate Authority
- Your private key
Your SSL Certificate and the CA Bundle should be in the archived folder (zip folder) that the CA sent you.
As for the private key, you’ve generated it along with your CSR code. It resides in the same place where you created the CSR.
One last thing to take care of is the format of your SSL files. Since Amazon accepts only the PEM format, you must ensure that your SSL certificate and private key are in PEM. This particular format has a variety of extensions (.pem, .key, .cer, .cert, etc.).
If you’ve received your files in another format, you will have to convert them to PEM. You can do this with the help of OpenSSL commands.
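A pre-upload check for the PEM requirement described above, as an added example that is not part of the original tutorial: it detects whether a file is PEM, converts a DER-encoded certificate to PEM, and confirms that the private key belongs to the certificate. The function names are assumptions made for illustration; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: checks to run on the certificate files before uploading them.

# is_pem FILE: succeeds when FILE carries a PEM "-----BEGIN ...-----" header.
is_pem() {
    grep -q -- '^-----BEGIN [A-Z0-9 ]*-----' "$1"
}

# cert_to_pem IN OUT: rewrites a PEM certificate, or converts a DER one.
cert_to_pem() {
    if is_pem "$1"; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# key_matches_cert KEY CERT: succeeds when the public key derived from the
# private key is identical to the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as: sh precheck.sh example.key example.crt
if [ "$#" -eq 2 ]; then
    if is_pem "$1" && is_pem "$2" && key_matches_cert "$1" "$2"; then
        echo "OK: both files are PEM and the key matches the certificate"
    else
        echo "FAIL: wrong format, or the key does not match the certificate" >&2
    fi
fi
```

A mismatched key is the usual result of generating a second CSR after the first one was submitted; the certificate only pairs with the key created alongside the CSR the CA signed.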
Your files are already in PEM format? Great! Now, you can install your SSL certificate.
Install an SSL certificate in AWS ACM (Amazon Certificate Manager)
Run the command below in the command prompt to upload your cert to ACM.
aws acm import-certificate --certificate fileb://example.crt --private-key fileb://example.key --certificate-chain fileb://example-bundle.crt
Note: Replace the example attribute with the actual names of your files. The fileb:// prefix loads each file as raw bytes, which AWS CLI version 2 requires for these binary parameters.
If the upload is successful, you will receive the certificate ARN (Amazon Resource Name). You will need this identifier to manage your SSL certificate. Here’s the complete list of ACM commands to further manage your cert.
Install an SSL Certificate in AWS IAM (Identity Access Manager)
Use the following command to upload the SSL Certificate to IAM:
aws iam upload-server-certificate --server-certificate-name certificate-name --certificate-body file://example.crt --certificate-chain file://example-bundle.crt --private-key file://example.key
Replace the values in bold as shown below:
- Certificate-name: enter a custom name that is easy to remember. It can be your domain name, or any other value associated with your SSL Certificate. The certificate name should contain upper and lower case alphanumeric characters. No spaces are allowed
- Certificate body file parameter: include the actual name of your primary SSL certificate file
- Certificate chain file parameter: specify the name of your CA bundle file
- Private key file parameter: type the name of your private key file.
If your upload is successful, the command prompt will generate a table with the server certificate metadata including its server path, name, ID, ARN (Amazon Resource Name) identifier, upload, and expiration date.
For further help on your SSL management and troubleshooting, refer to Amazon’s official guide.
Install an SSL Certificate in ELB (Elastic Load Balancing)
This section presumes that you’ve already uploaded an SSL Certificate either in IAM or ACM, and want to create or update HTTPS listeners on the existing classic and application load balancers.
You will need your certificate’s ARN (Amazon Resource Name) and the existing load balancer’s ARN to install the cert in ELB.
Classic Load Balancer
Use the command below to create an HTTPS listener and assign the SSL Certificate to it:
aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN"
The ARN value is the ARN of your SSL certificate.
If you already have an HTTPS listener and want just to update your cert, use the following command instead:
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id NewARN
The NewARN value is the ARN of the new SSL certificate you want to import.
You can find the full range of ELB commands here.
The official Amazon guide on HTTPS Listeners for Classic Load Balancer is available here.
Application Load Balancer
Run the following command to create an HTTPS listener on the application load balancer:
aws elbv2 create-listener --load-balancer-arn my-load-balancer-arn --protocol HTTPS --port 443 --certificates CertificateArn=my-certificate-arn --ssl-policy ELBSecurityPolicy-2015-05 --default-actions Type=forward,TargetGroupArn=my-target-group-arn
You can get the my-load-balancer-arn and my-target-group-arn attributes by running another command:
aws elbv2 describe-target-groups
It will reveal the relevant info about existing load balancers and target groups in your AWS framework.
If you want to add a new SSL Certificate to the existing HTTPS listener, use the command below:
aws elbv2 modify-listener --listener-arn my-https-listener-arn --certificates CertificateArn=my-new-certificate-arn
You can find the my-https-listener-arn attribute via the following command:
aws elbv2 describe-listeners --load-balancer-arn my-load-balancer-arn
To further manage your application load balancer, click here.
Test your SSL installation
Browse the HTTPS version of your domain and check if the SSL padlock is present. You can click on it and inspect your certificate’s details. To perform an extensive test, use these highly recommended SSL tools. They will scan your installation and create instant reports.
Amazon Web Services (AWS) is a subsidiary of Amazon that offers on-demand cloud computing platforms on a paid subscription basis. First launched in 2002, the platform provided only a few disparate tools and services. In 2006, it officially re-launched with a wider suite of offerings including Amazon S3 cloud storage, SQS, and EC2.
Today, AWS comprises more than 90 services. Individuals, companies, and governments use AWS for networking, storage, computing, analytics, deployment, Internet of Things, etc.
With over a million active customers every month in 190 countries, AWS is the market leader in cloud computing, surpassing Microsoft, Google and IBM.
Where to buy an SSL Certificate for AWS?
When buying an SSL Certificate, you should take into consideration three essential aspects: validation type, price, and customer service. At SSL Dragon, we deliver them all! Our SSL certificates are issued by the best Certificate Authorities in the industry and are compatible with all the major web platforms, including AWS. Whether you need a basic Domain Validation product or a premium Extended Validation certificate, you’ve come to the right place. Here’s our full list of SSL certificate types:
- Domain Validation
- Business Validation
- Extended Validation
- Code Signing
- IP Address
SSL Dragon’s prices are the lowest on the market, while our highly skilled support team is appreciated by the existing customers. If you don’t know what type of SSL certificate to pick for your site, use our SSL Wizard and Certificate Filter tools. They will help you find the perfect SSL product.