In this tutorial, you will learn how to install an SSL Certificate in AWS (Amazon Web Services). Prior to the installation, you need to generate a Certificate Signing Request (CSR) and send it to the CA for approval. If you haven’t completed this step, refer to the first part of the tutorial. If you already have the SSL Certificate files, you can jump straight into the SSL installation guide. The last section reveals where you can buy the best SSL certificate for your AWS server.
AWS offers more than 90 cloud-based services. This tutorial focuses on the following products:
- Amazon Certificate Manager (ACM)
- Elastic Load Balancing (ELB)
- Identity and Access Manager (IAM)
Table of Contents
- How to generate a CSR code in AWS?
- Prepare all the certificate files
- Install an SSL certificate in AWS ACM (Amazon Certificate Manager)
- Install an SSL Certificate in AWS IAM (Identity Access Manager)
- Install an SSL Certificate in ELB (Elastic Load Balancing)
- Test your SSL installation
- Where to buy an SSL Certificate for AWS?
How to generate a CSR code in AWS?
When applying for an SSL Certificate, one essential step is to submit the CSR code to your SSL provider also called Certificate Authority. The CSR contains encoded information about your domain name and company. You can’t obtain a signed SSL Certificate without providing this block of code.
You have two options:
- Use our CSR Generator to create the CSR automatically.
- Generate the CSR manually. Depending on the Amazon service you’re using, there are several ways to generate the CSR code. The best option is to create the CSR on the same server where your SSL Certificate will be running. Choose the tutorial for your platform:
If you have a Load Balancer, you can create your CSR code via the OpenSSL tool. To generate your CSR and private key run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout yoursite.key -out yoursite.csr
Note: Replace the yoursite attribute with the domain name you want to secure.
After you generate the CSR code, you will receive a block of code. Please copy and save it into a text editor, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags. You will need this code during your SSL certificate activation.
Install an SSL Certificate in AWS
Follow the steps below to install an SSL certificate in AWS.
Prepare all the certificate files
Before starting the installation, make sure you have all the necessary certificate files. After the CA signs your SSL cert, it sends the installation files to your inbox.
Here’s what you need:
- Your primary certificate file issued for the domain name you want to secure
- CA bundle files of your Certificate Authority
- Your private key
Your SSL Certificate and the CA Bundle should be in the archived folder (zip folder) that the CA sent you.
As for the private key, you’ve generated it along with your CSR code. It resides in the same place where you created the CSR.
One last thing to take care of is the format of your SSL files. Since Amazon accepts only the PEM format, you must ensure that your SSL certificate and private key are in PEM. This particular format has a variety of extensions (.pem, .key, .cer, .cert, etc.).
If you’ve received your files in another format, you will have to convert them to PEM. You can do this with the help of OpenSSL commands.
Your files are already in PEM format? Great! Now, you can install your SSL certificate.
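A pre-upload check for the files listed above, as an added example that is not part of the original tutorial: it confirms that the certificate and key are PEM-encoded, that the key is not passphrase-protected, and that the key belongs to the certificate, since a mismatch is a common reason for an upload to fail. The function names and demo file names are hypothetical, and the demo certificate is a self-signed one constructed on the spot with OpenSSL.

```shell
#!/usr/bin/env bash
# Added example: pre-upload checks for the certificate and private key.
# Function names and demo file names are hypothetical, not part of the AWS CLI.

# Print the label of the first PEM block in FILE (empty for DER or other formats).
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----.*/\1/p' "$1" | head -n 1
}

# Print a one-word verdict for CERT and KEY; return 0 only when both pass.
check_upload_files() {
    local cert=$1 key=$2 cert_pub key_pub
    [ "$(pem_type "$cert")" = "CERTIFICATE" ] || { echo "cert-not-pem"; return 1; }
    # PKCS#8 and traditional encrypted keys both carry the word ENCRYPTED.
    if grep -q "ENCRYPTED" "$key"; then echo "key-encrypted"; return 1; fi
    case "$(pem_type "$key")" in
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "key-not-pem"; return 1 ;;
    esac
    # The public key inside the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "key-mismatch"; return 1
    fi
    echo "ok"
}

# Constructed demo input: self-signed cert, its key, an unrelated key,
# a DER copy of the cert and a passphrase-protected copy of the key.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$1/example.key" -out "$1/example.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl x509 -in "$1/example.crt" -outform DER -out "$1/example.der"
    openssl pkey -in "$1/example.key" -aes256 -passout pass:demo -out "$1/locked.key"
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
for pair in "example.crt example.key" "example.crt other.key" \
            "example.der example.key" "example.crt locked.key"; do
    set -- $pair
    echo "$1 + $2: $(check_upload_files "$demo_dir/$1" "$demo_dir/$2")"
done
```

Run check_upload_files against your own certificate and key and proceed to the upload only when the verdict is ok.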
Install an SSL certificate in AWS ACM (Amazon Certificate Manager)
Run the command below in the command prompt to upload your cert to ACM.
aws acm import-certificate --certificate file://example.crt --private-key file://example.key --certificate-chain file://example-bundle.crt
Note: Replace the example attribute with the actual names of your files.
If the upload is successful, you will receive the certificate ARN (Amazon Resource Name). You will need this identifier to manage your SSL certificate. Here’s the complete list of ACM commands to further manage your cert.
Install an SSL Certificate in AWS IAM (Identity Access Manager)
Use the following command to upload the SSL Certificate to IAM:
aws iam upload-server-certificate --server-certificate-name certificate-name --certificate-body file://example.crt --certificate-chain file://example-bundle.crt --private-key file://example.key
Replace the values in bold as shown below:
- Certificate-name: enter a custom name that is easy to remember. It can be your domain name, or any other value associated with your SSL Certificate. The certificate name should contain upper and lower case alphanumeric characters. No spaces are allowed.
- Certificate body file parameter: include the actual name of your primary SSL certificate file
- Certificate chain file parameter: specify the name of your CA bundle file
- Private key file parameter: type the name of your private key file.
If your upload is successful, the command prompt will generate a table with the server certificate metadata including its server path, name, ID, ARN (Amazon Resource Name) identifier, upload, and expiration date.
For further help on your SSL management and troubleshooting, refer to Amazon’s official guide.
Install an SSL Certificate in ELB (Elastic Load Balancing)
This section presumes that you’ve already uploaded an SSL Certificate either in IAM or ACM, and want to create or update HTTPS listeners on the existing classic and application load balancers.
You will need your certificate’s ARN (Amazon Resource Name) and the existing load balancer’s ARN to install the cert in ELB.
Classic Load Balancer
Use the command below to create an HTTPS listener and assign the SSL Certificate to it:
aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN"
The ARN value is the ARN of your SSL certificate.
If you already have an HTTPS listener and want just to update your cert, use the following command instead:
aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id NewARN
The NewARN value is the ARN of the new SSL certificate you want to import.
Here you can find the full range of ELB commands.
Also, here is the official Amazon guide on HTTPS Listeners for Classic Load Balancer.
Application Load Balancer
Run the following command to create an HTTPS listener on the application load balancer:
aws elbv2 create-listener --load-balancer-arn my-load-balancer-arn --protocol HTTPS --port 443 --certificates CertificateArn=my-certificate-arn --ssl-policy ELBSecurityPolicy-2015-05 --default-actions Type=forward,TargetGroupArn=my-target-group-arn
You can get the my-load-balancer-arn and my-target-group-arn values by running the following command:
aws elbv2 describe-target-groups
It will reveal the relevant info about existing load balancers and target groups in your AWS account.
If you want to add a new SSL Certificate to the existing HTTPS listener, use the command below:
aws elbv2 modify-listener --listener-arn my-https-listener-arn --certificates CertificateArn=my-new-certificate-arn
You can find the my-https-listener-arn attribute via the following command:
aws elbv2 describe-listeners --load-balancer-arn my-load-balancer-arn
Click here to further manage your application load balancer.
Test your SSL installation
Browse the HTTPS version of your domain and check if the SSL padlock is present. You can click on it and inspect your certificate’s details. To perform an extensive test, use these highly recommended SSL tools. They will scan your installation and create instant reports.
Where to buy an SSL Certificate for AWS?
When buying an SSL Certificate, you should take into consideration three essential aspects: validation type, price, and customer service. At SSL Dragon, we deliver them all! Our SSL certificates are issued by the best Certificate Authorities in the industry and are compatible with all major web platforms, including AWS. Whether you need a basic Domain Validation product or a premium Extended Validation certificate, you’ve come to the right place.
SSL Dragon’s prices are the lowest on the market, while our highly skilled support team is appreciated by the existing customers. If you don’t know what type of SSL certificate to pick for your site, use our SSL Wizard and Certificate Filter tools. They will help you find the perfect SSL product.
If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.