Amazon Web Services (AWS) is one of the leading cloud service providers worldwide. It comes with pre-built security features like Identity and Access Management (IAM) and support for encryption. However, despite all these security measures, its data protection has not been ironclad.
The 2.3 TBps DDoS attack on the AWS server in 2020 indicates the need to secure your data on the cloud using security measures. One such security measure is to use an SSL certificate. It helps in securing the communication between the server and the browser.
This is a comprehensive guide to installing an SSL certificate on AWS. So, without wasting much time, let us start by understanding the prerequisites to the installation process.
What Is the Checklist Required Before Installing an SSL Certificate on AWS?
If you want to install an SSL certificate on AWS, there is a specific set of requirements. For example, Amazon recommends the usage of SSL certificates issued by AWS Certificate Manager (ACM).
However, suppose you do not have a certificate issued by ACM. In that case, you can choose one issued by a certificate authority (CA) on the Mozilla Included CA Certificate List because CloudFront supports such certificates.
To get an SSL certificate from leading CAs, such as a Comodo SSL certificate or a DigiCert SSL certificate, you must submit a Certificate Signing Request (CSR) with all your organization’s details. The CA will verify the details and issue an SSL certificate bundle.
Here are the CSR generation instructions for your SSL certificate issuance process.
How to generate a CSR code on AWS?
CSR generation for AWS is simple, as you have two main options:
- Use a CSR generator tool like OpenSSL CSR tool and others
- Generate CSR on the same server where you want to install the SSL certificate.
You can use different methods for CSR generation, depending on the server. For example, CSR generation instructions for Windows servers will differ from Apache or Nginx servers.
However, if you are using a load balancer, you can generate the CSR using OpenSSL.
CSR generation instructions for the OpenSSL tool are as follows:
- Use the following command for CSR and private key generation
openssl req -new -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr
- Replace mysite with your domain name
- Once you generate the CSR, check whether the file begins and ends with the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags.
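The steps above can be scripted so the CSR is checked before it is sent to the CA. This is an added example, not part of the original guide: the function names make_csr and check_csr and the domain example.com are placeholders, and beyond the tag check it also confirms that the CSR's signature verifies and that the CSR was built from the private key you intend to keep.

```shell
#!/usr/bin/env bash
# Added example: make_csr, check_csr and example.com are placeholders.

# Generate a 2048-bit RSA key and a CSR for domain $1 in directory $2.
make_csr() {
  local domain=$1 dir=$2
  (
    umask 077   # the private key must not be readable by other users
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
      -subj "/CN=$domain" 2>/dev/null
  )
}

# Return 0 only if the CSR is well-formed, self-consistent and built from key $2.
check_csr() {
  local csr=$1 key=$2 csr_pub key_pub
  # 1. PEM tags expected on the first and last line of the file.
  [ "$(head -n 1 "$csr")" = "-----BEGIN CERTIFICATE REQUEST-----" ] || return 1
  [ "$(tail -n 1 "$csr")" = "-----END CERTIFICATE REQUEST-----" ] || return 1
  # 2. The CSR's self-signature verifies (file was not truncated or edited).
  openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
  # 3. The public key in the CSR is the one derived from the private key.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$csr_pub" = "$key_pub" ]
}

# Demonstration in a throwaway directory with a constructed domain name.
demo_dir=$(mktemp -d)
make_csr example.com "$demo_dir" &&
  check_csr "$demo_dir/example.com.csr" "$demo_dir/example.com.key" &&
  echo "CSR and key are consistent"
rm -rf "$demo_dir"
```

The -subj option fills in only the common name so the command runs without prompts; a CSR for a real order carries the organization details the CA asks for.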
You can download the CA bundle and save the files locally on your machine. These files must include:
- The certificate file in .pem format
- All the intermediate certificates in the certificate chain
- The private key generated with the CSR, which needs to be in PEM format
What Are the Steps to Install an SSL Certificate on Amazon Web Services?
Once you have the certificate files, the installation process begins. However, it is essential to note that installing an SSL certificate on AWS differs based on the service you are using.
Upload Certificate Files on IAM
You can upload the CA bundle, including the certificate chain and the private key, to AWS Identity and Access Management (IAM). Here is the command that you can use to upload the certificate to IAM.
aws iam upload-server-certificate --server-certificate-name myServerCertificate --certificate-body file://public_key_cert_file.pem --private-key file://my_private_key.pem --certificate-chain file://my_certificate_chain_file.pem
The SSL certificate is in PEM format. Once the file upload is complete, it will be available as “myServerCertificate.” In addition, the certificate chain is available in the “my_certificate_chain_file.pem” file. Once uploaded, you can configure SSL for activation, and it starts running.
Update Certificate for HTTPS Load Balancer
You can update the default certificate for your listener as follows:
- Open the Amazon EC2 console.
- Go to the navigation pane and choose “Load Balancers.”
- Select the listener
- Select the text in “Protocol:Port” from the listener’s tab
- Now on the certificate tab, choose “Change default.”
- Select an ACM or IAM certificate
- Save as default
Steps to Install SSL Certificate on AWS
The process of installation begins by setting up TLS on Amazon Linux. First, connect to your instance and confirm that Apache is running by using the following command:
[ec2-user ~]$ sudo systemctl is-enabled httpd
If the returned value is not “enabled,” start the Apache server and configure it to start at boot.
[ec2-user ~]$ sudo systemctl start httpd && sudo systemctl enable httpd
Add TLS support by installing the Apache module using the following command:
[ec2-user ~]$ sudo yum install -y mod_ssl
Once you execute the command, your instance will have files such as:
- /etc/httpd/conf.d/ssl.conf is a configuration file with directives that tell Apache where to find encryption keys and certificates.
- /etc/pki/tls/certs/mydomain-cert is a script that generates an X.509 certificate and a private key for your host. This certificate helps in testing Apache internally.
Next, run the following command to ensure SSL/TLS is appropriately configured.
Restart the server, and your Apache server will support HTTPS over port 443. Test it by typing the URL in the address bar with https://.
Cybersecurity is essential when storing your data on cloud infrastructure like AWS. Installing an SSL certificate on AWS can help secure data by keeping it anonymous from hackers. We have discussed different methods of installing the SSL certificate based on your AWS service. Therefore, which method you use will vary based on your project requirements.