How can I use the same SSL certificate for my Amazon EC2 instance and load balancer?

Last updated: 2020-04-15

I want to enable an SSL connection between my Amazon Elastic Compute Cloud (Amazon EC2) instance and load balancer.

Short Description

Amazon-issued certificates can’t be installed on an EC2 instance. To enable end-to-end encryption, you must use a third-party SSL certificate.

Resolution

Install the third-party certificate on an EC2 instance. Then, associate the third-party certificate with a load balancer by importing it into AWS Certificate Manager (ACM).

Apache web server

1.    Follow the instructions for Connecting to Your Linux Instance Using SSH.

2.    Install the Apache server mod_ssl module:

$ sudo yum install mod_ssl -y

3.    In the /etc directory, create a directory named certs. Then, copy the third-party certificate files into that directory. The third-party certificate file paths are as follows:

SSL Certificate - /etc/certs/your_domain.crt
Private Key file - /etc/certs/private-key.key
Certificate chain - /etc/certs/chain.crt

Note: This example uses the /etc directory. Use the directory of your choice.

4.    Restrict the third-party certificate files so that only their owner can read them, and assign root ownership:

$ sudo chmod 600 /etc/certs/your_domain.crt

$ sudo chmod 600 /etc/certs/private-key.key

$ sudo chmod 600 /etc/certs/chain.crt

$ sudo chown root.root /etc/certs/your_domain.crt

$ sudo chown root.root /etc/certs/private-key.key

$ sudo chown root.root /etc/certs/chain.crt

5.    Using a text editor, edit the /etc/httpd/conf.d/ssl.conf file so that it points to the third-party certificate files. The third-party certificate file paths are as follows:

SSL Certificate - /etc/certs/your_domain.crt
Private Key file - /etc/certs/private-key.key
Certificate chain - /etc/certs/chain.crt

6.    Save the .conf file, and then restart the httpd service with this command:

$ sudo service httpd restart

The third-party certificate is installed successfully on the Apache web server running on an Amazon EC2 instance.
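A post-install check for the Apache steps above, added here as an example and not part of the AWS article: it verifies the file permissions and ownership from step 4, that the private key belongs to the certificate, that the chain file validates the certificate, and that ssl.conf references all three files through the mod_ssl directives SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. The function name tls_check is a hypothetical helper; it assumes openssl and GNU stat are available, as on Amazon Linux.

```shell
#!/bin/bash
# Post-install check for the Apache setup above (hypothetical helper, not
# from the AWS article). Requires openssl and GNU stat (Amazon Linux has both).
#
# tls_check CERT KEY CHAIN SSLCONF
# Prints one "FAIL: ..." line per problem and returns the number of problems,
# so an exit status of 0 means the files match what steps 3 to 5 describe.
tls_check() {
    local cert="$1" key="$2" chain="$3" conf="$4" fails=0 f cert_pub key_pub

    # Step 4: every file is mode 600 and owned by root.
    for f in "$cert" "$key" "$chain"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: missing file $f"; fails=$((fails + 1)); continue
        fi
        [ "$(stat -c '%a' "$f")" = "600" ] \
            || { echo "FAIL: $f is not mode 600"; fails=$((fails + 1)); }
        [ "$(stat -c '%U' "$f")" = "root" ] \
            || { echo "FAIL: $f is not owned by root"; fails=$((fails + 1)); }
    done
    [ -f "$cert" ] && [ -f "$key" ] || return "$fails"

    # The private key must belong to the certificate: compare the public
    # key embedded in the certificate with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; fails=$((fails + 1)); }

    # The chain file must actually lead to the certificate; Apache starts
    # either way, but clients see an incomplete chain if it does not.
    # -partial_chain lets a chain file that holds only intermediates pass.
    [ -f "$chain" ] && openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not verify against chain"; fails=$((fails + 1)); }

    # Step 5: ssl.conf must reference all three files via the mod_ssl
    # directives SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile.
    for f in "$cert" "$key" "$chain"; do
        grep -Eq "^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]+$f" "$conf" 2>/dev/null \
            || { echo "FAIL: $conf does not reference $f"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Run directly with the article's paths: ./tls_check.sh CERT KEY CHAIN SSLCONF
if [ "$#" -eq 4 ]; then
    tls_check "$@"
fi
```

Run it as root after step 6; a non-root run reports every file as not owned by root even when the install is correct.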

IIS web server (Windows Server 2012-R2)

1.    Follow the instructions to connect to your Windows instance using Remote Desktop Protocol (RDP).

2.    Choose Start, enter mmc, and choose OK.

3.    Choose File, Add/Remove Snap-in, Certificates, Add, Computer account, Next, Local computer, Finish, and then choose OK.

4.    In the MMC console, expand Certificates, choose Trusted Root Certification Authorities, Certificates, Action, All Tasks, Import, Next, and then choose Browse.

5.    Choose the Root certificate, Open, Next, and then choose Finish.

6.    In the MMC console, expand Intermediate Certification Authorities, and then repeat steps 4-5 for the intermediate certificate.

7.    Close the MMC console window, and then choose No to discard the console settings.

8.    Open Server Manager, choose Tools, and then choose Internet Information Services (IIS) Manager.

9.    In Connections, choose the Windows server name that you want to install the certificates on.

10.    Open Server Certificates.

11.    In Actions, choose Import, choose the certificate file, and then choose Open.

12.    In Password, enter the certificate password, and then choose OK.

13.    In Connections, expand Sites, and then choose the website name that you want to install the certificates on.

14.    In Actions, choose Bindings, and then choose Add.

15.    In the Type drop-down menu, choose https.

16.    For IP address, enter the website IP address, or leave as All Unassigned.

17.    In SSL certificate, choose Select, choose the certificate, and then choose OK.

18.    In Manage Website, choose Restart.

After you restart the IIS web server, the third-party certificate is installed successfully on an Amazon EC2 instance.

After you install the certificate on the Amazon EC2 instance, follow the instructions for Importing Certificates into AWS Certificate Manager. Then, follow the instructions to associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer.