How do I install an SSL certificate for my website on my EC2 Linux Ubuntu instance?

3 minute read
2

I want to install a self-signed SSL certificate on my Amazon Elastic Compute Cloud (Amazon EC2) Ubuntu instance that hosts an Apache server.

Resolution

Open ports 80 and 443

Make sure that the instance's security groups allow traffic on ports 80 and 443.

Install Apache and OpenSSL web server

Run the following command to install Apache and OpenSSL on your server:

$ sudo apt-get install apache2 openssl -y

For information on configuring SSL/TLS on Amazon Linux, see Configure SSL/TLS.

Generate a self-signed certificate

  1. Public and private keys are used by SSL. Run the following command to create a private key for your domain and a certificate signing request (CSR):

    $ sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/private/request.csr
  2. Run the following command to generate an SSL certificate:

    $ sudo openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey /etc/ssl/private/private.key -days 365

The key (private.key) and certificate (certificate.crt) files are now ready for use with the Apache web server.

Configure Apache to use SSL

Configure Apache to use the certificate that you created earlier in Generate a self-signed certificate.

  1. Run the following command to open the default Apache SSL configuration file:

    $ sudo vi /etc/apache2/sites-available/default-ssl.conf
  2. Use the following paths to define the location of your SSL certificate:
    SSLCertificateFile: /etc/ssl/private/certificate.crt**
    SSLCertificateKeyFile:** /etc/ssl/private/private.key

  3. Save and close the file, and then run the following command to activate the virtual host file:

    $ sudo a2ensite default-ssl.conf
  4. Run the following command to open the default virtual host configuration file for Apache:

    $ sudo vi /etc/apache2/sites-available/000-default.conf
  5. Run the following command to add a redirect to your domain name. The redirect forwards all traffic to the site's SSL version:
    Note: "Server-IP" is the IP address of your server.

    Redirect "/" https://Server-IP
  6. Run the following commands to turn on the SSL and header modules:

    $ sudo a2enmod ssl
    $ sudo a2enmod headers
  7. Run the following command to reload the Apache service and apply the modifications:

    $ sudo systemctl reload apache2

Verify your SSL server

To verify your SSL server, follow these steps:

  1. Launch your web browser, and then navigate to https://Server-IP. The web browser redirects you to a warning page. This is expected because your certificate isn't signed by a trusted certificate authority.
  2. Select Proceed to Host. The Apache home page opens. A lock with the words "not secure" appears in the browser address bar. This indicates that the certificate isn't validated, but is encrypting your connection.

For information on configuring SSL/TLS on Red Hat or Community Enterprise Linux, see Setting up a webserver to use HTTPS on the Red Hat website.

AWS OFFICIAL
AWS OFFICIALUpdated 19 days ago
4 Comments

WARNING! Read Step 5 before starting this. Following these instructions will NOT help you get https connections to your EC2 instance that users will be happy with. Use the Amazon Certificate Manager instead, and when you do, and go through the steps to setup a load balancer, you will also need to know to check the "Alias" box in Route 53 for setting up the correct "A" record to point to the load balancer, rather than to the public IP of your EC2 Instance.

Ward
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 4 months ago

Is there a way to allow users to visit a website hosted on an EC2 instance through an https:// connection and "in a way they will be happy with" (ie: without browser warnings) and without registering for a domain name (for example, simply using the provided public DNS that comes with the EC2 instance) ?

profile picture
replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 3 months ago