How do I install an SSL certificate for my website on my EC2 Linux Ubuntu instance?

I want to install a self-signed SSL certificate on my Amazon Elastic Compute Cloud (Amazon EC2) Ubuntu instance that hosts an Apache server.

Short description

To install a self-signed certificate on an Ubuntu instance hosting an Apache server, complete the following steps:

  1. Open ports 80 and 443.
  2. Install the Apache web server and OpenSSL.
  3. Generate a self-signed certificate.
  4. Configure Apache to use SSL.
  5. Verify your SSL server.

For information on configuring SSL/TLS on Red Hat or Community Enterprise Linux, such as AlmaLinux and Rocky Linux, see Setting up a webserver to use HTTPS on the redhat.com website.

For information on configuring SSL/TLS on Amazon Linux, see Configure SSL/TLS.

Resolution

Step 1: Open ports 80 and 443

Make sure that the instance's security groups allow traffic on ports 80 and 443.

Step 2: Install the Apache web server and OpenSSL

Run the following command to install Apache and OpenSSL on your server:

$ sudo apt-get install apache2 openssl -y

Step 3: Generate a self-signed certificate

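1.    SSL/TLS uses a public and private key pair. Run the following command to create a private key for your domain and a certificate signing request (CSR). The -nodes option writes the private key to disk unencrypted, so keep the key file readable only by root: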

$ sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/private/request.csr

2.    Run the following command to generate an SSL certificate:

$ sudo openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey /etc/ssl/private/private.key -days 365

The key (private.key) and certificate (certificate.crt) files are now ready for use with the Apache web server.

Step 4: Configure Apache to use SSL

Configure Apache to use the certificate that you created in Step 3: Generate a self-signed certificate.

1.    Run the following command to open the default Apache SSL configuration file:

$ sudo vi /etc/apache2/sites-available/default-ssl.conf

2.    Use the following paths to define the location of your SSL certificate:

  • SSLCertificateFile /etc/ssl/private/certificate.crt
  • SSLCertificateKeyFile /etc/ssl/private/private.key

3.    Save and close the file, and then run the following command to activate the virtual host file:

$ sudo a2ensite default-ssl.conf

4.    Run the following command to open the default virtual host configuration file for Apache:

$ sudo vi /etc/apache2/sites-available/000-default.conf

5.    Add the following directive to the file to redirect your domain name. The redirect forwards all traffic to the site's SSL version, and the trailing slash on the target keeps the requested path intact:

Redirect "/" "https://Server-IP/"

6.    Run the following commands to turn on the SSL and header modules:

$ sudo a2enmod ssl
$ sudo a2enmod headers

7.    Run the following command to reload the Apache service and apply the modifications:

$ sudo systemctl reload apache2

Step 5: Verify your SSL server

1.    Launch your web browser and navigate to https://Server-IP. The browser displays a warning page. This is expected because your certificate isn't signed by a trusted certificate authority.

2.    Select Proceed to Host. The Apache home page opens. A lock with the words "not secure" appears in the browser address bar. This indicates that the certificate isn't validated, but the connection is encrypted.
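
The following script is an added example, not part of the original article or any AWS tooling: it checks from the command line what Steps 3 and 5 rely on, namely that the key matches the certificate, that the certificate isn't about to expire, that the unencrypted key is owner-only, and that the certificate is self-signed. The function names, the /CN=demo.example.test subject, and the 7-day default expiry threshold are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article). Checks a certificate/key pair such as
# the one created in Step 3. Requires openssl and GNU stat (Ubuntu has both).

# Create a throwaway pair with the article's Step 3 commands. The -subj value
# is a constructed placeholder that replaces the interactive prompts.
make_demo_pair() {  # make_demo_pair DIR
    openssl req -nodes -newkey rsa:2048 -subj "/CN=demo.example.test" \
        -keyout "$1/private.key" -out "$1/request.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/request.csr" -signkey "$1/private.key" \
        -days 365 -out "$1/certificate.crt" 2>/dev/null &&
    chmod 600 "$1/private.key"   # -nodes leaves the key unencrypted on disk
}

# True when issuer and subject are identical, which is why browsers warn.
is_self_signed() {  # is_self_signed CERT
    local s i
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Return 0 only if the key matches the certificate, the certificate is valid
# for at least MIN_LEFT more seconds, and the key is owner-only on disk.
check_pair() {  # check_pair CERT KEY [MIN_LEFT]
    local cert=$1 key=$2 min_left=${3:-604800} rc=0 mode
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null ||
        { echo "FAIL: $cert expires within $min_left seconds" >&2; rc=1; }
    mode=$(stat -c '%a' "$key")
    case $mode in
        [0-7]00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Usage (script name is hypothetical): sudo bash check_pair.sh CERT KEY
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: $1 and $2 pass all checks"
fi
```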

AWS OFFICIAL
Updated 10 months ago
4 Comments

WARNING! Read Step 5 before starting this. Following these instructions will NOT help you get https connections to your EC2 instance that users will be happy with. Use the Amazon Certificate Manager instead, and when you do, and go through the steps to set up a load balancer, you will also need to know to check the "Alias" box in Route 53 for setting up the correct "A" record to point to the load balancer, rather than to the public IP of your EC2 Instance.

Ward
replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 months ago

Is there a way to allow users to visit a website hosted on an EC2 instance through an https:// connection and "in a way they will be happy with" (i.e., without browser warnings) and without registering for a domain name (for example, simply using the provided public DNS that comes with the EC2 instance)?

replied 2 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 months ago