I want to install a self-signed SSL/TLS certificate on my Amazon Elastic Compute Cloud (Amazon EC2) Ubuntu instance that hosts an Apache server.
Resolution
Prerequisite: Make sure that the instance's security groups allow traffic on ports 80 and 443.
Install the Apache web server and OpenSSL
To install Apache and OpenSSL on your server, run the following command:
sudo apt-get install apache2 openssl -y
Generate a self-signed certificate
Complete the following steps:
- SSL/TLS uses both public and private keys. To create a private key for your domain and a certificate signing request (CSR), run the following command:
sudo openssl req -nodes -newkey rsa:2048 -keyout /etc/ssl/private/private.key -out /etc/ssl/private/request.csr
- To generate an SSL/TLS certificate, run the following command:
sudo openssl x509 -in /etc/ssl/private/request.csr -out /etc/ssl/private/certificate.crt -req -signkey /etc/ssl/private/private.key -days 365
You can now use the key (private.key) and certificate (certificate.crt) files with the Apache web server.
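The two openssl steps above, as an added example that is not part of the original article: the same key, CSR and self-signed certificate are produced non-interactively, a subjectAltName is added (browsers match the address against the SAN rather than the CN), and the result is checked so that the certificate really belongs to the key before Apache is pointed at it. The directory and the IP address 203.0.113.10 are constructed sample values; substitute your own paths and server IP.

```shell
#!/bin/sh
# Added example, not part of the original article: the two openssl steps above,
# run non-interactively, plus checks that the resulting certificate and key
# actually belong together. The directory and the IP 203.0.113.10 are
# constructed sample values; substitute your own paths and server IP.
set -eu

# gen_self_signed DIR IP DAYS
# Writes private.key, request.csr and certificate.crt into DIR.
gen_self_signed() {
    dir="$1"; ip="$2"; days="$3"
    mkdir -p "$dir"
    # Step 1 of the article: 2048-bit RSA key and CSR. -subj supplies the
    # subject so openssl does not prompt for it.
    openssl req -nodes -newkey rsa:2048 \
        -keyout "$dir/private.key" -out "$dir/request.csr" \
        -subj "/CN=$ip" 2>/dev/null
    # Browsers match the address against subjectAltName, not the CN, so the
    # signing step adds one. CA:FALSE marks this as an end-entity certificate.
    printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\n' "$ip" > "$dir/san.ext"
    # Step 2 of the article: sign the CSR with its own private key.
    openssl x509 -req -in "$dir/request.csr" -signkey "$dir/private.key" \
        -days "$days" -extfile "$dir/san.ext" -out "$dir/certificate.crt" 2>/dev/null
    # Restrict the key to its owner; Apache's root parent process reads it at startup.
    chmod 600 "$dir/private.key"
}

# cert_matches_key CERT KEY -> 0 when the public key inside CERT is the one
# derived from KEY. A mismatch here is a common reason Apache refuses to start.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

# cert_has_san CERT IP -> 0 when CERT carries IP in its subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "IP Address:$2"
}

# Demo on constructed values.
demo=$(mktemp -d)
gen_self_signed "$demo" 203.0.113.10 365
cert_matches_key "$demo/certificate.crt" "$demo/private.key" && echo "certificate matches private key"
cert_has_san "$demo/certificate.crt" 203.0.113.10 && echo "subjectAltName contains 203.0.113.10"
openssl x509 -noout -subject -dates -in "$demo/certificate.crt"
```

To use the output with the article's steps, run `gen_self_signed /etc/ssl/private <your-server-IP> 365` as root; the file names match the ones the later Apache directives expect.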
Configure Apache to use SSL/TLS
To configure Apache to use the self-signed certificate that you created, complete the following steps:
- Run the following command to open the default Apache SSL configuration file:
sudo vi /etc/apache2/sites-available/default-ssl.conf
- Use the following paths to define the location of your SSL certificate:
For SSLCertificateFile, use /etc/ssl/private/certificate.crt.
For SSLCertificateKeyFile, use /etc/ssl/private/private.key.
- Save and close the file. Then, run the following command to activate the virtual host file:
sudo a2ensite default-ssl.conf
- To open the default virtual host configuration file for Apache, run the following command:
sudo vi /etc/apache2/sites-available/000-default.conf
- To redirect HTTP requests to the HTTPS version of the site, add the following line to the /etc/apache2/sites-available/000-default.conf file:
Redirect "/" https://Server-IP
Note: Replace Server-IP with your server IP address. It's a best practice to enter the preceding line after the DocumentRoot line. The redirect forwards all traffic to the site's SSL/TLS version.
- To activate the SSL/TLS and header modules, run the following commands:
sudo a2enmod ssl
sudo a2enmod headers
- Run the following command to reload the Apache service and apply the modifications:
sudo systemctl reload apache2
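Before reloading, it is worth checking the two files edited above for the mistakes that most often leave the site unreachable: certificate or key paths that do not resolve, a key file readable by every local user, an already expired certificate, and a Redirect that still points at http://. The following script is an added example, not part of the original article; the sample directory, the conf fragments it writes and the IP address 203.0.113.10 are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the two Apache
# files edited above before reloading. Sample conf fragments and the IP
# 203.0.113.10 are constructed values.
set -eu

# directive CONF NAME -> value of the first NAME directive in CONF (empty if none).
# awk splits on whitespace, so indentation inside <VirtualHost> does not matter.
directive() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1" | tr -d '"'
}

# check_ssl_vhost CONF -> 0 when SSLCertificateFile and SSLCertificateKeyFile
# point at readable files, the key is not world-readable and the certificate
# has not expired.
check_ssl_vhost() {
    cert=$(directive "$1" SSLCertificateFile)
    key=$(directive "$1" SSLCertificateKeyFile)
    [ -n "$cert" ] && [ -n "$key" ] || { echo "missing SSLCertificateFile or SSLCertificateKeyFile in $1" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "key not readable: $key" >&2; return 1; }
    # find prints the path only if the other-read bit (004) is set.
    [ -z "$(find "$key" -perm -004)" ] || { echo "key is world-readable: $key" >&2; return 1; }
    # -checkend 0 exits non-zero once the certificate has expired.
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null || { echo "certificate expired: $cert" >&2; return 1; }
}

# check_redirect CONF -> 0 when the Redirect target in CONF uses https://.
check_redirect() {
    target=$(awk '$1 == "Redirect" { print $NF; exit }' "$1" | tr -d '"')
    case "$target" in
        https://*) return 0 ;;
        "") echo "no Redirect directive in $1" >&2; return 1 ;;
        *) echo "Redirect target is not https: $target" >&2; return 1 ;;
    esac
}

# make_sample DIR -> constructed key, certificate and the two conf fragments
# from the steps above, written into DIR for the demo.
make_sample() {
    dir="$1"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=203.0.113.10" \
        -keyout "$dir/private.key" -out "$dir/certificate.crt" 2>/dev/null
    chmod 600 "$dir/private.key"
    cat > "$dir/default-ssl.conf" <<EOF
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile $dir/certificate.crt
    SSLCertificateKeyFile $dir/private.key
</VirtualHost>
EOF
    cat > "$dir/000-default.conf" <<EOF
<VirtualHost *:80>
    DocumentRoot /var/www/html
    Redirect "/" https://203.0.113.10
</VirtualHost>
EOF
}

# Demo on the constructed sample.
sample=$(mktemp -d)
make_sample "$sample"
check_ssl_vhost "$sample/default-ssl.conf" && echo "default-ssl.conf: certificate and key OK"
check_redirect "$sample/000-default.conf" && echo "000-default.conf: redirect uses https"
```

On the instance, run the checks against the real files as root, `check_ssl_vhost /etc/apache2/sites-available/default-ssl.conf` and `check_redirect /etc/apache2/sites-available/000-default.conf`, and follow them with `sudo apache2ctl configtest`, which validates the full configuration syntax before you reload.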
Verify your SSL/TLS server
Complete the following steps:
- Launch your web browser.
- Open https://Server-IP.
Note: Replace Server-IP with your server IP address. The web browser shows a certificate warning page. This is expected because a trusted certificate authority didn't sign your certificate.
- Choose Proceed to Host to open the Apache home page. A lock icon marked Not secure appears in the browser address bar. This indicates that the certificate isn't validated, but the connection is still encrypted.
For information about how to configure SSL/TLS on Red Hat Enterprise Linux (RHEL) or Community Enterprise Linux, see Setting up a webserver to use HTTPS on the Red Hat website. Or, if you use Amazon Linux, then see SSL/TLS configuration for Amazon Linux 1 (AL1), Amazon Linux 2 (AL2), or Amazon Linux 2023 (AL2023).