I want my web application or website that runs on an Amazon Elastic Compute Cloud (Amazon EC2) instance to use HTTPS. To allow this, I want to install my own SSL/TLS certificate on the Amazon EC2 Windows instance that runs on an Internet Information Services (IIS) server.
Short description
Note: If you're using Elastic Load Balancing (ELB), then you can use an Amazon-provided certificate from AWS Certificate Manager (ACM). For more information, see How do I associate an ACM SSL/TLS certificate with an Application, Network, or Classic Load Balancer?
There are three steps to install an SSL/TLS certificate on your EC2 Windows instance:
- Create a Certificate Signing Request (CSR) and request an SSL/TLS certificate.
- Install your SSL/TLS certificate.
- Assign the SSL/TLS certificate to your IIS deployment.
You can also modify an existing SSL/TLS certificate that's assigned to a site.
Resolution
Create a CSR and request an SSL/TLS certificate
Complete the following steps:
- Open the IIS Manager. To open the IIS Manager, first choose Start, choose Control Panel, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.
- In Connections, choose the name of the server where you want to install the certificate.
- In the IIS section of the home page, choose Server Certificates.
- In the Server Certificates console, under Actions, choose Create Certificate Request.
- Enter the following values in the Request Certificate wizard:
  - For Common name, enter the fully qualified domain name (FQDN) of the domain (for example, www.example.com).
  - For Organization, enter your company's name.
  - (Optional) For Organizational unit, enter the name of the department within your organization.
  - For City/locality, enter the city where the company is legally located.
  - For State/province, enter the state or province where the company is legally located.
  - For Country, enter the country where the company is legally located.
- Choose Next.
- For Cryptographic Service Provider Properties, enter the following values:
  - For Cryptographic service provider, select Microsoft RSA SChannel Cryptographic Provider. You can also select other options.
  - For Bit length, select 2048. It's a best practice to use 2048, unless a higher value is required.
- Choose Next.
- For File Name, navigate to the location where you want to save the CSR.
  Note: If you don't specify a location, then the file saves to C:\windows\system32 or ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools.
- Choose Finish.
- Use a text editor to copy the text from the created file. The following is an example of the text:
  -----BEGIN NEW CERTIFICATE REQUEST-----
  <examplekey>
  -----END NEW CERTIFICATE REQUEST-----
- Send the preceding value, including the first and last lines, to your chosen certificate provider so that they can issue the certificate.
When the certificate is available, install your SSL/TLS certificate.
Install your SSL/TLS certificate
Complete the following steps:
- Save the certificate file issued by your chosen provider to the server where you created the CSR.
- Open the IIS Manager.
- In Connections, choose the name of the server where you want to install the certificate.
- In the IIS section, choose Server Certificates.
- In Actions, choose Complete Certificate Request.
- In the Specify Certificate Authority Response wizard, enter the following information:
  - For File name containing the certificate authority's response, select the certificate (.cer) file.
  - For Friendly name, enter a name that helps you identify the certificate. It's a best practice to add the expiration date and use case for easier identification.
  - For Select a certificate store for the new certificate, select Web Hosting.
After your SSL/TLS certificate is installed on the server and ready for use, assign it to your site.
Assign the SSL/TLS certificate to your IIS deployment
Complete the following steps:
- Open the IIS Manager.
- In Connections, choose the name of the server where you want to install the certificate.
- Select Sites to expand the section, and then choose the site where you want to assign the certificate.
- In Actions, choose Bindings.
- In the Site Bindings wizard, choose Add.
- For Add Site Binding, enter the following information:
  - For Type, select HTTPS.
  - For IP Address, select the IP address of the site. Or, select All Unassigned.
  - For Port, enter 443. Port 443 is the port that's used by HTTPS for SSL/TLS secured traffic.
  - For SSL Certificate, select the SSL certificate for this site (for example, www.example.com).
- Choose OK.
The SSL/TLS certificate is assigned to this specific site for use with HTTPS.
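A post-assignment check for the steps above, as an added PowerShell example that is not part of the original article: it confirms that the site's port 443 binding points to a certificate that has its private key, meets the 2048-bit length, is within its validity period, and covers the host name. The site name `Default Web Site`, the 30-day warning window, and the function name `Test-IisSiteCertificate` are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.
Import-Module WebAdministration

function Test-IisSiteCertificate {
    param(
        [string]$SiteName   = 'Default Web Site',  # assumption: your IIS site name
        [string]$HostName   = 'www.example.com',   # FQDN entered as the CSR common name
        [int]   $MinKeyBits = 2048,                # bit length selected in the CSR wizard
        [int]   $WarnDays   = 30                   # assumption: renewal warning window
    )
    # The site needs an HTTPS binding on port 443 that references a certificate.
    $binding = Get-WebBinding -Name $SiteName -Protocol https |
        Where-Object { $_.bindingInformation -match ':443:' } |
        Select-Object -First 1
    if (-not $binding -or -not $binding.certificateHash) {
        return "No HTTPS binding with a certificate on port 443 for site '$SiteName'"
    }

    # The bound thumbprint must exist in the store the binding names (for example, WebHosting).
    $store = $binding.certificateStoreName
    $cert  = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) { return "Bound certificate not found in Cert:\LocalMachine\$store" }

    $findings = @()
    # Completing the request on the server that created the CSR pairs the certificate with its key.
    if (-not $cert.HasPrivateKey) { $findings += 'Certificate has no associated private key' }

    # RSA key size; GetRSAPublicKey returns $null for non-RSA certificates.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinKeyBits) { $findings += "RSA key is only $($rsa.KeySize) bits" }

    # Validity window.
    $now = Get-Date
    if ($cert.NotBefore -gt $now) { $findings += "Not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now.AddDays($WarnDays)) { $findings += "Expires $($cert.NotAfter)" }

    # Host name must match a DNS name exactly or through a single-label wildcard.
    $names    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $wildcard = $HostName -replace '^[^.]+', '*'
    if ($names -notcontains $HostName -and $names -notcontains $wildcard) {
        $findings += "Host name '$HostName' not in certificate names: $($names -join ', ')"
    }

    if ($findings.Count -eq 0) { "OK: $($cert.Thumbprint) ($($cert.FriendlyName)) serves $HostName" }
    else { $findings }
}
Test-IisSiteCertificate
```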
Modify an existing SSL/TLS certificate that's assigned to a site
To modify a certificate that's assigned to a site, complete the following steps:
- Follow the steps in the Create a CSR and request an SSL/TLS certificate section of this article.
- Follow the steps in the Install your SSL/TLS certificate section of this article.
- Follow steps 1-4 in the Assign the SSL/TLS certificate to your IIS deployment section of this article.
- In the Site Bindings wizard, find the HTTPS binding. Select the binding, and then choose Edit.
- Select the new certificate from the SSL certificate dropdown list, and then choose OK.