The instructions below will outline how to install an SSL certificate on an AWS EC2 instance.
Before You Start
Before you start, please make sure you have downloaded your certificate files. Still haven't downloaded your certificate? To get instructions for how to download your certificate (.zip), you can click here.
After downloading your certificate, you should have a ZIP containing the following certificate files:
Upload Certificate via Management Console:
Now that you have downloaded your certificate files, please follow the steps below to install in on your EC2 instance. In summary, you will need to upload your certificate files to IAM and allocate the certificate to your EC2 load balancer instance.
- Log in to your AWS management console and navigate to the EC2 console.
- Navigate to the EC2 Console.
- Choose Load Balancer under the "Network and Security" section.
- Select the load balancer you would like to allocate your certificate to.
- Go to the Listener tab, click on "Edit" and then "Add". Choose "HTTPS" as the protocol. Next, under SSL certificate select "Change" and click on “Upload a new certificate to AWS Identity and Access Management (IAM).”
- Now enter your certificate details: this includes a name for your certificate, your private key (private.key), the primary certificate file (certificate.crt), and the certificate chain (ca_chain.crt) by pasting file contents into the designated areas.
- Finally, click on "Save".
Upload Certificate via CLI:
Alternatively, you can also use the AWS command-line interface (CLI) in order to upload your certificate files to IAM. To use the AWS command-line interface for uploading your certificate to an EC2 instance, please follow the steps below.
You can use the following command in order to upload your certificate files to IAM:
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://certificate.crt --private-key file://private.key --certificate-chain file://ca_bundle.crt
certificate_object_name parameter above can be used to provide a name for your certificate object. Please also note that when you specify a file as a parameter (e.g. for certificate-body), file:// must be included.
IAM Upload Criteria
When uploading certificate files, IAM will verify if the following criteria are met:
- Certificate files (certificate.csr and ca_bundle.crt) must be in X.509 PEM format.
- The current date must be between the certificate issuance and expiration date.
- The certificate and private key files should contain only a single item, not multiple items.
- The private key must match the certificate.
- The private key must start with
-----BEGIN RSA PRIVATE KEY-----and end with
-----END RSA PRIVATE KEY-----.
- The private key must be encrypted with a password.
Congratulations, your site has now been secured using your new SSL certificate!