You can find instructions for installing an SSL certificate on an AWS EC2 instance.
Before You Start
Please make sure you have downloaded your certificate files. Still haven't downloaded your certificate? To get instructions on how to download your certificate (.zip), you can click here.
After downloading your certificate, you should have a ZIP containing the following certificate files:
- certificate.crt
- ca_bundle.crt
- private.key
-
Choose one of the two installation methods below
-
Upload Certificate via Management Console
Now that you have downloaded your certificate files, please follow the steps below to install in on your EC2 instance. In summary, you will need to upload your certificate files to IAM and allocate the certificate to your EC2 load balancer instance.
- Log in to your AWS management console and navigate to the EC2 console.
- Navigate to the EC2 Console.
- Choose Load Balancer under the "Network and Security" section.
- Select the load balancer you would like to allocate your certificate to.
- Go to the Listener tab, click on "Edit" and then "Add". Choose "HTTPS" as the protocol. Next, under SSL certificate select "Change" and click on “Upload a new certificate to AWS Identity and Access Management (IAM).”
- Now enter your certificate details: this includes a name for your certificate, your private key (private.key), the primary certificate file (certificate.crt), and the certificate chain (ca_chain.crt) by pasting file contents into the designated areas.
- Finally, click on "Save".
-
Upload Certificate via CLI
Alternatively, you can also use the AWS command-line interface (CLI) in order to upload your certificate files to IAM. To use the AWS command-line interface for uploading your certificate to an EC2 instance, please follow the steps below.
Please note order for your upload to work, you may be required to rename your .crt files to .pem.
You can use the following command in order to upload your certificate files to IAM:
aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://certificate.crt --private-key file://private.key --certificate-chain file://ca_bundle.crt
The
certificate_object_name
parameter above can be used to provide a name for your certificate object. Please also note that when you specify a file as a parameter (e.g. for certificate-body), file:// must be included.IAM Upload Criteria
When uploading certificate files, IAM will verify if the following criteria are met:
- Certificate files (certificate.csr and ca_bundle.crt) must be in X.509 PEM format.
- The current date must be between the certificate issuance and the expiration date.
- The certificate and private key files should contain only a single item, not multiple items.
- The private key must match the certificate.
- The private key must start with
-----BEGIN RSA PRIVATE KEY-----
and end with-----END RSA PRIVATE KEY-----
. - The private key must be encrypted with a password.
-
-
Check Installation
You have completed all the required steps to install your SSL certificate. To check whether or not your certificate has been installed correctly, simply use the built-in ZeroSSL "Check Installation" tool or try accessing your domain using HTTPS, e.g. https://domain.com.
Congratulations
Your site has now been secured using your new SSL certificate!
Do you have Feedback to the installation of your SSL certificate?