How to Install SSL Certificate on AWS EC2 Instance

Not sure how to add an SSL certificate to an EC2 instance? We’ve got you covered

Amazon Web Services (AWS), like so many other Amazon product offerings, has catapulted into one of the industry’s leading hosting providers. And while we’re still a few years away from being conscripted into CEO Jeff Bezos’ army of factory pickers — when Amazon eventually supersedes our world’s monolithic governments and claims its place as our foremost religion and ruling body — it wouldn’t hurt to get familiar with the products, services, and capabilities of the world’s largest company on a technical level. This includes understanding how to install an SSL certificate on an AWS EC2 instance.

AWS SSL Certificates vs Third-Party SSL Certificates

Now, Amazon is actually its own certificate authority (CA) and can issue its own customers proprietary Amazon SSL certificates that will be trusted by all major browsers and devices. But choosing Amazon’s SSL locks you into a specific type of certificate — one that lacks business authentication and only asserts server identity.

So, short of offering Bezos your first born in return for an Amazon EV certificate, it’s sometimes necessary to acquire a third-party SSL certificate. Of course, Amazon will not abide this blasphemy, and condemns it by not providing any instructions on how to install said third-party SSL certificate.

Well fear not. We have the directions on how to add an SSL certificate to an EC2 instance — and it won’t even cost you your progeny. (Well, at least not your first born, we do accept children lower down the line of succession in return for store credit, though.)

Add SSL Certificate to AWS EC2 Instance in 4 Steps

What you’ll need before we get started on how to install SSL certificate on AWS EC2 instance…

• An SSL certificate;
• Any intermediate certificates required to complete the certificate chain;
• Your private key;
• 10 minutes;
• A proper AWS CLI configuration; and
• Your pants on (optional).

Got ‘em all? Good. Let’s install this thing…

1. Convert your certificate to PEM format (in the example below, we did this using a .p12 bundle. This is because, by default, requests for CSR in IIS will give you a .p12 file). To do this you can either use our conversion tool, or use the following OpenSSL command:

openssl pkcs12 -in /file-path/source-file.p12 -out /file-path/destination-file.pem

2. We had our intermediates file in a .cer file. Convert your intermediates to PEM format, too. Again, either use our tool or use this OpenSSL command:

openssl x509 -inform der -in /file-path/source-file.cer -out /file-path/destination-file.pem

Because you need multiple PEM files to perform the next step, you’ll first need to break out the PEM files from the bundle. This can be done manually or using an application such as OpenSSL.

1. Upload the certificates to your AWS account. Use this OpenSSL command:

aws iam upload-server-certificate –server-certificate-name my-server-
cert –certificate-body file://my-server-certificate.pem –private-key
file://my-private-key.pem –certificate-chain file://my-certificate-chain.pem

If you want to see all certificates that are bound to the IAM profile, you can run the following command:

aws iam list-server-certificates

4. Configure your SSL listener. Despite Bezos’ anger over your SSL apostasy, he is a generous god and has deigned fit to share instructions on how to configure an HTTPS listener for your Load Balancer.

Simply follow those instructions to set up the SSL listener and you’ll have completed all the necessary steps to install your SSL certificate on AWS. Just don’t tell Bezos. He’s got a lot more time on his hands lately — and only half of his assets — so it’s best just to stay off his radar.