How to install an SSL cert on EC2
When I began working with AWS and EC2 I learned how to install an SSL cert on EC2. I also learned it is not as simple as using cPanel or WHM. Below I have listed a few steps that you can follow that should help with the installation of an SSL cert. This tutorial assumes you are working with an EC2 instance running AWS Linux.
To begin the process of installing an SSL cert or generating a CSR, you must first make sure that mod_ssl is installed. Which version of mod_ssl you install depends on which version of PHP you are using. See below for PHP7 and lower. Also remember we are assuming you are working with an AWS Linux EC2 instance.
PHP7
PHP < 7
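First you must generate the CSR. To do so, follow the commands below. The CSR is built from a private key, so the first command creates private-key.pem; skip it if that file already exists. You will be asked a series of questions. Make sure to answer them accordingly. Once you are done answering the questions the CSR creation will be complete.
openssl genrsa -out private-key.pem 2048
openssl req -new -key private-key.pem -out csr.pem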
Next we need to view, copy, and paste the CSR into the SSL vendor's input. To do so, simply type the following command to see if the file exists.
Now paste the CSR into the input of the SSL provider. Once the SSL provider issues the cert you will need to download the cert for Apache (assuming you are using Amazon Linux). The next step is to add the cert and bundle cert to your server. To do this, use the code below. Replace "xxxxxxxxxxxxxxxxxx.crt" with the cert file name, then paste the cert content in and save. Then do the same with "bundle.crt" and make sure to change the name.
sudo vi bundle.crt
The next steps move the SSL cert to a location on the server that we will be able to find easily. I typically move my certs to the /etc/httpd/conf folder. Use the following commands to do this. Make sure to replace "xxxxxxxxxxxxxxxxxx.crt", "bundle.crt", and "private-key.pem" with the names of the files on your server.
sudo cp xxxxxxxxxxxxxxxxxx.crt /etc/httpd/conf/xxxxxxxxxxxxxxxxxx.crt
sudo cp bundle.crt /etc/httpd/conf/bundle.crt
sudo cp private-key.pem /etc/httpd/conf/private-key.pem
Next we need to edit the ssl.conf file located at "/etc/httpd/conf.d/ssl.conf". To open this file use the code below.
At the very top of the file below any of the code, use the following snippet and add your domain. Make sure to replace the "xxxxxxxx" placeholders with your server's information.
ServerName xxxxxxxxx.com (you can comment this out if you do not have it)
ServerAlias xxx.xxxxxxxxxx.com (the domain or subdomain for the website: www.xxxxx.com, sub.xxxxx.com or xxxxxxx.com)
Redirect / https://xxx.xxxxxxxxxx.com/ (this redirects all traffic from http to https; make sure you add your domain where the xxxxxx are)
<VirtualHost *:80>
#DocumentRoot "/www/var/html"
ServerName xxxxxxxxx.com
ServerAlias xxx.xxxxxxxxxx.com
Redirect / https://xxx.xxxxxxxxxx.com/
# Other directives here
</VirtualHost>
Next we need to add the correct cipher. You will see in the snippet below I have commented out two items and added one. Please do exactly the same.
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Restrict to HIGH-strength suites; excludes anonymous (aNULL), MD5 and 3DES suites
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
Lastly we need to update the key file locations. Make sure you find the following and comment them out first. Then add the correct ones back in using the snippet below.
- #SSLCertificateFile
- #SSLCertificateKeyFile
- #SSLCertificateChainFile
SSLCertificateFile /etc/httpd/conf/xxxxxxxxxxxxxxxxxx.crt
SSLCertificateKeyFile /etc/httpd/conf/private-key.pem
SSLCertificateChainFile /etc/httpd/conf/bundle.crt
Finally you can save and quit the ssl.conf configuration. Once this is complete the SSL cert is installed. The last thing you need to do is restart Apache by following the snippet below. You should get OK, OK. If you do not get 2 OKs then something in the configuration is wrong.
Once I confirm I have 2 OKs I navigate to https://www.sslshopper.com/ssl-checker.html and enter my URL to confirm the SSL is set up correctly.
Once you understand how to set up an SSL cert the process seems to flow much quicker. If you need help setting up an SSL cert on your EC2 instance feel free to email or call us.
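Apache will not start if the certificate does not match the private key, so it helps to check the files before the restart. The script below is an added example, not part of the original tutorial: it confirms that the private key, CSR and certificate carry the same public key, that the key is not accessible to group or other users, and that the certificate is not close to expiry. The script name and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks to run before restarting Apache.
# File names are passed as arguments; the 30-day expiry window is an assumed threshold.

# Print the public key (PEM) contained in a private key, CSR or certificate.
pubkey_of() {  # $1 = key|csr|cert, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same public key.
same_pubkey() {  # $1 kind, $2 file, $3 kind, $4 file
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if group and other have no permission bits on the private key.
key_is_private() {  # $1 = private key
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run every check and report each failure; returns 0 only if all pass.
preflight() {  # $1 = private key, $2 = certificate, $3 = CSR (optional)
    rc=0
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group/other (chmod 600)"; rc=1; }
    same_pubkey key "$1" cert "$2" || { echo "FAIL: $2 does not match $1"; rc=1; }
    if [ -n "$3" ]; then
        same_pubkey key "$1" csr "$3" || { echo "FAIL: $3 does not match $1"; rc=1; }
    fi
    openssl x509 -in "$2" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: $2 is unreadable or expires within 30 days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key, certificate and CSR are consistent"
    return "$rc"
}

# Usage: sh preflight.sh private-key.pem xxxxxxxxxxxxxxxxxx.crt [csr.pem]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it in the directory that holds the files, or pass the /etc/httpd/conf paths with sudo so the key can be read.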