How to add SSL certificate to AWS EC2 with the help of new AWS Certificate Manager service


Solution 1

Q: Can I use certificates on Amazon EC2 instances or on my own servers?

No. At this time, certificates provided by ACM can only be used with specific AWS services.


Q: With which AWS services can I use certificates provided by ACM?

You can use ACM with the following AWS services:

• Elastic Load Balancing

• Amazon CloudFront

• AWS Elastic Beanstalk

• Amazon API Gateway

https://aws.amazon.com/certificate-manager/faqs/

You can't install the certificates created by Amazon Certificate Manager (ACM) on resources you have direct low-level access to, like EC2 or servers outside of AWS, because you aren't provided with access to the private keys. These certs can only be deployed on resources managed by the AWS infrastructure -- ELB and CloudFront -- because the AWS infrastructure holds the only copies of the private keys for the certificates that it generates, and maintains them under tight security with auditable internal access controls.

You'd have to have your EC2 machines listening behind CloudFront or ELB (or both, cascaded, would also work) in order to use these certs for content coming from EC2... because you can't install these certs directly on EC2 machines.

Solution 2

If you are using an AWS ACM cert for internal purposes only, then you could probably use AWS ACM Private CA to issue the certs. (I think you can use it for public/external traffic as well if your root CA is a publicly trusted CA.)

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetStarted.html

During Application/EC2/Container startup, set a step to export your ACM Private CA issued Cert/Private Key to your destination and start referring that for serving the traffic.

https://docs.aws.amazon.com/cli/latest/reference/acm/export-certificate.html

One good thing is, you can control who can call export cert feature using IAM Role so not everyone can download private key of the cert.

One downside with this is that Private CA is an expensive AWS service ($400/month). https://aws.amazon.com/certificate-manager/pricing/
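As an added example (not code from this answer or from AWS), the startup step described above in Python: it takes the response shape of `aws acm export-certificate` (Certificate, CertificateChain, PrivateKey), refuses to install a partial response, and writes the PEM files with an owner-only mode on the key. `fetch_export` assumes boto3 is installed and that the instance or task role is allowed only acm:ExportCertificate on the one ARN; the sample response is constructed so the rest runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample mirroring the three fields `aws acm export-certificate` returns;
# the private key comes back PEM-encrypted under the passphrase supplied in the call.
SAMPLE_EXPORT = {
    "Certificate": "-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "CertificateChain": "-----BEGIN CERTIFICATE-----\nISSUER-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "PrivateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n",
}
PEM_FIELDS = ("Certificate", "CertificateChain", "PrivateKey")

def is_valid_export(resp):
    """All three PEM blobs must be present; a partial response is never installed."""
    return all(str(resp.get(f, "")).startswith("-----BEGIN") for f in PEM_FIELDS)

def fetch_export(cert_arn, passphrase):
    """Startup step: pull cert + key from ACM. Assumes boto3 is installed and the
    instance/task role is allowed acm:ExportCertificate on this ARN and nothing broader."""
    import boto3
    acm = boto3.client("acm")
    return acm.export_certificate(CertificateArn=cert_arn, Passphrase=passphrase.encode())

def install_materials(resp, dest):
    """Write leaf, chain and the still-encrypted key under dest with tight modes.
    Returns the paths plus the modes actually set so the caller can verify them."""
    if not is_valid_export(resp):
        raise ValueError("incomplete export-certificate response; refusing to install")
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    files = {
        "cert": (dest / "server.crt", resp["Certificate"], 0o644),
        "chain": (dest / "chain.crt", resp["CertificateChain"], 0o644),
        "key": (dest / "server.key", resp["PrivateKey"], 0o600),  # owner-only
    }
    out = {}
    for name, (path, pem, mode) in files.items():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)  # mode set at create
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        os.chmod(path, mode)  # undo any umask change so the mode is exactly as requested
        out[name] = str(path)
        out[name + "_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    return out

def demo():
    """Offline run against the constructed sample into a fresh temp directory."""
    return install_materials(SAMPLE_EXPORT, tempfile.mkdtemp(prefix="acm-export-"))
```

The key file stays encrypted with the export passphrase, so the web server must either be given that passphrase or the key must be decrypted on the host before use.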

Solution 3

No, you cannot use AWS Certificate Manager for deploying certs on EC2. The Certificate Manager certs can only be deployed against CloudFront and Elastic Load Balancer. In order to use it on EC2, you need to put an ELB in front of EC2, so that the request from the client to the load balancer will be HTTPS-protected and from the ELB to the EC2 web server will be on HTTP.

Solution 4

Adding to the comments above, you can't use the AWS Certificate Manager for this, but you can add a Let's Encrypt certificate to ec2 on a Windows server running IIS and it's pretty easy:

  1. Associate an elastic ip with your ec2 instance.

  2. Make sure you have a registered domain. You can't use ec2----------.us-east-1.compute.amazonaws.com type names that come with your instance.

  3. Through your domain provider's DNS settings have your domain point to your Elastic IP.

  4. Connect to your ec2 instance and add your domain name to the site bindings.

  5. Go to https://github.com/PKISharp/win-acme/releases

  6. Look under assets, and use the latest version (win-acme.v2.0.10.444.zip for example). This is the only assets folder that you need.

  7. Unzip the folder, open the terminal as administrator, and cd into the unzipped folder.

  8. Run wacs.exe and follow the prompts.

  9. Make sure the security group assigned to your instance allows traffic (at the very least your own IP) through the HTTPS port you chose in IIS; this is port 443 by default.

I found the links below helpful when I was figuring this out. Here is a video using an earlier release if you need more help, but it's the same idea.

https://www.youtube.com/watch?v=fq5OUOjumuM

Also this article might be helpful:

https://weblog.west-wind.com/posts/2016/feb/22/using-lets-encrypt-with-iis-on-windows

Author: Bhavik Joshi


Updated on July 08, 2022

Comments

  • Bhavik Joshi (almost 2 years)

    AWS has come up with a new service AWS Certificate Manager. One thing I got from the description is that if we are using this service we don't have to pay for the certificate anymore.

    They are providing certificates for Elastic Load Balancer (ELB) and CloudFront, but I didn't find EC2 anywhere.

    Is there any way to use the certificate with EC2?

  • kraftydevil (almost 7 years)
    The good news is that there is no charge if you issued a certificate and just found out on here that you can't install it.
  • Michael - sqlbot (almost 7 years)
    lol @kraftydevil I guess you have a point, there. Note that letsencrypt.org is a legitimate, recognized, non-profit source for free SSL certs that you can install anywhere you like. (And, I might add, I have no affiliation with Let's Encrypt.)
  • Michael - sqlbot (almost 7 years)
    @EngineerDollery no, that is only true for one specific case. You absolutely can use Let's Encrypt on EC2. What you cannot do is get a Let's Encrypt certificate for an EC2 *.amazonaws.com hostname because, sensibly enough, Let's Encrypt policy doesn't allow it... but for a domain you control that points to an EC2 instance IP, or ELB, or CloudFront, you most definitely can use Let's Encrypt, the same as anywhere else.
  • Efren (almost 6 years)
    Link to an example with an automated lets encrypt certificate deployed on EC2: docs.aws.amazon.com/AWSEC2/latest/UserGuide/…
  • MuaathAli (over 5 years)
    I followed the ELB setup and everything; now I'm getting 502 Bad Gateway after I pointed the A record to the ELB.
  • Michael - sqlbot (over 5 years)
    @MuaathAli check the logs on your instance(s) to see if the request was seen, and inspect the headers from the 502 error to see if it came from the ELB or the instance. This should be unrelated to SSL.
  • Free Willaert (over 5 years)
    You cannot use export-certificate with ACM PCA, but you don't need it either: you'll already have the private key, and get-certificate gives you the certificate and chain.
  • Imran (over 5 years)
    @FreeWillaert I am pretty sure you will not get the private key part with get-certificate. Check this CLI documentation, and this. Check both outputs of the CLI responses. I have already tested these CLI commands.
  • Imran (over 5 years)
    @FreeWillaert yep :). The above CLI command can be used in a Docker startup script or an EC2 user data script to download the private key and cert at runtime and start using them for serving TLS traffic, especially in an ASG. The good part is you can control who can call the above CLI command using IAM roles, so not everyone has access to the private keys.
  • Piekarski D (over 4 years)
    @Imran you should write in bold "One downside with this is, private CA is expensive AWS service ($400/month)." at the top, as for example I'd have missed it if I didn't read this answer a 2nd time.
  • Imran (over 4 years)
    @PiekarskiD done. Thanks for the suggestion! If you like my answer, you can always upvote!