SSL certificate for site on Amazon ec2 possible?


Solution 1

SSL certificates specify a domain name or names, not an IP address. I have not used an SSL certificate on an EC2 host, but I don't see why it wouldn't be possible.

You will probably want to use Amazon's Elastic IP service so that you can maintain a stable relationship between a given EC2 instance (EBS-backed, I imagine) and the publicly visible hostname; the hostname is what's described in the certificate.

Obviously, installing the private key for an SSL keypair on someone else's hardware has security implications - but I bet that the majority of SSL private keys are sitting on hardware that's not owned by the holder of the certificate, so it's not like that's an unfamiliar or unusual risk.

Low-end certificates aren't very expensive these days - most of the certificate vendors will even issue you a temporary 30-day cert for free so you can experiment with it and see how it will work out in your environment. You can also use a self-signed certificate which will probably generate complaints from browsers.

Solution 2

Further to @gbroiles' answer above, I'm running a site for my company which is hosted on EC2 and has an SSL certificate. EC2 gives you full access to the operating system, so I just installed the certificate in our Apache server in exactly the same way as if it was running on a physical machine.

We use an elastic IP address as described above; Amazon doesn't charge for elastic IPs if they are in use, but there is a small charge for unused elastic IP addresses. See the AWS pricing page for more details.

Author by

TWord

Updated on September 17, 2022

Comments

  • TWord
    TWord over 1 year

    We're thinking of getting an application hosted on the ec2 service, and the application's documentation says that an SSL certificate can be installed for secure communication (https).

    It's not clear to me whether a site hosted there can have one installed.

  • TWord
    TWord almost 14 years
    But why is it that some webhosting services force you to buy an IP address if you want to have an SSL certificate installed on your domain?
  • gbroiles
    gbroiles almost 14 years
    Non-SSL virtual hosts work by including a "Host:" header in the HTTP request that tells the server what (virtual) host the request is intended for. This means that many domains can be handled on a single IP address; the server figures out how to respond by looking at the Host: header. The traditional setup for SSL connections meant that it was necessary to negotiate the cryptographic aspects of the communication before the HTTP request could be presented to the host. This meant that the only way to differentiate between requests for the same server was to use one IP address per virtual host.
  • TWord
    TWord almost 14 years
    So are you saying that one IP address IS required for an SSL certificate? The way I understand the Amazon system is that it's all just one big virtual hosting provider - I know that a dedicated IP is NOT possible at Amazon, so by the above the SSL cert shouldn't work as well...?
  • gbroiles
    gbroiles almost 14 years
    A dedicated IP is possible with EC2, that's what Elastic IP does. The IP address you get with an EC2 server (non-Elastic IP) is not shared with others at the time that you're using it, but will be reused after your EC2 instance is deleted.
  • TWord
    TWord almost 14 years
    So a fixed/static/dedicated IP address is NOT required...
  • gbroiles
    gbroiles almost 14 years
    A dedicated IP address is required unless you're using SNI, which is relatively new and not supported by all browsers. See en.wikipedia.org/wiki/Server_Name_Indication and ietf.org/rfc/rfc4366.txt . The IP address doesn't need to be fixed or static, but it would be easier to set up a durable EC2 instance if you used an Elastic IP (giving you effectively a static IP) because you won't have to update your DNS records every time the EC2 instance changes.
  • TWord
    TWord almost 14 years
    Thanks for your input gareth - having someone doing exactly that is very reassuring!