This how-to will guide you through the process of installing a TLS/SSL certificate to your AWS Elastic Beanstalk environment so that you can encrypt data from your load balancer to your Amazon Elastic Compute Cloud (Amazon EC2) instance.
If the import-certificate command is successful, it returns the Amazon Resource Name (ARN) of the imported certificate.
Now you are ready to continue to the next step of adding listeners to your Load Balancers.
The file:// prefix tells the AWS CLI to load the contents of a file in the current directory. Naturally, you should replace the metadata of the certificate with your own. Specifically, the elastic-beanstalk-x509 should specify the name to call the certificate in IAM.
Now you are ready to continue to the next step of adding listeners to your Load Balancers.
Prepare your Elastic Beanstalk Environment
The process of preparing the Elastic Beanstalk Environment is outside the scope of this guide, hence we will assume that your environment is already configured and focus on the installation process of the certificate instead. If you need more information on the subject, please start with the AWS documentation.Acquire a TLS/SSL Certificate
In order to use a certificate, the first step is to purchase a certificate from a publicly trusted Certificate Authority, like SSL.com. Choosing the right certificate for your specific needs is important, so we kindly advise you to refer to this guide. If you need additional details regarding generating the CSR generation, or how to order your certificate from SSL.com, please visit our knowledgebase. You may also contact our 24-hour support team at support@stg.ssl.com or the online chat. For quotes, custom solutions, or high-volume orders, please contact sales@stg.ssl.com.Import the Certificate to AWS
The certificate needs to be imported to AWS so that it can be configured later. The recommended tool is to use AWS Certificate Manager (ACM) as long as it is available to your region. In the case that it is not, you can upload your certificate to AWS Identity and Access Management (IAM). We will see each case separately, but you only need to follow one of the following procedures.Import a certificate to ACM
Importing a certificate to ACM can be done through the console or through the AWS Command Line Interface (AWS CLI). Below we will guide you through both options.Import through console
- Open the ACM console at https://console.aws.amazon.com/acm/home.
- Click on Import a Certificate
- You will see three fields you need to fill
- Certificate body: insert the PEM-encoded certificate you have received from SSL.com. This should begin with – – – – – BEGIN CERTIFICATE – – – – – and end with – – – – – END CERTIFICATE – – – – –.
- Certificate Private Key: insert the PEM-encoded, unencrypted Private Key you have received from SSL.com. This should begin with – – – – – BEGIN PRIVATE KEY- – – – – and end with – – – – – END PRIVATE KEY – – – – -.
- Certificate Chain: insert the PEM-encoded certificate chain.
- Click on Review and import.
- You will see a Review and import page. You need to check the displayed information about your certificate to validate that everything is in order. The fields are:
- Domains — A list of fully qualified domain names (FQDN) authenticated by the certificate
- Expires in — The number of days until the certificate expires
- Public key info — The cryptographic algorithm used to generate the key pair
- Signature algorithm — The cryptographic algorithm used to create the certificate’s signature
- Can be used with — A list of ACM integrated services that support the type of certificate you are importing
6. If everything is correct, choose Import.
Import through AWS CLI
You can also select to import the certificate by using the AWS CLI. In order to do this, you need to make sure the following:- The PEM-encoded certificate is stored in a file named Certificate.pem.
- The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.
- The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.
$ aws acm import-certificate –certificate fileb://Certificate.pem \ –certificate-chain fileb://CertificateChain.pem \ –private-key fileb://PrivateKey.pem |
Upload a certificate to IAM
You should use IAM to upload a certificate only if ACM is not available in your region. This is done by typing the following command on AWS CLI. Note that you should make sure the following:- The PEM-encoded certificate is stored in a file named Certificate.pem.
- The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.
$ aws iam upload-server-certificate –server-certificate-name elastic-beanstalk-x509 –certificate-chain file://CertificateChain.pem –certificate-body file://Certificate.pem –private-key file://PrivateKey.pem { “ServerCertificateMetadata”: { “ServerCertificateId”: “AS5YBEIONO2Q7CAIHKNGC”, “ServerCertificateName”: “elastic-beanstalk-x509”, “Expiration”: “2017-01-31T23:06:22Z”, “Path”: “/”, “Arn”: “arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509”, “UploadDate”: “2016-02-01T23:10:34.167Z” } } |
Add listeners to your load balancers
After you have installed your certificate, you need to add listeners to your load balancers to enable HTTPS. You should do the following:- Open the Elastic Beanstalk console, and then select your environment.
- In the navigation pane, choose Configuration.
- In the Load balancer category, choose Modify.
- The next step is adding the listener for port 443. The procedure depends upon the type of load balancer in your Elastic Beanstalk environment. You should follow the set of instructions after selecting the appropriate type of load balancer, Classic, Network, or Application. The steps are similar, but with a few crucial differences.
Add listeners for a Classic Load Balancer.
- Choose Add Listener.
- For Port, enter the incoming traffic port (typically 443).
- For Protocol, choose HTTPS.
- For Instance Port, enter 80.
- For Instance Protocol, choose HTTP.
- For SSL certificate, choose your certificate, and then choose the SSL policy that you want to use from the drop-down menu.
- Choose Add, and then choose Apply.
Add listeners for a Network Load Balancer.
- Choose Add Listener.
- For Port, enter the incoming traffic port (typically 443).
- Choose Add, and then choose Apply.
Add listeners for an Application Load Balancer.
- Choose Add Listener.
- For Port, enter the incoming traffic port (typically 443).
- For Protocol, choose HTTPS.
- For SSL certificate, choose your certificate, and then choose the SSL policy that you want to use from the dropdown list.
- Choose Add, and then choose Apply.