Install SSL certificate on AWS Elastic Beanstalk / Load Balancer

This how-to will guide you through the process of installing a TLS/SSL certificate to your AWS Elastic Beanstalk environment so that you can encrypt data from your load balancer to your Amazon Elastic Compute Cloud (Amazon EC2) instance.

Prepare your Elastic Beanstalk Environment

The process of preparing the Elastic Beanstalk Environment is outside the scope of this guide, hence we will assume that your environment is already configured and focus on the installation process of the certificate instead. If you need more information on the subject, please start with the AWS documentation.

Acquire a TLS/SSL Certificate

In order to use a certificate, the first step is to purchase a certificate from a publicly trusted Certificate Authority, like SSL.com. Choosing the right certificate for your specific needs is important, so we kindly advise you to refer to this guide.  If you need additional details regarding generating the CSR generation, or how to order your certificate from SSL.com, please visit our knowledgebase. You may also contact our 24-hour support team at support@stg.ssl.com or the online chat. For quotes, custom solutions, or high-volume orders, please contact sales@stg.ssl.com.

Import the Certificate to AWS

The certificate needs to be imported to AWS so that it can be configured later. The recommended tool is to use AWS Certificate Manager (ACM) as long as it is available to your region. In the case that it is not, you can upload your certificate to AWS Identity and Access Management (IAM). We will see each case separately, but you only need to follow one of the following procedures.

Import a certificate to ACM

Importing a certificate to ACM can be done through the console or through the AWS Command Line Interface (AWS CLI). Below we will guide you through both options.

Import through console

1. Open the ACM console at https://console.aws.amazon.com/acm/home.
2. Click on Import a Certificate
3. You will see three fields you need to fill
   1. Certificate body: insert the PEM-encoded certificate you have received from SSL.com. This should begin with – – – – – BEGIN CERTIFICATE – – – – – and end with – – – – – END CERTIFICATE – – – – –.
   2. Certificate Private Key: insert the PEM-encoded, unencrypted Private Key you have received from SSL.com. This should begin with – – – – – BEGIN PRIVATE KEY- – – – – and end with – – – – – END PRIVATE KEY – – – – -.
   3. Certificate Chain: insert the PEM-encoded certificate chain.
4. Click on Review and import.
5. You will see a Review and import page. You need to check the displayed information about your certificate to validate that everything is in order. The fields are:

• Domains — A list of fully qualified domain names (FQDN) authenticated by the certificate
  
  
• Expires in — The number of days until the certificate expires
  
  
• Public key info — The cryptographic algorithm used to generate the key pair
  
  
• Signature algorithm — The cryptographic algorithm used to create the certificate’s signature
  
  
• Can be used with — A list of ACM integrated services that support the type of certificate you are importing
  
  6. If everything is correct, choose Import.

Now you are ready to continue to the next step of adding listeners to your Load Balancers.

Import through AWS CLI

You can also select to import the certificate by using the AWS CLI. In order to do this, you need to make sure the following:

• The PEM-encoded certificate is stored in a file named Certificate.pem.
  
  
• The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.
  
  
• The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.
  
  

Then you can type the following command in one continuous line replacing the file names with your own. The following example includes line breaks and extra spaces to make it easier to read. Note that this is an example using the above generic names given. When actually using the command, you should replace fileb://Certificate.pem and the other similar expressions with the actual file name and path in your computer.

$ aws acm import-certificate –certificate fileb://Certificate.pem \       –certificate-chain fileb://CertificateChain.pem \       –private-key fileb://PrivateKey.pem

If the import-certificate command is successful, it returns the Amazon Resource Name (ARN) of the imported certificate.  Now you are ready to continue to the next step of adding listeners to your Load Balancers.

Upload a certificate to IAM

You should use IAM to upload a certificate only if ACM is not available in your region. This is done by typing the following command on AWS CLI. Note that you should make sure the following:

• The PEM-encoded certificate is stored in a file named Certificate.pem.
  
  
• The PEM-encoded certificate chain is stored in a file named CertificateChain.pem.
  
  

The PEM-encoded, unencrypted private key is stored in a file named PrivateKey.pem.

$ aws iam upload-server-certificate –server-certificate-name elastic-beanstalk-x509 –certificate-chain file://CertificateChain.pem –certificate-body file://Certificate.pem –private-key file://PrivateKey.pem {     “ServerCertificateMetadata”: {         “ServerCertificateId”: “AS5YBEIONO2Q7CAIHKNGC”,         “ServerCertificateName”: “elastic-beanstalk-x509”,         “Expiration”: “2017-01-31T23:06:22Z”,         “Path”: “/”,         “Arn”: “arn:aws:iam::123456789012:server-certificate/elastic-beanstalk-x509”,         “UploadDate”: “2016-02-01T23:10:34.167Z”     } }

The file:// prefix tells the AWS CLI to load the contents of a file in the current directory. Naturally, you should replace the metadata of the certificate with your own. Specifically, the elastic-beanstalk-x509 should specify the name to call the certificate in IAM.  Now you are ready to continue to the next step of adding listeners to your Load Balancers.

Add listeners to your load balancers

After you have installed your certificate, you need to add listeners to your load balancers to enable HTTPS. You should do the following:

1.   Open the Elastic Beanstalk console, and then select your environment.
2.   In the navigation pane, choose Configuration.
3.   In the Load balancer category, choose Modify.
4.   The next step is adding the listener for port 443. The procedure depends upon the type of load balancer in your Elastic Beanstalk environment. You should follow the set of instructions after selecting the appropriate type of load balancer, Classic, Network, or Application.  The steps are similar, but with a few crucial differences.

Add listeners for a Classic Load Balancer.

1.   Choose Add Listener.
2.   For Port, enter the incoming traffic port (typically 443).
3.   For Protocol, choose HTTPS.
4.   For Instance Port, enter 80.
5.   For Instance Protocol, choose HTTP.
6.   For SSL certificate, choose your certificate, and then choose the SSL policy that you want to use from the drop-down menu.
7. Choose Add, and then choose Apply.

Add listeners for a Network Load Balancer.

1.   Choose Add Listener.
2.   For Port, enter the incoming traffic port (typically 443).
3. Choose Add, and then choose Apply.

Add listeners for an Application Load Balancer.

1.   Choose Add Listener.
2.   For Port, enter the incoming traffic port (typically 443).
3.   For Protocol, choose HTTPS.
4.   For SSL certificate, choose your certificate, and then choose the SSL policy that you want to use from the dropdown list.
5.   Choose Add, and then choose Apply.

For all the above procedures, you should keep in mind that the changes will only take effect after you have clicked on the Apply button.

Review the changes

After installing your TLS/SSL Certificate to your Elastic Beanstalk Load Balancer, you can review the changes to make sure everything is in order. The process should take a few minutes to complete. Congratulations! You have installed your TLS/SSL Certificate in your AWS Elastic Beanstalk environment making sure your users are connected to your website securely.