In my previous posts I showed you how to set up HTTPS on Amazon’s EC2/Elastic Beanstalk. In those posts I used a self-signed certificate. This is a fine approach for the early stages of development or for prototypes, but if you’re launching a real site you have to buy a real certificate from one of the certifying agencies; otherwise your users may be scared off by browser warnings about accessing an untrusted site. Getting an SSL certificate is a fairly easy process but not always cheap; you can do a search on the web for “cheap ssl” to find the best deal for your needs. I chose GoDaddy because I had a coupon from them. It pays to shop around, as prices vary dramatically.
The first step is to generate a private key and the Certificate Signing Request (CSR) needed by the certifying agency. You can do this with openssl. If you’re on a Mac like I am, openssl is already installed. If you’re on another platform, here are some instructions on how to install it. Ready? Let’s get started:
- Open a terminal window and create a directory for your certificate files. Create this in a safe location and name it appropriately so you don’t accidentally delete it later.
$ mkdir my-ssl-certifications
$ cd my-ssl-certifications
- Create the private key according to GoDaddy’s requirements (other providers may have different requirements, so be sure to check first). Enter the following command. You’ll be asked for a pass phrase. Be sure you remember it; you’ll need it later.
$ openssl genrsa -des3 -out host.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................+++
...............................+++
e is 65537 (0x10001)
Enter pass phrase for host.key:
Verifying - Enter pass phrase for host.key:
- Now let’s use the private key to create the certificate signing request (CSR).
$ openssl req -new -key host.key -out host.csr
- You’ll be asked for your pass phrase again, followed by several questions. It is vital that you answer these correctly and accurately; otherwise your certificate will not be valid. In particular, be sure that the Organizational Unit Name and the Common Name match the fully qualified domain name of your website (www.mycompany.com in the session below). You can leave the last two ‘extra’ questions unanswered.
Enter pass phrase for host.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Missouri
Locality Name (eg, city) :Saint Louis
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) :www.mycompany.com
Common Name (e.g. server FQDN or YOUR name) :www.mycompany.com
Email Address :email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
- Now that you have the host.csr file, you have to submit it to the certifying agency. For GoDaddy I had to first purchase a standard single-domain SSL certificate on their website. Upon checkout an ‘SSL Get Started’ link appeared. I clicked on that and finally got to a form that asked for the CSR.
- Open the host.csr file using a text editor and then copy and paste the entire contents (including the delimiters) into the GoDaddy CSR request form.
-----BEGIN CERTIFICATE REQUEST-----
[encoded text here]
-----END CERTIFICATE REQUEST-----
- Submit the form. The agency will then verify the information. The process and the length of time this may take will differ depending on the certifying agency. GoDaddy was able to verify my domain instantly because I purchased my domain through them so they knew the domain and had my contact information.
- Once you receive notice that the certificates are ready, download them into the directory you created earlier. For GoDaddy, I received a zip file containing 2 files: a [server].crt (a randomly named file ending in .crt) and a gd_bundle.crt file.
- Now we need to modify and upload these certs to Amazon, so log into the Amazon EC2 Management Console.
- Click on Load Balancers in the left-hand column.
- Click on the checkbox next to the Load Balancer for your instance (it may be the only one).
- Click on the Listeners tab that appears at the bottom of the page.
- Click on the Change link in the SSL Certificate column for the HTTPS row.
- Click on the Upload a new SSL Certificate button in the popup window that appears.
- For the Certificate Name, enter any name you want to identify this certificate.
- For the Private Key you need to get the text of the original host.key you created. Type the following command in your terminal window and copy the results from the terminal window into the Private Key field on Amazon.
$ openssl rsa -in host.key -text
- For the public key you need to convert the [server].crt file that you received into PEM format. Type the following command in your local terminal window (replacing server.crt with the actual name of the server cert file you received) and copy the results into the Public Key Certificate field on Amazon.
$ openssl x509 -inform PEM -in server.crt
- Finally you need the certificate chain certification. The Amazon form says this is ‘optional’. It isn’t. Type this command in your local terminal window and copy the results into the Certificate Chain field on Amazon.
$ openssl x509 -inform PEM -in gd_bundle.crt
- Click Save.
- Give the instance a minute or two to recognize the changes and reboot. If you now visit your site using https, you should no longer get a warning about accessing an untrusted site.
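The same procedure as a script, with the checks worth running before anything is pasted into the Amazon form. This is an added example, not code from the original post: it generates the key and CSR non-interactively (the Distinguished Name is passed with -subj instead of answered at the prompts), verifies that the CSR's Common Name is the intended domain and that the CSR's signature checks out, confirms that an issued certificate really belongs to the private key, writes the bare PEM private key that the ELB field needs, and counts the certificates in a bundle file. It assumes openssl is on PATH; the directory name, the /C=US/... subject and www.mycompany.com are placeholders taken from the post's sample session, and make-csr.sh is a hypothetical file name used only to guard the walk-through at the bottom.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH.
# All names below are placeholders from the post's sample session.
set -e

# Generate a 2048-bit RSA key and a CSR whose Common Name is the site's FQDN.
# -subj supplies the Distinguished Name so openssl asks no questions.
# The key is written unencrypted here (add -des3 to genrsa for the
# passphrase-protected key the post creates; ELB needs it unencrypted anyway).
make_key_and_csr() {
  dir=$1
  domain=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/host.key" -out "$dir/host.csr" \
    -subj "/C=US/ST=Missouri/L=Saint Louis/O=My Company/OU=$domain/CN=$domain"
}

# Print the CSR's Common Name so it can be compared with the intended domain.
# Handles both "subject=/C=US/.../CN=x" and "subject=C = US, ..., CN = x"
# (older and newer OpenSSL output) because CN is the last field either way.
csr_common_name() {
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Check the CSR's self-signature; fails on a CSR that does not match its key
# or that was damaged while being copied around.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Confirm a certificate was issued for this private key by comparing the RSA
# modulus in both. ELB rejects a key/certificate pair that does not match.
key_matches_cert() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus)
  crt_mod=$(openssl x509 -in "$2" -noout -modulus)
  [ "$key_mod" = "$crt_mod" ]
}

# Write the private key as a bare unencrypted PEM block. The post's
# `openssl rsa -text` also dumps the key's numbers in readable form; only the
# -----BEGIN ... END----- block belongs in the ELB Private Key field.
elb_private_key() {
  openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Count the certificates in a file. `openssl x509` prints only the FIRST
# certificate of its input, so running it on gd_bundle.crt drops any further
# intermediates; if this prints more than 1, paste the whole file instead.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Walk-through on the placeholder names; runs only when the script itself is
# executed as make-csr.sh (hypothetical file name).
if [ "${0##*/}" = "make-csr.sh" ]; then
  make_key_and_csr my-ssl-certifications www.mycompany.com
  csr_verify my-ssl-certifications/host.csr
  echo "CSR ready for $(csr_common_name my-ssl-certifications/host.csr)"
  echo "certificates in bundle: $(cert_count my-ssl-certifications/gd_bundle.crt)"
fi
```

Run key_matches_cert against the [server].crt you receive before opening the Amazon form; a mismatch there usually means the CSR was generated from a different key than the one you are about to paste.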