Amazon offers free SSL certificates to use with many of their services. If you are already using EC2 for web hosting, you can add a Load Balancer in front of your server to secure your traffic over HTTPS.
What is an SSL certificate?
SSL (and its successor, TLS) is the protocol used to encrypt HTTPS connections; if your site uses it, your users’ browsers will display the padlock symbol in the URL bar. An SSL certificate is required to use SSL, and you obtain one from a certificate authority (CA). The CA acts as a trusted third party that verifies you control the domain, so browsers can confirm that the server they reach is really yours (i.e. that no one is intercepting or impersonating the connection).
Many CAs charge hundreds of dollars for certificates, but you can get them for free from a few places. Amazon Web Services offers them for free if you use their load balancers, but the load balancers themselves cost $16+ per month. If this is not an option, you can still get free SSL certificates from Let's Encrypt, which you will need to install (and renew) on your web server yourself.
Nothing prevents you from using Let's Encrypt with AWS EC2 instances, or even with load balancers, but AWS certificates are more configurable and integrate with other AWS services. For example, if you use AWS CloudFront, you can reuse the same SSL certificate that you create for the load balancer, without having to worry about renewing each copy individually.
Create a New SSL Certificate from AWS Certificate Manager
For the purposes of this guide, we’ll assume that you are already using EC2 to some extent and that you have a running web server. It doesn’t matter what kind of web server you are running because the certificate will only be installed in the load balancer, but you will still need something behind it to serve content.
You will also need to access your domain name settings, both to add new records to validate your domain and to point your domain to the new load balancer when done.
In the EC2 Management Console, click “Services” on the top bar and search for “certificate”. Open the certificate manager.
Click “Get Started” under “Provide Certificates”.
This certificate will be used to secure connections over the Internet, so it should be public. Select “public” and click on “Request”.
You can now add your domain names to the certificate. AWS certificates support wildcards, so it is usually helpful to also include “*.yourdomain.com” to cover any subdomains you have. Add the domains you need, then click “Next”.
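A wildcard entry does not cover every name you might expect: “*.yourdomain.com” matches one label only, so it covers www.yourdomain.com but neither the bare yourdomain.com nor api.staging.yourdomain.com. The following check is an added example (not code from the guide) that takes the list of domain names you would enter in Certificate Manager and reports which planned hostnames the certificate would and would not secure; the domain list and hostnames are constructed sample values.

```python
"""Check which hostnames an ACM certificate's domain list actually covers.

Added example, not code from the original guide. The domain list is a
constructed stand-in for the names you would enter in Certificate Manager.
"""
from __future__ import annotations


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one DNS label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a leading "*." wildcard is accepted; no other "*" anywhere else.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]  # ".yourdomain.com"
    if not hostname.endswith(suffix):
        return False
    label = hostname[: -len(suffix)]
    # Exactly one non-empty label: "*.x.com" does not cover "a.b.x.com" or "x.com".
    return bool(label) and "." not in label


def covered(cert_domains: list[str], hostname: str) -> bool:
    """True if any name on the certificate matches the hostname."""
    return any(san_matches(d, hostname) for d in cert_domains)


def uncovered(cert_domains, hostnames):
    """Return the hostnames the certificate would NOT secure."""
    return [h for h in hostnames if not covered(cert_domains, h)]


# Constructed sample: a certificate requested for the apex plus a wildcard.
CERT_DOMAINS = ["yourdomain.com", "*.yourdomain.com"]

# Constructed sample: hostnames you intend to serve via the load balancer or CloudFront.
PLANNED_HOSTS = [
    "yourdomain.com",
    "www.yourdomain.com",
    "media.yourdomain.com",
    "api.staging.yourdomain.com",   # two labels deep: not covered by *.yourdomain.com
    "yourdomain.com.evil.example",  # suffix lookalike: must never match
]

if __name__ == "__main__":
    for host in PLANNED_HOSTS:
        status = "covered" if covered(CERT_DOMAINS, host) else "NOT covered"
        print(f"{host:32} {status}")
```

Run it with the names you plan to use before requesting the certificate; every hostname reported as NOT covered needs its own entry (or a wildcard at the right depth) in Certificate Manager.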
You will now need to validate your domain. AWS offers two types of verification: DNS and email.
DNS validation asks you to add a CNAME record to your domain. If you use AWS Route 53 as your DNS provider this is easy, but with another provider validation may take hours.
Email validation only takes a few minutes. AWS will send an email to the registered WHOIS contact, along with a few standard administrator addresses at your domain (admin@, webmaster@ and the like). If you don’t have a mailbox at your domain, you can usually configure email forwarding to a public Gmail account from your registrar settings, which will work just as well.
If you opt for DNS validation, copy the “Name” and “Value” shown under each domain in the list. If you are validating multiple domains, check whether the values differ, as you may need to add a record for each one individually.
From your DNS provider settings, add a new CNAME record and paste the name and value into the form (this interface varies depending on your provider).
While DNS only takes a few minutes to propagate, AWS can take a few hours to validate the domain, so maybe grab some lunch. If you are using email verification, it should only take a few minutes after clicking the link in your email.
Once this is done, you should see the orange “Pending validation” status turn into a green “Issued”. You don’t have to download anything; the certificate is automatically usable in other AWS services.
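If you script the DNS validation step instead of clicking through it, the records ACM expects are in the output of `aws acm describe-certificate`, and the apex and wildcard entries share one CNAME while other domains get their own. The following script is an added example (not the guide's code) that parses a constructed document in that shape and emits the Route 53 change batch you would hand to `aws route53 change-resource-record-sets --change-batch file://...`; the ARN, record names and values are placeholders, not real ACM tokens.

```python
"""Turn ACM's pending DNS-validation records into a Route 53 change batch.

Added example, not the guide's own code. Input is JSON in the shape that
`aws acm describe-certificate` returns; the sample below is constructed and
its names/values are placeholders.
"""
import json

# Constructed stand-in for `aws acm describe-certificate --certificate-arn ...`
# for a certificate requested with the apex plus a wildcard (same CNAME for both)
# and one extra domain that has already been validated.
DESCRIBE_CERTIFICATE_OUTPUT = """
{
  "Certificate": {
    "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-ID",
    "DomainName": "yourdomain.com",
    "Status": "PENDING_VALIDATION",
    "DomainValidationOptions": [
      {"DomainName": "yourdomain.com", "ValidationStatus": "PENDING_VALIDATION",
       "ValidationMethod": "DNS",
       "ResourceRecord": {"Name": "_placeholder1.yourdomain.com.", "Type": "CNAME",
                          "Value": "_placeholder1.acm-validations.aws."}},
      {"DomainName": "*.yourdomain.com", "ValidationStatus": "PENDING_VALIDATION",
       "ValidationMethod": "DNS",
       "ResourceRecord": {"Name": "_placeholder1.yourdomain.com.", "Type": "CNAME",
                          "Value": "_placeholder1.acm-validations.aws."}},
      {"DomainName": "shop.yourdomain.com", "ValidationStatus": "SUCCESS",
       "ValidationMethod": "DNS",
       "ResourceRecord": {"Name": "_placeholder2.shop.yourdomain.com.", "Type": "CNAME",
                          "Value": "_placeholder2.acm-validations.aws."}}
    ]
  }
}
"""


def pending_validation_records(describe_output: str):
    """Return the distinct (name, type, value) records still awaiting validation."""
    cert = json.loads(describe_output)["Certificate"]
    records = []
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS":
            continue
        if opt.get("ValidationStatus") != "PENDING_VALIDATION":
            continue
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM has not produced the record for this domain yet
            continue
        record = (rr["Name"], rr["Type"], rr["Value"])
        if record not in records:  # apex and wildcard share one CNAME
            records.append(record)
    return records


def route53_change_batch(describe_output: str, ttl: int = 300) -> dict:
    """Build an UPSERT change batch covering every pending validation record."""
    changes = []
    for name, rtype, value in pending_validation_records(describe_output):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": rtype,
                "TTL": ttl,
                "ResourceRecords": [{"Value": value}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(DESCRIBE_CERTIFICATE_OUTPUT), indent=2))
```

UPSERT is used rather than CREATE so that re-running the script after a partial attempt does not fail on an existing record; records whose status is already SUCCESS are skipped.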
Configure a load balancer with your new certificate
Once the certificate is created, it is ready to be installed in a load balancer. AWS Load Balancers function as proxies with multiple endpoints, capable of forwarding traffic from one public IP address to many private IP addresses and balancing the load between them.
We will configure one to listen on public HTTPS port 443 and forward traffic to port 443 on your web server. The web server port could be different, such as 8080, because the connection between the load balancer and the web server is internal, but we are assuming that your web server already has port 443 open. Otherwise, you will need to open it in the security group of your EC2 instance.
In the EC2 Management Console, scroll down the sidebar to find “Load Balancers” and then click “Create Load Balancer”.
There are a few types of load balancers that work at different layers, but for simplicity we will choose “Application Load Balancer,” which balances HTTP and HTTPS traffic.
In the options, give it an internal name and add an HTTPS listener. It should default to port 443, the standard for HTTPS.
Click Next to go to “Configure security settings” and you will be presented with an option to choose a certificate (or upload your own, if you are using another SSL service). Select “Choose a certificate from ACM” and pick your certificate from the drop-down list. If you don’t see it, try clicking the green refresh icon, and if it’s still not there, check your settings in Certificate Manager.
Click Next to go to “Configure Security Groups” and create a new security group. By default, ports 80 and 443 will be open, which is what you probably want.
Click Next to go to “Configure Routing” and enter an internal name for the target group. Make sure the protocol is set to HTTPS.
Click Next to go to “Register Targets”, then enter the private IP address of your EC2 instance(s), which you can find in the EC2 Management Console. If you entered them correctly, the interface should display the instance ID and the Availability Zone it is located in.
Click Next to go to the Review step, and if everything looks correct, click “Create” to provision your load balancer.
Return to the EC2 Management Console and click the Load Balancers tab. It will take a few minutes, but once your balancer is provisioned you will be able to copy its DNS name. The actual IP addresses behind your Load Balancer can change, but the DNS name will always point to it.
You will want to point your domain name at this DNS name instead of your server’s IP address, so that visitors are directed to your Load Balancer, which secures the connection and forwards them to your EC2 web server(s).
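Once the load balancer exists, it is worth checking that what the console produced matches the setup described above: a port 443 listener with the ACM certificate attached, a target group that speaks HTTPS to the instances, and, because the security group opens port 80 as well, a port 80 listener that redirects to HTTPS rather than serving plain HTTP. The following audit is an added example (not the guide's code) that runs over JSON in the shape returned by `aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups`; the documents are constructed, every ARN is a placeholder, and the allow-list of TLS 1.2+ security policies is an assumption made for the example.

```python
"""Audit an Application Load Balancer's listeners against the setup in this guide.

Added example, not the guide's own code. Input is JSON in the shape returned by
`aws elbv2 describe-listeners` and `aws elbv2 describe-target-groups`; the
documents below are constructed and every ARN is a placeholder.
"""
import json

# Allow-list of listener security policies that negotiate only TLS 1.2 or newer.
# This selection is an assumption for the example; the console default,
# ELBSecurityPolicy-2016-08, still permits TLS 1.0 and 1.1.
MODERN_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",
    "ELBSecurityPolicy-TLS-1-2-2017-01",
    "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
}

# Constructed: the listeners the click-through above typically produces.
LISTENERS_JSON = """
{"Listeners": [
  {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/PLACEHOLDER/1",
   "Port": 443, "Protocol": "HTTPS",
   "Certificates": [{"CertificateArn": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"}],
   "SslPolicy": "ELBSecurityPolicy-2016-08",
   "DefaultActions": [{"Type": "forward",
                       "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/PLACEHOLDER"}]},
  {"ListenerArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:listener/app/web/PLACEHOLDER/2",
   "Port": 80, "Protocol": "HTTP",
   "DefaultActions": [{"Type": "forward",
                       "TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/PLACEHOLDER"}]}
]}
"""

# Constructed: the HTTPS target group created in the "Configure Routing" step.
TARGET_GROUPS_JSON = """
{"TargetGroups": [
  {"TargetGroupArn": "arn:aws:elasticloadbalancing:REGION:ACCOUNT:targetgroup/web/PLACEHOLDER",
   "TargetGroupName": "web", "Protocol": "HTTPS", "Port": 443}
]}
"""


def target_group_arns(action):
    """Collect target-group ARNs from either shape of a forward action."""
    if "TargetGroupArn" in action:
        return [action["TargetGroupArn"]]
    return [tg["TargetGroupArn"] for tg in action.get("ForwardConfig", {}).get("TargetGroups", [])]


def audit(listeners_json, target_groups_json):
    """Return a list of findings; an empty list means the listeners match the guide."""
    listeners = json.loads(listeners_json)["Listeners"]
    groups = {tg["TargetGroupArn"]: tg for tg in json.loads(target_groups_json)["TargetGroups"]}
    findings = []

    https = [l for l in listeners if l["Protocol"] == "HTTPS" and l["Port"] == 443]
    if not https:
        findings.append("no HTTPS listener on port 443")
    for listener in https:
        certs = [c["CertificateArn"] for c in listener.get("Certificates", [])]
        if not certs:
            findings.append("HTTPS listener has no certificate attached")
        elif not any(arn.startswith("arn:aws:acm:") for arn in certs):
            findings.append("HTTPS listener certificate is not from ACM (manual renewal needed)")
        policy = listener.get("SslPolicy", "")
        if policy not in MODERN_SSL_POLICIES:
            findings.append(f"HTTPS listener uses {policy}, not a TLS 1.2+ policy")
        for action in listener["DefaultActions"]:
            if action["Type"] != "forward":
                continue
            for arn in target_group_arns(action):
                tg = groups.get(arn)
                if tg is None:
                    findings.append(f"HTTPS listener forwards to unknown target group {arn}")
                elif tg["Protocol"] != "HTTPS":
                    findings.append(f"target group {tg['TargetGroupName']} is {tg['Protocol']}, "
                                    "so the hop to the instances is unencrypted")

    for listener in listeners:
        if listener["Protocol"] == "HTTP" and listener["Port"] == 80:
            redirects = any(a["Type"] == "redirect"
                            and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                            for a in listener["DefaultActions"])
            if not redirects:
                findings.append("port 80 listener serves plain HTTP instead of redirecting to HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit(LISTENERS_JSON, TARGET_GROUPS_JSON) or ["no findings"]:
        print("-", finding)
```

On the constructed input the audit reports two findings: the listener is on the permissive console-default security policy, and the port 80 listener forwards plain HTTP instead of redirecting. Both are fixed on the listener itself (edit the security policy; change the port 80 default action to a redirect to HTTPS) without touching the certificate.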
This same certificate will work with many other AWS services; for example, if you registered *.yourdomain.com on the certificate, you will be able to serve S3 content through CloudFront on media.yourdomain.com using the same certificate. You cannot download the certificate or its private key, so it will always be locked to AWS services and managed by Amazon.