Holistic Guide to Install an SSL Certificate on Amazon EC2, Apache, and Linux CentOS
Website security begins by securing the server because it provides users with the data they are searching for. Especially the communication between browsers and servers needs to be secure so that if users interact with the website, their data is secure. One way to secure a server is to install an SSL certificate.
Why install an SSL certificate?
SSL certificates encrypt the data on the server and scramble it, which is unreadable for cyber attackers. The intended recipient can use a security key to decrypt it. So, if you install an SSL certificate on your web server, the data access for users becomes secure. However, the process for installation of SSL certificates can differ based on the type of server you are using.
For example, if you are installing an SSL certificate on an Amazon EC2 instance, you need to connect the instance and install it. On the other hand, you need a MOD SSL installed in Apache or Linux to install an SSL certificate.
This guide focuses on installing SSL certificates for Amazon EC2, Apache, and Linux CentOS. First, let us understand the process of getting an SSL certificate for your web server.
How to Get an SSL Certificate for Your Website?
You can buy SSL certificates from leading authorized resellers or certificate authorities (CAs) like DigiCert, Comodo, Sectigo, and more. The first step to getting the SSL certificate is to choose the suitable type and generate a Certificate Signing request (CSR).
You must submit CSR to CA with all the required business details like location, registration information, etc. After that, you need to complete the configuration process. Once the CA will verify it, the authority issues an SSL certificate for your web server.
Now that we know how to get an SSL certificate, let us discuss the installation process for Amazon EC2 instances, Linux CentOS, and Apache servers.
Steps to Install SSL Certificate on Amazon EC2 Instances
If you want to install an SSL certificate on EC2 instances, a CSR and private key generation are crucial. To create CSR on your Amazon EC2 server, you can use OpenSSL commands within your EC2 server.
The first step to generating CSR and the private key is to connect to your EC2 instance. There are many different approaches to connect instances. For example, the steps involved in connecting the instances from a Windows machine differ from macOS.
However, you can use AWS Systems Manager to connect with the Linux instances or use EC2 Instance Connect. An effective way is to use an instance fingerprint. You may be prompted to verify the fingerprint when you connect with an instance.
So, how to get a fingerprint for your instances?
To get your instance fingerprint,
- Use the console on your local computer and input the following AWS CLI command to obtain a fingerprint, aws ec2 get-console-output --instance-id instance_id --output text > temp.txt
Please note that you need to be the instance owner to get the desired console output. The following output shows the instance fingerprint you will get executing the AWS CLI command,
ec2:
#############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 SHA256:7HItIgTONZ/b0CH9c5Dq1ijgqQ6kFn86uQhQ5E/F9pU root@ip-10-0-2-182 (DSA)
ec2: 256 SHA256:l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY root@ip-10-0-2-182 (ECDSA)
ec2: 256 SHA256:kpEa+rw/Uq3zxaYZN8KT501iBtJOIdHG52dFi66EEfQ no comment (ED25519)
ec2: 2048 SHA256:L8l6pepcA7iqW/jBecQjVZClUrKY+o2cHLI0iHerbVc root@ip-10-0-2-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2:
#############################################################
Once your EC2 instance is connected, go to the server’s private key store through “/etc/pki/tls/private/.” Now generate a new 2048-bit RSA private key, and run the following command,
[ec2-user ~]$ sudo openssl genrsa -out custom. essentialNow, you can use the private key to generate CSR for Amazon EC2 instances and submit it to a certificate authority to get an SSL certificate. Run the following command for CSR generation from the private key,
[ec2-user ~]$ sudo openssl req -new -key custom.key-out csr. pemA new window will open where you need to fill in the following details
Country (2-letter ISO abbreviation)
- State/Province (full name)
- Locality (city or region)
- Organization Name (full legal name)
- Common Name (domain name or public IP address)
Next, OpenSSL will ask for a password that you can set. Once you provide the passphrase, CSR will be generated as a .pem file.
Open CSR in a Notepad, copy the complete code, including the header and footer, and paste it into your SSL submission form. CA will review the details, validate it and issue an SSL certificate sent through a bundle via email.
Download the certificate files from the CA bundle received by email. You need a server certificate, an intermediate certificate, and a private key to install SSL on AWS EC2. The next step is to save these files in a directory on the EC2 instance.
Save certificate files to the “/etc/pki/tls/certs” directory. Open certificate files in a note page, copy the entire file content and paste it on a notepad in EC2 instance. You will need root [sudo] permissions to access Notepad on EC2 instances and paste certificate file content.
To install an SSL certificate on AWS, checking and configuring the file permission settings becomes crucial. It provides insights into file permission settings for application publishers, teams, and read/write permissions.
Check whether the above permission settings for owner, group and read/write access matches the default setting with the following commands,
[ec2-user certs]$ sudo chown root: root custom.crt
[ec2-user certs]$ sudo chmod 600 custom.crt
[ec2-user certs]$ ls -al custom.crtIt will result in the following output,
-rw------- root root custom.crtSimilarly; you can check the settings for an intermediate certificate using the following commands,
[ec2-user certs]$ sudo chown root:root inter.crt
[ec2-user certs]$ sudo chmod 644 inter.crt
[ec2-user certs]$ ls -al inter.crtIt will provide the following output,
-rw-r--r-- root root inter.crt
To save the private key file downloaded from the CA bundle, go to the directory- “/etc/pki/tls/private/.” Open the private key file content on a Notepad, copy, and paste it into the directory’s text editor.
You can check the file permissions for the private key by using the below command,
[ec2-user private]$ sudo chown root: root custom.key
[ec2-user private]$ sudo chmod 600 custom.key
[ec2-user private]$ ls -al custom. key
Your certificate configuration file may be located in ” /etc/httpd/conf.d/ssl.conf. “
- To configure the SSL certificate for AWS EC2 instances, you need to provide the path and file name of the server certificate in the SSLCertificateFile directive. In this example, the server certificate is named my. crt.
SSLCertificateFile /etc/pki/tls/certs/my.crt
- For the SSLCACertificateFile directive, specify the path and filename of the intermediate CA Certificate (e.g., inter. crt).
SSLCACertificateFile /etc/pki/tls/certs/inter.crt
- Enter the file path and name of the private key in the SSLCertificateKeyFile directive
SSLCertificateKeyFile /etc/pki/tls/private/my.key
- Save the configuration file to /etc/httpd/conf.d/ssl.conf.
- Restart the server with this command:
[ec2-user ~]$ sudo systemctl restart httpd
- To test the SSL certificate installation, go to your domain using the HTTPS:// protocol prefix.
Note: If the SSL has been installed, your page will load securely over HTTPS and see the standard SSL padlock indicator.
To install SSL certificate, you need to generate CSR for Linux through OpenSSL or CSR generation too. Once you generate CSR, submit it to CA, and an SSL certificate will be issued. Installing an SSL certificate on Linux Cent OS requires a module called mod_ssl.
Use the following command to check if mod_ssl is installed on your system,
rpm -qa | grep mod_sslIf not installed, use the following command to install mod_ssl,
dnf install mod_ssl
A certificate chain includes a private key with root, intermediate, and server certificates.
cat pub-key.pem ca-chain.pem > full-chain.pemStore the .pem file containing the SSL certificate chain in “/etc/pki/tls/certs,” and the private key in the “/etc/pki/tls/private/” directory on your Apache server:
You can further restrict access to your private key by using the following command,
chmod -R 600 /etc/pki/tls/private/
Place the following code block in the configuration file of your domain,
SSLEngine, on
# The path to the SSL certificate chain
SSLCertificateFile /etc/pki/tls/certs/full-chain.pem
# The path to the private key
SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
# The path to the content of your website.
AllowOverride All
# The path to the content of your website
DocumentRoot/var/www/mydomain.com
# Domain name of website
ServerName mydomain.com
ServerAlias mydomain.com
Replace mydomain.com with the actual domain name. If you don’t have a configuration file, you can use the nano command and specify the path to the file to create one. You can run the command "nano /etc/httpd/conf.d/mydomain.conf" to create the file for your domain.
Once you have created the file, save it and move it into the appropriate directory using the command "mv /path/to/mydomain.conf /etc/httpd/conf.d/".
With this configuration file in place, you can make any necessary changes to your server settings and ensure your website runs smoothly.
You must edit your Apache configuration file to add HTTPS redirects to your .conf file. Once you have located the configuration file, open it in a text editor and add the following lines:
ServerName mydomain.com
ServerAlias www.mydomain.com
Redirect"/" "https://mydomain.com/"
Save the changes and close the file. Then, restart Apache for the changes to take effect.
After you have added the redirects, all HTTP requests to your domain will be redirected to HTTPS. This will help improve your website's security and protect visitors' data.
Save the configuration changes, close the file, and restart the Apache server using the following command,
systemctl restart httpdSteps to Install SSL Certificate on Apache
CSR generation for the Apache server is the same as for the Linux server. Once you get the certificate files after the submission of CSR, find the Apache configuration file (httpd. conf).
The name and location of the configuration file can vary depending on the server and interface used for server configuration management.
Apache's main configuration file is usually named httpd. conf or apache2.conf and can be found in locations such as /etc/httpd/ or /etc/apache2/. For a comprehensive list of default installation layouts for Apache HTTPD on different operating systems and distributions, please refer to the Httpd Wiki - DistrosDefaultLayout.
The SSL certificate configuration is commonly located in a separate configuration file under directories like /etc/httpd/vhosts.d/, /etc/httpd/sites/, or in a file named httpd-ssl.conf, within a <VirtualHost> block.
One way to locate the SSL Configuration is to search using grep. Use the following command to locate the configuration file,
grep -i -r "SSLCertificateFile" /etc/httpd/Replace /etc/httpd/ with the base directory. Please locate the SSL <VirtualHost> block that requires configuration. Configure the <VirtualHost> block as per below example,
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.mydomain.com
SSLEngine on
SSLCertificateFile /path/to/my_domain_name.crt
SSLCertificateKeyFile /path/to/my_private.key
SSLCertificateChainFile /path/to/CA.crt
</VirtualHost>Now, test your Apache configuration file for any errors before restarting the server by running the following command
apachectl configtestRestart the server and check if the SSL certificate is working.
Conclusion
Securing your servers is crucial to protect your website against cyber threats like man-in-the-middle attacks and others. When you install an SSL certificate, not only does the website protection get a boost, but your search engine rankings also surge because HTTPS is a key ranking factor for many search engines. However, the steps for installation of an SSL certificate can vary based on operating systems.
