Amazon offers free SSL/TLS certificates for use with many of its services. If you’re already hosting a website on EC2, you can put a load balancer in front of your server and let it terminate HTTPS with one of those certificates.
What is an SSL Certificate?
SSL, and its successor TLS, which is what browsers actually negotiate today, is the protocol used to secure HTTPS connections. If your site is encrypted with it, your user
Many CAs charge hundreds of dollars for certificates, but some places issue them for free. Amazon Web Services issues them at no charge through AWS Certificate Manager (ACM), but only for use on AWS services such as its load balancers, and the load balancers themselves cost more than $16 per month. If that is not an option, you can still get free certificates from LetsEncrypt, which you have to install and renew on your web server yourself.
Nothing prevents you from using LetsEncrypt certificates on EC2 instances, or even uploading them to a load balancer, but ACM certificates are renewed automatically by AWS and integrate with other AWS services. For example, if you use AWS CloudFront, you can reuse the certificate you generated for the load balancer without managing its renewal yourself. One caveat: CloudFront only accepts ACM certificates from the us-east-1 (N. Virginia) region, so request the certificate there if you plan to share it that way.
Create a new SSL certificate through AWS Certificate Manager
For the purposes of this guide, it is assumed that you have some familiarity with EC2 and that you are already running a web server. Which web server doesn’t matter, since the certificate is installed only on the load balancer, but you still need something behind it to serve content.
You will also need access to your domain’s DNS settings, both to add the record that validates your domain and to point the domain at the new load balancer when you’re done.
In the AWS Management Console, click Services in the top bar, search for Certificate, and open Certificate Manager. ACM certificates are regional, so make sure the console is set to the same region where you will create the load balancer.
Under Provision certificates, click Get started.
This certificate is used to secure connections over the Internet and should therefore be public. Select “Request a public certificate” and click “Request a certificate”.
Now you can add your domain name to the certificate. AWS certificates support wildcards, so it is helpful to add "*.yourdomain.com" as well to cover subdomains. Note that a wildcard covers only one level of subdomain and does not cover the bare domain, so list both "yourdomain.com" and "*.yourdomain.com". Add each domain and click “Next”.
Now you need to validate ownership of the domain. AWS offers two methods: DNS and email.
With DNS validation, you add a CNAME record to your domain. If you’re using Amazon Route 53 as your DNS provider, the console can create the record for you. With any other provider you add it by hand, and it can take hours before ACM notices it. DNS validation has a lasting advantage, though: as long as the CNAME stays in place, ACM renews the certificate automatically without any action from you, whereas an email-validated certificate may require you to answer a renewal email later.
Email validation only takes a few minutes. AWS sends a message to the domain’s registered WHOIS contacts as well as to admin@, administrator@, hostmaster@, postmaster@ and webmaster@ at your domain. If you don’t have a mailbox on your domain, you can usually set up forwarding to a public Gmail account through your registrar’s settings. This works just as well.
If you chose DNS validation, expand each domain in the list and copy its “Name” and “Value”. When validating several domains, compare the records before adding them: the bare domain and its wildcard share a single record, but other domains get their own, so you may need to create more than one.
Add a new CNAME record in your DNS provider’s settings and paste the name and value into the form (the interface depends on your provider).
DNS propagation takes minutes, but validation on the AWS side can take a few hours, so maybe have some lunch. If you’re using email validation, it should only take a few minutes after you click the link in the email.
Once that is done, the orange “Pending validation” status switches to a green “Issued”. There is nothing to download; the certificate becomes available to other AWS services automatically.
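The DNS-validation steps above (copy each domain’s Name and Value, check whether several domains share one record, create the CNAMEs, wait for Issued) can be scripted. The following is an added example, not code from the original article: it reads the JSON that `aws acm describe-certificate` or boto3’s `describe_certificate` returns, collapses duplicate records (the bare domain and its wildcard share one), and builds the Route 53 change batch that creates them. The sample response, the domain names and the record values are constructed for illustration; the `validate_with_route53` function is the only part that talks to AWS and needs boto3 plus credentials.

```python
"""Turn an ACM DescribeCertificate response into the Route 53 change batch
that validates it. Added example; the sample data below is constructed."""
import json

# Constructed sample in the shape of `aws acm describe-certificate` output for a
# request covering yourdomain.com, its wildcard, and one unrelated domain.
# Record names and values are fake.
SAMPLE_DESCRIBE_CERTIFICATE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {
                "DomainName": "yourdomain.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.yourdomain.com.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
            {   # the wildcard gets the same record as the bare domain
                "DomainName": "*.yourdomain.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_abc123.yourdomain.com.",
                    "Type": "CNAME",
                    "Value": "_def456.acm-validations.aws.",
                },
            },
            {   # a different domain needs its own record
                "DomainName": "api.otherdomain.com",
                "ValidationStatus": "PENDING_VALIDATION",
                "ValidationMethod": "DNS",
                "ResourceRecord": {
                    "Name": "_789xyz.api.otherdomain.com.",
                    "Type": "CNAME",
                    "Value": "_uvw000.acm-validations.aws.",
                },
            },
        ],
    }
}


def validation_records(describe_output):
    """Return the unique validation records, in the order ACM lists them.
    Duplicates (bare domain + wildcard) are collapsed so each CNAME is
    written once; entries without a ResourceRecord (email-validated names, or
    a response fetched seconds after the request) are skipped."""
    seen = set()
    records = []
    for option in describe_output["Certificate"]["DomainValidationOptions"]:
        rr = option.get("ResourceRecord")
        if rr is None:
            continue
        key = (rr["Name"].lower(), rr["Type"], rr["Value"].lower())
        if key in seen:
            continue
        seen.add(key)
        records.append({"Name": rr["Name"], "Type": rr["Type"], "Value": rr["Value"]})
    return records


def change_batch(records, ttl=300):
    """Route 53 ChangeBatch that UPSERTs every validation record."""
    return {
        "Comment": "ACM DNS validation",
        "Changes": [
            {
                "Action": "UPSERT",
                "ResourceRecordSet": {
                    "Name": r["Name"],
                    "Type": r["Type"],
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": r["Value"]}],
                },
            }
            for r in records
        ],
    }


def validate_with_route53(certificate_arn, hosted_zone_id):
    """Live version: fetch the certificate, write its records into the hosted
    zone, and block until ACM reports it Issued. Needs boto3 and credentials;
    imported lazily so the pure functions above work offline."""
    import boto3
    acm = boto3.client("acm")  # region must be the one the certificate was requested in
    route53 = boto3.client("route53")
    records = validation_records(acm.describe_certificate(CertificateArn=certificate_arn))
    if not records:
        raise RuntimeError("ACM has not published validation records yet; retry shortly")
    route53.change_resource_record_sets(HostedZoneId=hosted_zone_id, ChangeBatch=change_batch(records))
    acm.get_waiter("certificate_validated").wait(CertificateArn=certificate_arn)
    return records


if __name__ == "__main__":
    print(json.dumps(change_batch(validation_records(SAMPLE_DESCRIBE_CERTIFICATE)), indent=2))
```

Run as-is it prints the change batch for the constructed sample (two changes, not three); with a real ARN and hosted zone ID, `validate_with_route53` performs the whole validation. Leave the CNAMEs in place afterwards so ACM can renew the certificate without you.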
Set up a load balancer with your new certificate
Once the certificate is issued, it can be attached to a load balancer. AWS load balancers work like reverse proxies with multiple backends: they accept traffic on a public address and distribute it across many private IP addresses.
We’ll set one up to listen on public port 443 for HTTPS and forward traffic to port 443 on your web server. The backend port could just as well be something else (8080, say), because the hop between the load balancer and the web server is internal; here we assume port 443 is already open on your web server. If it isn’t, open it in the instance’s security group, and when you do, allow that port only from the load balancer’s security group rather than from 0.0.0.0/0, so nobody can bypass the load balancer and reach the instance directly. Forwarding over HTTPS also means the web server needs a certificate of its own, but a self-signed one is enough: an Application Load Balancer does not validate the certificate presented by its targets.
In the EC2 admin console, scroll down the sidebar to find Load Balancers and click Create Load Balancer.
There are several types of load balancers that work at different layers. For simplicity we choose “Application Load Balancer”, which operates at the HTTP layer and handles plain HTTP and HTTPS.
Enter a name for the load balancer and add an HTTPS listener. The port should default to 443, the standard for HTTPS. If you also keep an HTTP listener on port 80, change its default action afterwards from forwarding to a redirect to HTTPS, so visitors who type a bare http:// address end up on the encrypted site.
Click “Next” to go to “Configure Security Settings”, where you choose the certificate (or upload your own if you use a different certificate source). Select “Choose a certificate from ACM” and pick your certificate from the drop-down list. If you don’t see it, click the refresh icon; if it still doesn’t appear, check that the certificate shows as Issued in Certificate Manager and lives in the same region as the load balancer. The same page lets you pick a security policy, which sets the TLS versions and cipher suites the listener accepts. Prefer a policy that requires TLS 1.2 or newer (ELBSecurityPolicy-TLS-1-2-2017-01 or a newer one with “TLS-1-2” or “TLS13-1-2” in its name) over the default, which still accepts TLS 1.0.
Click Next to go to Configure Security Groups and create a new security group for the load balancer. By default it opens ports 80 and 443 to the world, which is what you want for a public site.
Click Next to go to Configure Routing and enter a name for the target group. Set the protocol to HTTPS and the port to match your web server (443 here), and make sure the health check path is one your server answers with a 200, since the load balancer only sends traffic to targets that pass the check.
Click Next to go to Register Targets and select your EC2 instance(s), or enter their private IP addresses, which you can find in the EC2 management console. If you entered them correctly, the interface shows the instance ID and the zone it is in.
Click Next to go to the review. If everything looks good, click Create to set up your load balancer.
Return to the EC2 management console and open the Load Balancers tab. It takes a few minutes, but once the balancer is active you can copy its DNS name. The load balancer’s underlying IP addresses change over time, but the DNS name always resolves to them, so never point your domain at an IP you looked up.
Now point your domain at that DNS name so visitors reach the load balancer, which terminates the encrypted connection and proxies them to your EC2 web server (or servers). For a subdomain such as www, add a CNAME to the load balancer’s DNS name; a bare domain cannot carry a CNAME, so use a Route 53 alias record there (or your provider’s equivalent ALIAS/ANAME feature).
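Once the load balancer is serving traffic, a few things are worth checking that the console wizard does not enforce: the HTTPS listener’s security policy, whether the HTTP listener redirects rather than forwards, and that the instance’s security group admits the backend port only from the load balancer’s security group. The following is an added example, not code from the original article; it runs those checks over the JSON shapes returned by `aws elbv2 describe-listeners` and `aws ec2 describe-security-groups`. The two sample responses and the security group IDs are constructed for illustration and deliberately contain the mistakes the checks are meant to catch.

```python
"""Post-deployment checks for an ALB fronting an EC2 web server.
Added example; the sample API responses and IDs below are constructed."""
import re

ALB_SG = "sg-0aaaaaaaaaaaaaaaa"  # hypothetical: the load balancer's security group
WEB_SG = "sg-0bbbbbbbbbbbbbbbb"  # hypothetical: the EC2 instance's security group
BACKEND_PORT = 443

# Constructed, in the shape of `aws elbv2 describe-listeners --load-balancer-arn ...`
SAMPLE_LISTENERS = {
    "Listeners": [
        {
            "Protocol": "HTTPS",
            "Port": 443,
            "SslPolicy": "ELBSecurityPolicy-2016-08",  # the old default: still accepts TLS 1.0
            "Certificates": [{"CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"}],
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:example"}],
        },
        {
            "Protocol": "HTTP",
            "Port": 80,
            "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:aws:elasticloadbalancing:example"}],
        },
    ]
}

# Constructed, in the shape of `aws ec2 describe-security-groups --group-ids <web sg>`
SAMPLE_SECURITY_GROUPS = {
    "SecurityGroups": [
        {
            "GroupId": WEB_SG,
            "IpPermissions": [
                {   # backend port: reachable from the ALB, but also from the whole internet
                    "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                    "Ipv6Ranges": [],
                    "UserIdGroupPairs": [{"GroupId": ALB_SG, "UserId": "123456789012"}],
                },
                {   # SSH from a single admin address; unrelated to the backend port
                    "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                    "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                    "Ipv6Ranges": [],
                    "UserIdGroupPairs": [],
                },
            ],
        }
    ]
}

# Predefined ELB policy names carrying these markers set TLS 1.2 (or 1.3) as the floor.
TLS12_FLOOR = re.compile(r"^ELBSecurityPolicy-(TLS13-1-[23]|TLS-1-2|FS-1-2)")


def check_listeners(listeners):
    """Flag HTTPS listeners whose policy still accepts TLS 1.0/1.1 or that carry
    no certificate, and HTTP listeners that forward instead of redirecting."""
    findings = []
    for lst in listeners["Listeners"]:
        port = lst["Port"]
        if lst["Protocol"] == "HTTPS":
            policy = lst.get("SslPolicy", "")
            if not TLS12_FLOOR.match(policy):
                findings.append(f"listener :{port} uses {policy}, which still accepts TLS 1.0/1.1")
            if not lst.get("Certificates"):
                findings.append(f"listener :{port} has no certificate attached")
        elif lst["Protocol"] == "HTTP":
            actions = lst.get("DefaultActions", [])
            if not (actions and actions[0]["Type"] == "redirect"):
                findings.append(f"listener :{port} serves plaintext instead of redirecting to HTTPS")
    return findings


def check_backend_sg(groups, web_sg, alb_sg, port):
    """Flag a backend port that is open to the world (so clients can bypass the
    load balancer) or that the load balancer's security group cannot reach."""
    findings = []
    reachable_from_alb = False
    for group in groups["SecurityGroups"]:
        if group["GroupId"] != web_sg:
            continue
        for perm in group["IpPermissions"]:
            if perm["IpProtocol"] not in ("tcp", "-1"):
                continue
            # "-1" (all traffic) rules carry no port range, so treat them as covering everything
            if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
                continue
            if any(p.get("GroupId") == alb_sg for p in perm.get("UserIdGroupPairs", [])):
                reachable_from_alb = True
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in ("0.0.0.0/0", "::/0"):
                    findings.append(f"{web_sg} port {port} is open to {cidr}; clients can bypass the load balancer")
    if not reachable_from_alb:
        findings.append(f"{web_sg} port {port} does not admit the load balancer's group {alb_sg}")
    return findings


def audit(listeners, groups, web_sg=WEB_SG, alb_sg=ALB_SG, port=BACKEND_PORT):
    """All findings for one load balancer and its backend security group."""
    return check_listeners(listeners) + check_backend_sg(groups, web_sg, alb_sg, port)


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENERS, SAMPLE_SECURITY_GROUPS):
        print("FINDING:", finding)
```

On the constructed sample this reports three findings: the listener policy, the plaintext port 80 listener, and the backend port open to 0.0.0.0/0. To run it against a real deployment, feed it the output of the two CLI commands named above (for example via `json.load`) and pass your own group IDs and backend port to `audit`. The policy-name check is a heuristic on AWS’s naming convention for its predefined policies; a custom or future policy name would need to be added to the pattern.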
The same certificate works with many other AWS services. For example, if you registered *.yourdomain.com on the certificate, you can serve S3 content through CloudFront at media.yourdomain.com with it, provided the certificate was requested in us-east-1, the only region CloudFront reads certificates from. You cannot export ACM certificates, so they can only ever be deployed on AWS services, where Amazon manages them and their renewal for you.