AWS is a great platform for hosting web applications, but setting up SSL certificates on it can be confusing at first. In this article, we’ll show you how to set up SSL certificates on AWS using a load balancer. SSL certificates are important for secure web browsing: they encrypt the connection and help protect your website against attacks that try to steal your users’ data or login credentials. The approach here has three parts. First you request a free certificate from AWS Certificate Manager and prove you control the domain. Then you create a load balancer, which distributes traffic among one or more servers, and install the certificate on its HTTPS listener so that it terminates the secure connection on behalf of your web servers. Finally you point your domain name at the load balancer so that visitors reach your site over HTTPS.
What is an SSL Certificate?
SSL is the encryption method used to secure HTTPS connections (modern deployments actually use its successor, TLS, but the name has stuck), and if your site is encrypted with it, your users’ browsers will show the padlock symbol in the URL bar. An SSL certificate is required to use SSL, and you can get one from a Certificate Authority (CA). The CA acts as a third party to verify that your connection is legitimate and that you are who you claim to be (i.e., no one is trying to barge in on your connection).
There’s nothing stopping you from using LetsEncrypt with AWS EC2 instances, or even Load Balancers, but AWS’s certificates are more configurable, renew automatically, and work with other AWS services. For example, if you’re using AWS CloudFront, you can use the same SSL certificate that you generate for the load balancer, without having to worry about renewing them individually. (One caveat: CloudFront only accepts ACM certificates issued in the US East (N. Virginia) region, so request it there if you plan to share it.)
Create a New SSL Certificate From AWS Certificate Manager
For the purposes of this guide, we’ll assume you’re already using EC2 to some degree, and have a web server running. It doesn’t matter what type of web server you’re running, since the certificate will only be installed into the Load Balancer, but you’ll still need something behind it to serve content.
You’ll also need access to your domain name settings, both to add new records to verify your domain, and point your domain to the new Load Balancer once it’s done.
From the EC2 Management Console, click “Services” in the top bar and search for “certificate.” Open the Certificate Manager.
Click on “Get Started” under “Provision Certificates.”
This certificate will be used for securing connections over the internet, so it should be public. Select “public” and click “Request.”
Now you can add your domain name to the certificate. AWS certificates support wildcards, so it might be useful to include “*.yourdomain.com” as well, to secure any subdomains you may have. Note that a wildcard covers only one level of subdomain and does not cover the bare domain itself, so list both “yourdomain.com” and “*.yourdomain.com” if you want both to work. Add any domain you need, then click “Next.”
Now, you’ll need to verify your domain. AWS offers two types of verification: DNS, and Email.
DNS will require you to add a CNAME record to your domain name. If you’re using AWS Route 53 as your DNS provider, this is easy, but if you’re using something else, the process can take hours to verify.
Email only takes a few minutes. AWS will send an email to the registered WHOIS contact, as well as “admin@yourdomain.com” and a few other common webadmin addresses. If you don’t have a mailbox on your domain, you can usually set up email forwarding to a public Gmail account from your registrar’s settings, which will work just as well.
If you’re going with DNS verification, copy the “Name” and “Value” from the domain dropdown. If you’re verifying multiple domains, check if the values are different, as you may have to verify them individually.
From your DNS provider’s settings, add a new CNAME record, and paste the name and value into the form (this interface will vary depending on your provider).
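If you would rather script the DNS step than copy values by hand, here is an added example (not from the article) that takes the output of `aws acm describe-certificate`, pulls out the validation CNAMEs, and builds the change batch for `aws route53 change-resource-record-sets`. It de-duplicates records, since the apex and wildcard entries usually share one, and refuses certificates that were requested with email validation. The ACM response below is a constructed sample with placeholder record names.

```python
"""Turn ACM's DNS-validation records into a Route 53 change batch."""
import json

# Constructed sample of an `aws acm describe-certificate` response for a
# certificate covering the apex and a wildcard (placeholder values, not real).
SAMPLE_DESCRIBE = {
    "Certificate": {
        "DomainName": "yourdomain.com",
        "Status": "PENDING_VALIDATION",
        "DomainValidationOptions": [
            {"DomainName": "yourdomain.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_abc123.yourdomain.com.",
                                "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
            {"DomainName": "*.yourdomain.com", "ValidationMethod": "DNS",
             "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_abc123.yourdomain.com.",
                                "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
        ],
    }
}


def validation_records(describe):
    """Return the unique (name, value) CNAME pairs ACM wants to see in DNS."""
    seen, out = set(), []
    for opt in describe["Certificate"]["DomainValidationOptions"]:
        if opt.get("ValidationMethod") != "DNS":
            raise ValueError(f"{opt['DomainName']} is not DNS-validated")
        rr = opt["ResourceRecord"]
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected record type {rr['Type']}")
        key = (rr["Name"].lower(), rr["Value"].lower())
        if key not in seen:  # apex and wildcard normally share one record
            seen.add(key)
            out.append(key)
    return out


def route53_change_batch(describe, ttl=300):
    """Build the ChangeBatch for `aws route53 change-resource-record-sets`."""
    changes = [{"Action": "UPSERT",
                "ResourceRecordSet": {"Name": name, "Type": "CNAME", "TTL": ttl,
                                      "ResourceRecords": [{"Value": value}]}}
               for name, value in validation_records(describe)]
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    print(json.dumps(route53_change_batch(SAMPLE_DESCRIBE), indent=2))
```

Save the printed JSON to a file and pass it with `--change-batch file://...` together with your hosted zone ID; UPSERT is safe to re-run when ACM renews the certificate with the same record.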
While DNS only takes a few minutes to propagate, AWS may take a few hours to validate the domain, so maybe grab some lunch. If you’re using email verification, it should only take a few minutes after clicking the link in your email.
Once it’s done, you should see the orange “Pending validation” switch to a green “Issued.” You won’t have to download anything; the certificate is automatically usable in other AWS services.
Set Up a Load Balancer With Your New Certificate
Once the certificate is made, it’s ready to be installed into a Load Balancer. AWS Load Balancers work like proxies with multiple endpoints, able to forward traffic from one public IP address to many private IP addresses, and balance the load between them.
We will set one up to listen on the public HTTPS port 443, and forward traffic to port 443 on your web server. The web server port can be different, like port 8080, since the connection between load balancer and web server is internal, but we’re assuming your web server already has port 443 open. If not, you’ll need to open it from your EC2 instance’s security rules. Your web server also needs its own certificate to accept HTTPS on that port; a self-signed one is fine here, because the load balancer does not validate the backend’s certificate.
From the EC2 Management Console, scroll down the sidebar to find “Load Balancers” and click “Create Load Balancer.”
There are a few types of Load Balancer that work at different levels, but for simplicity we’ll choose “Application Load Balancer,” which balances basic HTTP and HTTPS.
From the options, give it an internal name, and add an HTTPS listener. It should default to port 443, the standard for HTTPS.
Click next to go to “Configure Security Settings” and you’ll be presented with an option to choose a certificate (or upload your own, if you’re using a different SSL service). Select “Choose a certificate from ACM,” and select your certificate from the dropdown. If you don’t see it, try hitting the green refresh icon, and if it still isn’t there, you should check your settings in the Certificate Manager.
Click next to go to “Configure Security Groups,” and make a new security group. It will default to having ports 80 and 443 open, which is what you likely want.
Click next to go to “Configure Routing,” and enter an internal name for the target group. Make sure the protocol is set to HTTPS.
Click next to go to “Register Targets,” and enter the private IP address of your EC2 instance(s), which you can find from the EC2 Management Console. If you entered them correctly, the interface should show the instance ID and the zone it’s in.
Click next to go to the review, and if everything looks good, click “Create” to set up your Load Balancer.
Go back to the EC2 Management Console and click the Load Balancers tab. It will take a few minutes, but once your balancer is set up you will be able to copy the DNS address. The actual IP address of your Load Balancer will change, but the DNS address will always point to it.
Finally, update your domain’s DNS so that it points at this address instead of your instance’s IP: replace the existing A record with a CNAME pointing at the Load Balancer’s DNS name (the bare domain cannot be a CNAME, so at the apex use a Route 53 alias record instead). Visitors will then be directed to your Load Balancer, which terminates the secure connection and forwards them to your EC2 web server (or servers).
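Once DNS has propagated, it is worth checking that the certificate the Load Balancer actually serves covers every hostname you intend to use. This added script (not from the article) connects to the domain over TLS, reads the leaf certificate’s subject alternative names, and reports any hostnames that are not covered, applying the usual wildcard rule: “*.yourdomain.com” matches exactly one label, so it covers “www.yourdomain.com” but not the apex. The pure matching functions run offline; only `fetch_sans` touches the network, and the hostnames are assumed placeholders.

```python
"""Check that the certificate served at your domain covers the hostnames."""
import socket
import ssl


def san_matches(pattern, hostname):
    """Match one DNS SAN against a hostname. A '*' may only stand for the
    whole leftmost label, so '*.yourdomain.com' covers 'www.yourdomain.com'
    but neither the apex 'yourdomain.com' nor 'a.b.yourdomain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_by(sans, hostname):
    """True if any SAN on the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered(sans, hostnames):
    """Return the hostnames you intend to serve that the SAN list misses."""
    return [h for h in hostnames if not covered_by(sans, h)]


def fetch_sans(hostname, port=443, timeout=5):
    """Connect through the domain to the Load Balancer and read the leaf
    certificate's DNS SANs. The chain is still validated (CERT_REQUIRED);
    only the built-in hostname check is disabled so a mismatch is reported
    by uncovered() instead of raising before we can inspect the cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"  # placeholder
    sans = fetch_sans(host)
    missing = uncovered(sans, [host, "www." + host])
    print("SANs:", sans)
    print("not covered:", missing or "none")
```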