How to install an SSL certificate on Amazon EC2 Linux AMI


Hey guys, I’m back with a new article about installing an SSL certificate on Amazon EC2 Linux AMI 64 bit. It’s quite easy to install SSL certificates on cPanel or managed hosting, but when you are hosted on Amazon EC2 you are the manager, developer, maintainer and Superman behind your blog or website if you are doing all the stuff alone. I installed an SSL certificate on my blog and another website of mine just a few months ago, with a lot of confusion and struggle because of the lack of details I could find on the web. There are articles about installing SSL on Apache, but trust me, they are all different in one way or another, especially when installing on EC2.

I had to figure out 80% of the work on my own, from enabling Apache for SSL to successfully activating SSL on my WordPress blog. I will not discuss the need for SSL in this article, as you can find it on Google easily. This website also has an SSL certificate; look at the address bar with a green lock icon. Let’s just start our work, quick and easy. I have created a video guide following this article; you can watch the video below or follow along with this article.

How to install an SSL certificate on Amazon EC2 Linux AMI

I’m listing each and every step to avoid any error occurring in the server configuration. Please follow slowly and be patient; don’t go away, it is very easy.

What I am using

  1. Amazon EC2 Linux AMI 64-bit
  2. Free SSL certificate from StartCom. Get a free SSL Certificate from StartSSL
  3. Ubuntu

Preparing files we need

When you have an SSL certificate, you will have a few files with you. Please make sure you have the files below.

  1. ssl.crt
  2. sub.class1.server.ca.pem
  3. private.key (decrypted version of ssl.key )

Please refer to the article below for more details.

Get your free SSL certificate from StartSSL

Installing Certificate

Log in to your Amazon Linux AMI with your favorite tool; here I’m using the Ubuntu terminal to log into my EC2. Upload the certificate files we generated above to your home directory; I’m using WinSCP to upload files to my EC2.

Placing our files in proper directory

You can put your certificate files in any directory, but remember the path to the files, which is required when editing the configuration files. We will put all certificate files in the conf directory in this article.

Type in the commands below to copy your certificate files to the conf directory. (Make sure your files are in the directory you run the commands from; the home directory, if you uploaded them as described above.)


sudo cp private.key /etc/httpd/conf/private.key

sudo cp ssl.crt /etc/httpd/conf/ssl.crt

sudo cp sub.class1.server.ca.pem /etc/httpd/conf/sub.class1.server.ca.pem


Check if SSL module is installed (if you are not sure)

Type this command,

ls -l /etc/httpd/conf.d

A list of files will be shown. If you see a file named ssl.conf, then you are good to move to the section Editing ssl.conf file below; otherwise follow along.

If ssl.conf is not there in the directory, then you need to install the SSL module for Apache, which is not enabled by default in some installations. Type the command below in your EC2 to install the SSL module.

sudo yum install mod_ssl

If you have installed httpd24 in your EC2, you will get a httpd24 conflict with httpd ….. ERROR message; in that case type the command below instead.

sudo yum install mod24_ssl

Editing ssl.conf file

Change your current directory to conf.d by typing the command below.

cd /etc/httpd/conf.d

Now that you are inside the conf.d directory, where our ssl.conf file exists, edit this file with your favorite editor. I’m using the nano editor for easy editing.

Type in the command below to edit the ssl.conf file.

sudo nano ssl.conf


Press ctrl + w to enter search mode.

Type sslcertificatefile and press Enter

Press ctrl + w again and press Enter to search for the next instance of the matched string. Repeat the process until you reach the line shown below. (Around 2 – 3 searches)

# marks a comment in configuration files, and we need to comment out the line below by inserting one # at the start:

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Now press ctrl + w, type SSLCertificateKeyFile and press Enter.

Repeat the process I mentioned above to find the line below, and comment it out the same way by inserting one # at the start:

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Now press ctrl + w, type SSLCertificateChainFile and press Enter.

Find line #SSLCertificateChainFile /[do not care]/usually/path/to/file

Here the line #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt is already commented; if it is not, add a # to comment it out.

All the necessary changes are done at this point, and in this step we will add our certificate details.

You are now at this line: #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

Below this line, add the following lines without a # at the beginning.

SSLCertificateFile /etc/httpd/conf/ssl.crt

SSLCertificateKeyFile /etc/httpd/conf/private.key

SSLCertificateChainFile /etc/httpd/conf/sub.class1.server.ca.pem


Final change in configuration file

Press ctrl + w and type SSLCipherSuite

You will find the cipher suite section. Make the changes highlighted in the image and add the line below.

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM


Now press ctrl + x; when prompted, press y and then just press Enter to save the file.

Test the configuration we did above

On the command line, type the command below to test the configuration file.

apachectl -t

If there are any errors, solve them by referring to the line number reported. Make sure the file paths are correct. If you have stored the certificate files somewhere else, then change the file paths accordingly.

If the status is OK, you are good to go ahead and restart your server.

sudo service httpd restart
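
A check to run next to apachectl -t before the restart above, added here as an example (not part of the original article): it reads an ssl.conf and reports any active SSLCertificate*File directive whose file is missing, a private key readable by group or others, and an SSLCipherSuite that enables RC4, which RFC 7465 prohibits for TLS. The function name audit_ssl_conf and the sample files built in a temp directory (including a chain file copied under a mistyped name) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an ssl.conf after the edits described in this article.
# audit_ssl_conf is a hypothetical helper; it prints one finding per line, or OK.
audit_ssl_conf() {
    conf=$1; bad=0
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        # Commented lines are skipped: their first field starts with '#'.
        paths=$(awk -v d="$d" 'tolower($1) == tolower(d) { print $2 }' "$conf")
        [ -n "$paths" ] || { echo "MISSING $d"; bad=1; }
        for p in $paths; do
            if [ ! -f "$p" ]; then echo "NOFILE $d $p"; bad=1; continue; fi
            if [ "$d" = SSLCertificateKeyFile ]; then
                # Characters 5-10 of the ls mode string are the group/other bits.
                mode=$(ls -ld "$p" | cut -c5-10)
                [ "$mode" = "------" ] || { echo "KEYPERMS $p"; bad=1; }
            fi
        done
    done
    # A token such as RC4+RSA enables RC4; !RC4 or -RC4 removes it.
    if awk 'tolower($1) == "sslciphersuite" { print $2 }' "$conf" |
        tr ':' '\n' | grep -Eq '^\+?RC4'; then
        echo "WEAKCIPHER RC4"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo OK
    return 0
}

# Constructed sample mirroring the article's layout, in a temp dir, not /etc/httpd.
demo_dir=$(mktemp -d)
for f in ssl.crt private.key sub.clashs1.server.ca.pem; do
    echo "constructed placeholder" > "$demo_dir/$f"
done
chmod 644 "$demo_dir/private.key"   # constructed: key left group/world readable
cat > "$demo_dir/ssl.conf" <<EOF
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
SSLCertificateFile $demo_dir/ssl.crt
SSLCertificateKeyFile $demo_dir/private.key
SSLCertificateChainFile $demo_dir/sub.class1.server.ca.pem
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
EOF
audit_ssl_conf "$demo_dir/ssl.conf"
```

On the server, point the function at /etc/httpd/conf.d/ssl.conf. A KEYPERMS finding is cleared by sudo chmod 600 on the key file, and WEAKCIPHER by replacing the RC4+RSA token with !RC4.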

Your server is ready to serve over https; try accessing your website with https. If your website is not working with https, try refreshing several times, and if you are using a CDN, make sure it supports https.

If you are setting up SSL for your WordPress blog, you need to enter the https version of the address in your general settings, under WordPress URL and Site URL.

If you get into any trouble feel free to comment below.



© 2017. All rights reserved.