Amazon offers free SSL certificates for use with many of their services. If you already use EC2 for web hosting, you can add a Load Balancer in front of your server to secure your traffic via HTTPS.
What is an SSL Certificate?
SSL is the encryption method used to secure HTTPS connections, and if your website is encrypted with it, the user's browser will display the padlock symbol in the URL field. An SSL certificate is required to use SSL, and you can obtain one from a Certificate Authority (CA). The CA acts as a trusted third party that verifies you control the domain, so a visitor's browser can check that it is talking to your server and not to someone sitting in the middle of the connection.
Many certifiers charge hundreds of dollars for certificates, but you can get them for free from a few places. Amazon Web Services offers them for free if you use their Load Balancers, but the Load Balancers themselves cost $16+ per month. If that is not an option, you can still get free SSL certificates from LetsEncrypt, which you need to install manually on your web server.
There is nothing stopping you from using LetsEncrypt with AWS EC2 instances or even Load Balancers, but AWS certificates are more configurable and work with other AWS services. For example, if you use AWS Cloudfront, you can use the same SSL certificate that you generate for the load balancer without having to worry about renewing them individually.
RELATED: How does LetsEncrypt free HTTPS / SSL certificate work?
Create a new SSL certificate from AWS Certificate Manager
In this guide, we assume that you are already using EC2 to some extent and have a web server running. It does not matter what type of web server you run, as the certificate is installed only on the Load Balancer, but you still need something behind it to serve content.
You also need access to your domain name settings, both to add new records to verify your domain and to point your domain to the new Load Balancer when it’s done.
From the EC2 Management Console, click “Services” in the top bar and search for “Certificates.” Open the Certificate Manager.
Click “Get Started” under “Providing Certificates.”
This certificate will be used to secure internet connections, so it should be public. Select “public” and click “Request”.
You can now add your domain name to the certificate. AWS certificates support wildcards, so it may be useful to also include "*.yourdomain.com" to secure all of your subdomains. Note that a wildcard covers only one level of subdomain, so add the bare domain (and any deeper names) as well if you serve them. Add the domains you need and then click "Next".
Now you need to verify your domain. AWS offers two types of authentication: DNS and email.
DNS requires you to add a CNAME record to your domain name. Using AWS Route 53 as your DNS provider makes this easy, but with another provider it can take hours to verify.
Email only takes a few minutes. AWS sends an email to the registered WHOIS contact, as well as "firstname.lastname@example.org" and some other common email addresses. If you do not have email hosted for your domain, you can usually set up email forwarding to a public Gmail account from your registrar settings, which works just as well.
If you go with DNS authentication, copy the "Name" and "Value" shown under each domain's drop-down. If you are verifying multiple domains, check whether the values differ, as you may need to verify them individually.
From your DNS provider’s settings, add a new CNAME record and paste the name and value into the form (this interface varies depending on your provider).
While DNS only takes a few minutes to propagate, AWS can take a few hours to validate the domain, so maybe go have lunch. If you use email verification, it should only take a few minutes after you click the link in your email.
When done, you should see the orange “Pending Validation” change to a green “Issued.” You do not need to download anything; the certificate can be used automatically in other AWS services.
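If you use Route 53, the "Name" and "Value" pairs above can be written as CNAME records by script instead of by hand. The following is an added example (not code from the original article): it takes the validation records in the shape ACM returns from its describe-certificate call, sanity-checks each one (CNAME only, inside the zone you are writing to, pointing at ACM's validation domain), de-duplicates them (the bare domain and its wildcard share one record, which is why the article says to compare the values), and builds a Route 53 change batch. The sample records, the certificate ARN and the hosted zone ID are constructed placeholders.

```python
"""Build the Route 53 change batch for ACM DNS-validation CNAME records.

Added example, not from the original article. Assumes the record shape ACM's
describe_certificate call returns under DomainValidationOptions and uses a
constructed sample instead of a real certificate.
"""
from collections import OrderedDict

# Constructed sample: what ACM shows as "Name" and "Value" for each domain.
# The apex and the wildcard share a single validation record.
SAMPLE_VALIDATION_OPTIONS = [
    {"DomainName": "yourdomain.com",
     "ResourceRecord": {"Name": "_abc123.yourdomain.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "*.yourdomain.com",
     "ResourceRecord": {"Name": "_abc123.yourdomain.com.", "Type": "CNAME",
                        "Value": "_def456.acm-validations.aws."}},
    {"DomainName": "shop.yourdomain.com",
     "ResourceRecord": {"Name": "_789xyz.shop.yourdomain.com.", "Type": "CNAME",
                        "Value": "_uvw012.acm-validations.aws."}},
]

# ACM validation CNAMEs always point into this domain.
ACM_VALIDATION_SUFFIX = ".acm-validations.aws."


def validation_changes(options, zone_name):
    """Return de-duplicated Route 53 UPSERT changes for ACM validation CNAMEs.

    Refuses anything that is not a CNAME, that lies outside the hosted zone
    being written to, or that does not point at ACM's validation domain, so a
    copy/paste mistake is caught before it becomes a DNS record.
    """
    zone = zone_name.rstrip(".") + "."
    seen = OrderedDict()  # keyed by (name, value) so duplicates collapse to one
    for opt in options:
        rr = opt.get("ResourceRecord")
        if rr is None:  # ACM has not produced the record yet (still pending)
            raise ValueError(f"no validation record yet for {opt['DomainName']}")
        if rr["Type"] != "CNAME":
            raise ValueError(f"unexpected record type {rr['Type']} for {opt['DomainName']}")
        if not rr["Name"].endswith("." + zone):
            raise ValueError(f"{rr['Name']} is not inside zone {zone}")
        if not rr["Value"].endswith(ACM_VALIDATION_SUFFIX):
            raise ValueError(f"{rr['Value']} does not point at ACM validation")
        seen[(rr["Name"], rr["Value"])] = {
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": rr["Name"],
                "Type": "CNAME",
                "TTL": 300,
                "ResourceRecords": [{"Value": rr["Value"]}],
            },
        }
    return list(seen.values())


if __name__ == "__main__":
    # Live path: needs boto3 and AWS credentials; identifiers are placeholders.
    import boto3
    acm = boto3.client("acm")
    cert = acm.describe_certificate(
        CertificateArn="arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID")  # placeholder
    changes = validation_changes(
        cert["Certificate"]["DomainValidationOptions"], "yourdomain.com")
    boto3.client("route53").change_resource_record_sets(
        HostedZoneId="HOSTED_ZONE_ID_PLACEHOLDER",  # placeholder
        ChangeBatch={"Comment": "ACM DNS validation", "Changes": changes})
    print(f"submitted {len(changes)} record(s)")
```

Running the script with real credentials submits the records; running just the function over the constructed sample shows that three domains collapse to two records, and that a value pointing anywhere other than ACM's validation domain is rejected.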
Set up a load balancer with your new certificate
Once the certificate has been issued, it is ready to be installed on a load balancer. AWS Load Balancers act as proxy servers with multiple endpoints, which can forward traffic from one public address to many private IP addresses and balance the load between them.
We will set one up to listen on the public HTTPS port 443 and forward traffic to port 443 on your web server. The web server port may differ (for example, port 8080), because the connection between the load balancer and the web server is internal, but we assume that your web server already has port 443 open. If not, open it in your EC2 instance's security group, ideally only to the load balancer's security group rather than to the whole internet.
From the EC2 Management Console, scroll down the sidebar to find “Load Balancers” and click “Create Load Balancer.”
There are several types of Load Balancer that work at different layers, but for simplicity we choose "Application Load Balancer", which balances plain HTTP and HTTPS.
From the options, give it a name and add an HTTPS listener. It should default to port 443, the standard HTTPS port.
Click next to go to "Configure security settings" and you will have the option to select a certificate (or upload your own if you use another certificate provider). Choose "Select a certificate from ACM" and pick your certificate from the drop-down menu. If you do not see it, try clicking the green refresh icon, and if it is still not there, check your Certificate Manager settings.
Click next to go to "Configure Security Groups" and create a new security group. By default it will have ports 80 and 443 open, which is what you probably want.
Click next to go to "Configure Routing" and enter a name for the target group. Make sure the protocol is set to HTTPS.
Click next to go to "Register Targets" and enter the private IP addresses of your EC2 instances, which you can find in the EC2 Management Console. If you entered them correctly, the interface should display each instance's ID and the zone it is located in.
Click next to go to the review, and if everything looks good, click "Create" to create your Load Balancer.
Go back to the EC2 Management Console and click on the Load Balancers tab. It takes a few minutes, but once your balancer is set up, you can copy the DNS address. The actual IP address of your Load Balancer will change, but the DNS address will always point to it.
You now want to point your domain name at this DNS address instead of the old IP address (as a CNAME, or an alias record if you use Route 53), so that visitors reach your Load Balancer, which secures the connection and forwards them to your EC2 web server (or servers).
The same certificate works with many other AWS services; for example, if you registered *.yourdomain.com on the certificate, you could serve S3 content via Cloudfront on media.yourdomain.com with the same certificate. You cannot download the certificate manually, so it is always locked to AWS services and managed by Amazon.
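Because a wildcard name covers exactly one label, it is worth checking which of the hostnames you intend to serve (the bare domain, www, media, and so on) are actually covered before you switch DNS. The following is an added example, not code from the original article: a small checker that applies the usual browser matching rule for certificate names (a `*` is honoured only as the whole leftmost label), plus a helper that pulls the subject alternative names from a live endpoint such as the load balancer's DNS name using only the standard library. All domain names in it are constructed placeholders.

```python
"""Check which hostnames a certificate's names cover.

Added example, not from the original article. Matching follows the common
browser rule for wildcard names: "*.yourdomain.com" covers media.yourdomain.com
but neither yourdomain.com itself nor a.b.yourdomain.com. All names below are
constructed placeholders.
"""
import socket
import ssl


def name_matches(cert_name, hostname):
    """True if one certificate name (plain or leftmost-label wildcard) matches hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    # A wildcard is honoured only as the entire leftmost label.
    head, _, tail = cert_name.partition(".")
    if head != "*" or "*" in tail or not tail:
        return False
    host_head, _, host_tail = hostname.partition(".")
    return bool(host_head) and host_tail == tail


def coverage(cert_names, hostnames):
    """Map each hostname you plan to serve to the certificate name covering it, or None."""
    return {h: next((c for c in cert_names if name_matches(c, h)), None)
            for h in hostnames}


def uncovered(cert_names, hostnames):
    """Hostnames that no name on the certificate covers (what you still need to add)."""
    return [h for h, c in coverage(cert_names, hostnames).items() if c is None]


def san_names_from_endpoint(sni_name, connect_to=None, port=443):
    """Fetch the DNS subject alternative names the endpoint presents for sni_name.

    connect_to lets you hit the load balancer's DNS name while sending your own
    domain as SNI, so you can check the certificate before switching DNS.
    Chain validation stays on; only the hostname check is relaxed so a
    mismatch returns the names instead of raising.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((connect_to or sni_name, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Offline demonstration on constructed names; the live check is commented out.
    planned = ["yourdomain.com", "www.yourdomain.com", "media.yourdomain.com",
               "a.b.yourdomain.com"]
    for names in (["*.yourdomain.com"], ["yourdomain.com", "*.yourdomain.com"]):
        print(names, "-> uncovered:", uncovered(names, planned))
    # live = san_names_from_endpoint("yourdomain.com", connect_to="LB_DNS_NAME_PLACEHOLDER")
    # print(uncovered(live, planned))
```

Run against the constructed names, the wildcard alone leaves the bare domain and a.b.yourdomain.com uncovered; adding the bare domain still leaves a.b.yourdomain.com, which would need its own entry on the certificate.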