Oliver Nassar

Installing SSL on AWS EC2

April 09, 2011

Thought it could be helpful to document my process for installing an SSL certificate for a subdomain (not wildcard) on a LAMP stack (which happens to be an EC2 instance on AWS). Worth noting is that this setup does not sit behind a load balancer or firewall; those may require further configuration. The following is my flow.

Step 1: OpenSSL CSR Creation

The first step was to create the CSR file that is used in the purchasing of the certificate. I used the OpenSSL CSR Creation tool, which acts like a wizard for creating a "Certificate Signing Request" file.

This wizard basically gives you a shell command you need to execute; something like:

openssl req -new -newkey rsa:2048 -nodes \
    -out subdomain_domain_com.csr \
    -keyout subdomain_domain_com.key \
    -subj "/C=US/ST=Texas/L=Las Colinas/O=Initech/OU=HR/CN=subdomain.domain.com"

Executing that creates two files: subdomain_domain_com.csr and subdomain_domain_com.key. The CSR file is what you submit when purchasing the certificate in the following step; the KEY file is the private key that Apache uses to prove it owns the certificate, so it stays on the server and is never sent to the provider.

Step 2: Certificate Purchasing

The flow is going to be different for everyone depending on how you purchase it, but you will provide the CSR file you created in the previous step.

Your provider will respond with a certificate file of their own (the .crt file referenced below), which contains an encoded string/key in it. You will reference this file in your Apache configuration.

Depending on your provider, you may also be asked to install a Chain Certificate file. This is just an extra declaration in your virtual host (discussed below), so it's not more complicated really.

Step 3: Installing the certificate

You now have 2 files (or 3 if you were given a chain certificate as well) with strings in them. To set up your virtual host, use the following as an example:

<VirtualHost *:443>
    ServerName subdomain.domain.com
    DocumentRoot /var/www/project/webroot
    # Enable mod_ssl for this host
    SSLEngine on
    # Private key generated in Step 1
    SSLCertificateKeyFile /etc/apache2/keys/subdomain_domain_com.key
    # Certificate returned by the provider in Step 2
    SSLCertificateFile /etc/apache2/crts/subdomain_domain_com.crt
    # Only needed if your provider also gave you a chain certificate
    SSLCertificateChainFile /etc/apache2/crts/chain.crt
</VirtualHost>

Worth noting here is that the original CSR file created via the openssl command isn't required at this point. It was only needed when purchasing the certificate originally. The subdomain_domain_com.crt file being referenced above is the file that the certificate authority provided.
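As an added end-to-end example (not code from the original post), the script below runs the Step 1 command, stands in for the certificate provider of Step 2 with a throwaway local CA, and then performs the three checks worth running before pointing the virtual host above at the files: that the CSR carries the intended CN, that the chain file actually verifies the certificate, and that the private key and the certificate share the same public key. It assumes a POSIX shell and the openssl binary on PATH; the hostname, organisation values and the scratch directory are constructed for the example, and with a real purchase the .crt and chain.crt from the provider replace the ones the local CA writes here.

```shell
#!/bin/sh
# Added example, not code from the original post. It runs the post's Step 1
# command, stands in for the CA of Step 2 with a throwaway local CA, and then
# performs the checks worth running before Apache is pointed at the files.
# Every hostname, path and organisation value here is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"        # scratch directory for the generated files
CN="subdomain.domain.com"           # must equal the ServerName of the vhost

# Step 1 of the post: private key and CSR in one command.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/subdomain_domain_com.key" \
    -out "$WORK/subdomain_domain_com.csr" \
    -subj "/C=US/ST=Texas/L=Las Colinas/O=Initech/OU=HR/CN=$CN" 2>/dev/null
}

# Read the CN back out of the CSR (handles both the old "/CN=" and the
# newer "CN = " subject formats). Whatever is here is what the CA will sign.
csr_cn() {
  openssl req -noout -subject -in "$WORK/subdomain_domain_com.csr" \
    | sed -n 's/.*CN *= *//p'
}

# Stand-in for Step 2: a local CA issues the leaf. With a real purchase the
# provider returns subdomain_domain_com.crt and chain.crt; here chain.crt
# is simply the issuing CA's own certificate.
issue_with_local_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/ca.key" -out "$WORK/chain.crt" \
    -subj "/O=Example Test CA/CN=Example Test CA" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/subdomain_domain_com.csr" \
    -CA "$WORK/chain.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/subdomain_domain_com.crt" 2>/dev/null
}

# Check 1: the chain file really leads to the leaf certificate. If this
# fails, browsers show the site as untrusted even though Apache starts.
chain_ok() {
  openssl verify -CAfile "$WORK/chain.crt" "$WORK/subdomain_domain_com.crt" \
    >/dev/null 2>&1
}

# Check 2: the private key Apache loads belongs to the certificate. Compare
# the public key derived from each; a mismatch is the classic reason
# mod_ssl refuses to start after a certificate is reissued.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  crt_pub=$(openssl x509 -in "$WORK/subdomain_domain_com.crt" -noout -pubkey \
    2>/dev/null | openssl sha256)
  [ "$key_pub" = "$crt_pub" ]
}

# Check 3: the certificate's CN is the hostname the vhost will answer for.
cert_cn() {
  openssl x509 -noout -subject -in "$WORK/subdomain_domain_com.crt" \
    | sed -n 's/.*CN *= *//p'
}

# Run everything and report, as you would right before editing the vhost.
preflight() {
  make_csr
  [ "$(csr_cn)" = "$CN" ] || { echo "CSR CN mismatch"; return 1; }
  issue_with_local_ca
  chain_ok || { echo "chain does not verify leaf"; return 1; }
  key_matches_cert "$WORK/subdomain_domain_com.key" \
    || { echo "key does not match certificate"; return 1; }
  [ "$(cert_cn)" = "$CN" ] || { echo "cert CN mismatch"; return 1; }
  echo "all checks passed in $WORK"
}

preflight
```

Run it as-is and it prints the scratch directory it used. To check files already on the server, set WORK to the directory holding them and call chain_ok and key_matches_cert directly; do not call preflight there, since it generates fresh key and CSR files and would overwrite yours. After the checks pass, apachectl configtest catches typos in the virtual host before a reload takes the site down.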

Also, originally I had the virtual host operating on port 80, which led to the error message:

Invalid method in request \x16\x03

Switching this to 443 resolved the issue. As I understand it, that error arises (naturally) when the browser is attempting to speak securely with a server, but the server is responding unsecured: the browser opens with a TLS handshake, and the bytes quoted in the error are the start of that TLS record, which a plain HTTP listener tries and fails to parse as an HTTP request line. Makes sense.

The article How is the L1C Chain Certificate installed in Apache (OpenSSL) helped tremendously as a starting point. I'll follow up with more details if something else comes to light, but it was a nice learning experience seeing as it's the first time I've installed an SSL certificate.