The following instructions will guide you through the SSL installation process on Amazon EC2 Server (AWS). If you have more than one server or device, you will need to install the certificate on each server or device you need to secure. If you still have not generated your certificate and completed the validation process, reference our Amazon EC2 Server CSR Generation Instructions before going through the steps below.

What You Need

1. Your server certificate

This is the certificate you received from the CA for your domain. You may have been sent this via email. If not, you can download it by visiting your Account Dashboard and clicking on your order.

2. Your intermediate certificates

These files allow the devices connecting to your server to identify the issuing CA. There may be more than one of these certificates. If you got your certificate in a ZIP folder, it should also contain the Intermediate certificate(s), which is sometimes referred to as a CA Bundle. If not, download the appropriate CA Bundle for your certificate.

3. Your private key

This file should be on your server, or in your possession if you generated your CSR from a free generator tool. 

1. Connect to your EC2 Instance

For instructions on how to connect to your instance, check Amazon's guide here.

2. Save Certificates to EC2 Certificate Directory

Navigate to the /etc/pki/tls/certs directory and save the server certificate and CA intermediate certificate files here.

The simplest way to upload the certificate into the directory is to open each certificate in a text editor, like Notepad, on your local computer. Then, open Notepad on your EC2 instance, and copy and paste the contents of each certificate to the EC2 Notepad. This method requires root [sudo] permissions. 

3. Check File Permission Settings

Use the following commands to check that the server certificate file ownership, group, and permission settings match Amazon Linux 2 defaults (owner=root, group=root, read/write for owner only). 

[ec2-user certs]$ sudo chown root:root custom.crt
[ec2-user certs]$ sudo chmod 600 custom.crt
[ec2-user certs]$ ls -al custom.crt

These commands should yield this result:

-rw------- root root custom.crt

You should also check the intermediate certificate file permissions, which are less strict. Run these commands:

[ec2-user certs]$ sudo chown root:root intermediate.crt
[ec2-user certs]$ sudo chmod 644 intermediate.crt
[ec2-user certs]$ ls -al intermediate.crt

These commands should yield this result:

-rw-r--r-- root root intermediate.crt

4. Place Private Key in Private Key Directory

Navigate to your Private Key directory at /etc/pki/tls/private/

If the key is not already saved there, follow the same steps as when you copied over the contents of your certificate files to save the Private Key in this directory. You may need to copy and paste the key contents between a Notepad on your local computer and another Notepad open on EC2.

Again, check the file permissions for the private key with the following commands:

[ec2-user private]$ sudo chown root:root custom.key
[ec2-user private]$ sudo chmod 600 custom.key
[ec2-user private]$ ls -al custom.key

These commands should yield this result:

-rw------- root root custom.key

5. Edit Configuration File

Your certificate configuration file should be located in /etc/httpd/conf.d/ssl.conf

1. Provide the path and file name of the server certificate (named custom.crt in this example) in Apache's SSLCertificateFile directive:

SSLCertificateFile /etc/pki/tls/certs/custom.crt

2. Provide the path and file name to the intermediate CA Certificate (named intermediate.crt in this example) in Apache's SSLCACertificateFile directive

SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt

3. Provide the path and file name of the private key (Named custom.key in this example) in Apache's SSLCertificateKeyFile directive:

SSLCertificateKeyFile /etc/pki/tls/private/custom.key

4. Save the configuration file to /etc/httpd/conf.d/ssl.conf.

5. Restart Apache with this command: 

[ec2-user ~]$ sudo systemctl restart httpd

6. Test the installation by navigating to your domain using the HTTPS:// protocol prefix. If the SSL is successfully installed, you should be able to load the page securely over HTTPS and confirm the standard SSL padlock indicator is visible. 

Congratulations! You’ve successfully installed your SSL certificate! To check your work, visit the website in your browser at https://yourdomain.tld and view the certificate/site information to see if HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.

To check your server’s configurations more thoroughly, use our SSL Checker Tool or contact our Customer Experience Department for additional assistance.