Installation of SSL Certificate on AWS Elastic BeanStalk Single Instance

1. Introduction

In AWS, the EB(Elastic Beanstalk) itself manages the Apache configuration files like httpd.conf or ssl.conf, so any changes from outside will not take any effect. Therefore, EB should be aware of any third-party SSL certificate installation.

Hence, for a single instance EB, we have to manually provide the configuration to it, so that it overwrites its default functionality and uses the certificate provided by us.
Let’s learn step by step how we can achieve this.

2. Configuration Steps

Here, we will follow below steps to configure SSL:

• Connect to AWS EB instance
• Create new Keystore
• Issue a new CSR from the Keystore
• Generate a signed certificate from the certificate authority
• Import the primary/server certificate, root, and intermediate CA certificates to keyStore
• Update AWS EB configuration file (.ebextensions)
• Deploy and Check if SSL certificate is installed

2.1. Connect to AWS Elastic BeanStalk instance

Connect to the Elastic Beanstalk instance using private key for that instance.

.\ssh.exe -i "D:\.ssh\mykeypair.pem" ec2-user@ec2-13-2xx-2xx-xxx.ap-south-x.compute.amazonaws.com

2.2. Create new Keystore

To begin with, Keytool is an inbuilt tool available in java, it is used to create, and edit a certificate file from a private key. A keyStore stores a private key/certificate that an application uses.

To keep all the keyStore and trustStore, let’s create a folder sslCertHolder in the home directory.

Now, navigate to directory sslCertHolder and run the keytool command.

To generate a new public key and associated private key and self-signed digital certificate in a keyStore, following command can be used:

keytool –genkeypair –keystore <path_to_the_keystore_being_created> -keypass <pass_for_key> -storepass <pass_for_keystore> –alias <keystore_alias> -keyalg <encryption_algorithm> –keysize <size_of_encryption_key>

We need password and alias in each subsequent keytool commands so please make a note of it.

keytool -genkeypair -keystore codeyatra.jks -keypass changeitPass -storepass changeitPass -keyalg RSA -keysize 2048 -alias cyatraCert -deststoretype pkcs12

It will prompt us to enter first and last name, enter the fully qualified domain name. For example:

firstName & Last Name- www.codeyatra.com
organisation unit- IT_Admin
organisation name- Code Yatra Pvt ltd
City- Pune
State- Maharashtra
country code- in
Final-
  CN=www.codeyatra.com, OU=IT_Admin, O=Code Yatra pvt ltd, L=Pune, ST=Maharashtra, C=com

2.3. Issue a new CSR from the Keystore

To generate a new CSR (Certificate Signing Request) certificate for the keyStore created in step 2.2, run following command:

keytool -certreq -keyalg <encryption_algorithm> -alias <keystore_alias> -file <path_to_the_csr_file_being_created> -keystore <path_to_the_keystore>

keytool -certreq -keyalg RSA -alias cyatraCert -file cyatraCSR.csr -keystore codeyatra.jks

Enter the Password you provided in Step 2.

The above command stores the CSR in the file ‘cyatraCSR.csr‘ and the private key pair in the Keystore ‘codeyatra.jks’  under the alias cyatraCert.

2.4. Generate a signed certificate from the certificate authority

Now, send this ‘cyatraCSR.csr‘ CSR file to the CA. If CA is GoDaddy, open the CSR file, and copy all of the text, including:

 ----BEGIN NEW CERTIFICATE REQUEST---- 

and

 ----END CERTIFICATE REQUEST----

Paste all of the text into the online request form and complete the application.

After the submission, CA normally takes a day to issue an SSL certificate.

2.5. Import the primary/server certificate, root, and intermediate CA certificates to keyStore

After the CA issues the server certificate, download it from the Certificate Manager. Along with this, we also need to download the CA root and any intermediate certificates. Place all these certificates in sslCertHolder (the same folder holding keyStore).

Download GoDaddy’s root certificate ‘gdroot-g2.crt’ and intermediate certificate ‘gdig2.crt.’ from repository.

Now, using the keytool, install these certificates.
To install the root certificate run the following command:

keytool -import -trustcacerts -alias <root_certificate_alias> -file 
<path_to_the_root_certificate> -keystore <path_to_the_keystore>

keytool -import -alias root -keystore codeyatra.jks -trustcacerts -file gdroot-g2.crt

To install the intermediate certificate run the following command:

keytool -import -trustcacerts -alias <server_certificate_alias> -file 
<path_to_server_certificate> -keystore <path_to_the_keystore>

keytool -import -alias cyatraCert -keystore codeyatra.jks -file mydomainname.crt

2.6. Update AWS configuration

Now, we need to add AWS Elastic Beanstalk configuration files (.ebextensions) to the source code of our web application to configure and customize our environment.

The ‘.ebextensions ‘ folder should be created at the root of our project hierarchy to be available at the time of deployment.

The following .ebextensions\httpd\conf.d\03_dsHttpsConfig.conf configuration adds a listener on port 443:

Listen 443
SSLPassPhraseDialog "exec:/home/ec2-user/sslCertHolder/CYsslpassphrasedialog"

<VirtualHost *:443>
  ServerName www.codeyatra.com
  <Proxy *>
    Require all granted
  </Proxy>
  ProxyPass / http://localhost:8080/ retry=0
  ProxyPassReverse / http://localhost:8080/
  ProxyPreserveHost on

  SSLEngine on
  SSLCertificateFile /home/ec2-user/sslCertHolder/mydomainname.crt
  SSLCertificateKeyFile /home/ec2-user/sslCertHolder/cytest_key.key
  SSLCertificateChainFile "/home/ec2-user/sslCertHolder/gd_bundle-g2-g1_chain.pem"
  
  ErrorLog /var/log/httpd/elasticbeanstalk-error443_log
</VirtualHost>

The following configuration file retrieves the security group’s ID using an AWS CloudFormation function and adds a rule to it.

The .ebextensions\https-instance-securitygroup.config file contains following entries:

Resources:
  sslSecurityGroupIngress: 
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
      IpProtocol: tcp
      ToPort: 443
      FromPort: 443
      CidrIp: 0.0.0.0/0

In a single instance environment, the traffic on port 443 should be allowed.

2.7. Deploy and Check if SSL certificate is installed

Deploy the source code with .ebextension files.After the server is up and running, we will run the SSL certificate test as follows:

• Check if the connection is secure by entering the site’s URL in the browser.
• Visit sslshopper type in the domain name and click on Check SSL. It will verify the SSL certificate and displays the problem if any exist.

Note:
Always test a new configuration on a new environment on AWS as an ill-formatted file may lead to failing the new environment launch unrecoverably.

3. Conclusion

In this article, we have learned the step by step procedure to install an SSL certificate on an AWS EB single instance environment.

For EB with a load balancer environment, AWS provides Certificate Manager to install a third-party certificate.