Setup Third-Party SSL Certificate On Amazon EC2 Instance Itself

Access your EC2 instance via SSH and follow these steps to set up a premium third-party SSL certificate for a custom domain/sub-domain locally on your EC2 instance.

No AWS load balancer configuration required!

Since you will be setting up a long-validity paid SSL certificate, you will not be using the Certbot software that we pre-installed on your EC2 instance.

We have already opened port 443 for your EC2 instance so you do not need to change any firewall settings.

Setup OpenSSL

Run the following command to install openssl:

sudo apt-get install openssl

If a message is displayed that it is already installed, move on to the next step.

Enable the SSL module for Apache

Run the following command to do so:

sudo a2enmod ssl

Once it is enabled, restart the Apache web server using:

sudo systemctl restart apache2

If the SSL module was already enabled, move on to the next step.

Prepare a directory for SSL certificates

Create a directory for the SSL certificate files using the following command:

sudo mkdir /etc/apache2/ssl

Generate a CSR and save the Private key

You can generate a CSR with a Private key online using this tool.

Then upload and save the Private key in a text file in the /etc/apache2/ssl directory.

To do so run the following command:

sudo nano /etc/apache2/ssl/private.key

Copy-paste the contents of the Private key you generated from the online tool into the editor in the SSH console, and save the file using Ctrl+X keys on the keyboard.

Upload SSL Certificate files

Once you have received your SSL certificate files you will need to upload them to the /etc/apache2/ssl directory.

To upload the website (leaf) certificate run the following command:

sudo nano /etc/apache2/ssl/website.crt

Copy-paste the text content of the website CRT certificate file into the editor in the SSH console, and save the file using Ctrl+X keys on the keyboard.

To upload the CA bundle (also known as Certificate Chain), run the following command:

sudo nano /etc/apache2/ssl/ca-bundle.crt

Copy-paste the text content of the ca-bundle CRT certificate file into the editor in the SSH console, and save the file using Ctrl+X keys on the keyboard.

Add the VirtualHost entries for your website

Next we need to enable the VirtualHost for our site to serve pages using https.

You will either need to create a new VirtualHost entry (a .conf file under /etc/apache2/sites-available) if it is a new site, or add the following to the existing entry for your site.

<VirtualHost *:443>
    ServerName website.com
    ServerAlias www.website.com
    DocumentRoot /documentroot/
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/website.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/ca-bundle.crt
</VirtualHost>

If you have already got a Let’s Encrypt certificate configured for your site using Certbot, you will need to modify or delete the VirtualHost entry for it.
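Before restarting Apache it is worth confirming that the three files you pasted actually belong together, since a key/certificate mismatch or a wrong CA bundle only shows up as an Apache startup failure or browser warning. The helper below is an added example, not part of the original guide; it assumes openssl is installed (as set up above) and defaults to the guide's file paths, which you can override with arguments.

```shell
#!/bin/sh
# Added verification helper (not from the original guide).
# check_ssl_files [website.crt] [private.key] [ca-bundle.crt]
# Returns 0 only if: the private key matches the certificate, the CA bundle
# validates the certificate, the certificate is not about to expire, and the
# private key is not readable by other users on the instance.
check_ssl_files() {
    crt="${1:-/etc/apache2/ssl/website.crt}"
    key="${2:-/etc/apache2/ssl/private.key}"
    bundle="${3:-/etc/apache2/ssl/ca-bundle.crt}"
    rc=0

    # 1. The public key embedded in the certificate must equal the public key
    #    derived from the private key; compare SHA-256 digests of both PEMs.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2; rc=1
    fi

    # 2. The CA bundle must form a valid chain for the website certificate.
    if ! openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $bundle" >&2; rc=1
    fi

    # 3. The certificate must still be valid in 7 days (604800 seconds).
    if ! openssl x509 -in "$crt" -noout -checkend 604800 >/dev/null 2>&1; then
        echo "FAIL: $crt is expired or expires within 7 days" >&2; rc=1
    fi

    # 4. The private key must have no group/other permission bits set.
    if [ -n "$(find "$key" -perm /077 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by other users; run: sudo chmod 600 $key" >&2; rc=1
    fi

    return $rc
}

# Usage (as root, after the upload step and before restarting Apache):
#   check_ssl_files && echo "certificate files are consistent"
```

The function only reads the files, so it is safe to run repeatedly; each failing check prints its own reason to stderr.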

Now restart the Apache web server using:

sudo systemctl restart apache2

That's all you need to do. Now you should be able to access your website using https://<custom_domain>