You can configure your AWS Elastic Beanstalk environment to use HTTPS for your application. Configuring HTTPS ensures traffic encryption for client connections to the load balancer.
To configure HTTPS, complete the following high-level steps:
Create a custom domain with your DNS provider.
Create and upload an SSL certificate to AWS Identity and Access Management (AWS IAM).
Update your Elastic Beanstalk environment to use HTTPS.
This section walks you through the necessary steps to configure HTTPS for your AWS Elastic Beanstalk application. This section assumes you have already deployed an AWS Elastic Beanstalk application. If you have not already deployed an AWS Elastic Beanstalk application, do this now. For instructions, see Getting Started Using AWS Elastic Beanstalk.
You need to create a custom domain name to obtain a digitally signed SSL certificate. When obtaining a signed SSL certificate, the Certificate Authority (CA) checks the domain name to ensure that you are the owner of that domain. Because your AWS Elastic Beanstalk URL contains elasticbeanstalk.com, you will not be able to obtain a certificate for this domain name.
To create a custom domain name, you can use Amazon Route 53 or a third party. For instructions, see Using Custom Domains with AWS Elastic Beanstalk.
After you have created your custom domain, you use AWS Identity and Access Management (AWS IAM) to create and upload your certificate. This enables you to use your certificate with AWS services such as AWS Elastic Beanstalk. The following steps walk you through an example of how to create and upload your SSL certificate to AWS IAM. For more information, go to Creating and Uploading Server Certificates in the AWS Identity and Access Management Using IAM User Guide.
Creating and uploading server certificates requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key.
The following procedure assumes that your computer does not already have OpenSSL installed.
To install OpenSSL
Get the package from www.openssl.org:
On Linux and UNIX:
Go to OpenSSL: Source, Tarballs (http://www.openssl.org/source/).
Download the latest source.
Build the package.
On Windows:
Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
Click OpenSSL for Windows.
A new page displays with links to the Windows downloads.
If not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.
Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
You must create an environment variable that points to the OpenSSL install point.
To set the OpenSSL_HOME variable
Enter the path to the OpenSSL installation:
| On Linux and UNIX | On Windows |
|---|---|
| $ export OpenSSL_HOME=path_to_your_OpenSSL_installation | c:\> set OpenSSL_HOME=path_to_your_OpenSSL_installation |
Note
Any changes you make to the environment variables are valid only for the current command-line session.
You must add the path to the OpenSSL binaries to your computer's path variable.
To include OpenSSL in your path
Open a terminal or command interface and enter the appropriate command for your operating system:
| On Linux and UNIX | On Windows |
|---|---|
| $ export PATH=$PATH:$OpenSSL_HOME/bin | c:\> set Path=%OpenSSL_HOME%\bin;%Path% |
Note
Any changes you make to the environment variables are valid only for the current command-line session.
You need a unique private key to create your Certificate Signing Request (CSR).
A Certificate Signing Request (CSR) is a file sent to a Certificate Authority (CA) to apply for a digital server certificate.
To create a CSR
Use the req command to create a CSR:
PROMPT>openssl req -new -key privatekey.pem -out csr.pem
The output will look similar to the following example:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
The following table can help you create your certificate request.
| Name | Description | Example |
|---|---|---|
| Country Name | The two-letter ISO abbreviation for your country. | US = United States |
| State or Province | The name of the state or province where your organization is located. This name cannot be abbreviated. | Washington |
| Locality Name | The name of the city where your organization is located. | Seattle |
| Organization Name | The full legal name of your organization. Do not abbreviate your organization name. | CorporationX |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name | The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match. | www.example.com |
| Email address | The server administrator's email address | someone@example.com |
Note
The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.example.com" or "example.com". You need to create a CSR using your correct common name.
Normally, at this stage you would submit your CSR to a Certificate Authority (CA) to apply for a digital server certificate. However, you can also generate a self-signed certificate for testing purposes only. For this example, you'll generate a self-signed certificate.
To generate a self-signed certificate
Use the x509 command to generate a self-signed certificate from the CSR:
PROMPT>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt
The output will look similar to the following example:
Loading 'screen' into random state - done
Signature ok
subject=/C=us/ST=washington/L=seattle/O=corporationx/OU=marketing/CN=example.com/emailAddress=someone@example.com
Getting Private key
Next, upload the certificate along with the private key to IAM. After you upload the certificate to IAM, the certificate is available for other AWS services to use. You use the AWS IAM command line interface (IAM CLI) to upload your certificate. For more information about installing the IAM command line toolkit, go to Getting the Command Line Tools in the AWS IAM Command Line Reference.
To upload a signed certificate
Use the iam-servercertupload command to upload a signed certificate:
PROMPT>iam-servercertupload -b server.crt -k privatekey.pem -s server -v
You should see an Amazon Resource Name (ARN) for your SSL certificate similar to the following:
arn:aws:iam::123456789012:server-certificate/cert
Note
IAM returns the ARN only if the iam-servercertupload command is made in verbose mode by including -v, as shown in the example above.
If you have a certificate that results in an error when you upload it, ensure that it meets the criteria, and then try uploading it again.
To see sample certificates that are valid with IAM, go to Sample Certificates in the AWS Identity and Access Management Using IAM User Guide.
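The key, CSR and self-signed certificate steps above as a non-interactive script, followed by a pre-upload check that the certificate and private key belong together. This is an added example, not from the original page; the 2048-bit key size, the `-subj` values and the function names are assumptions, and the checks (PEM-encoded X.509, unencrypted key, not expired, matching public key) are the usual causes of a rejected upload rather than a list taken from this page.

```shell
#!/bin/sh
# Added example, not from the original page. File names follow the page;
# key size, -subj values and function names are assumptions.

# Create privatekey.pem, csr.pem and a 365-day self-signed server.crt in $1.
make_test_cert() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/privatekey.pem" 2048 2>/dev/null || return 1
    chmod 600 "$dir/privatekey.pem"   # key is stored unencrypted; restrict access
    openssl req -new -key "$dir/privatekey.pem" -out "$dir/csr.pem" \
        -subj "/C=US/ST=Washington/L=Seattle/O=CorporationX/OU=Marketing/CN=$cn" || return 1
    openssl x509 -req -days 365 -in "$dir/csr.pem" \
        -signkey "$dir/privatekey.pem" -out "$dir/server.crt" 2>/dev/null
}

# Print "ok" and return 0 only if the pair passes every check.
check_pair() {
    cert=$1; key=$2
    if grep -q ENCRYPTED "$key"; then
        echo "private key is passphrase-protected"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "certificate is not PEM-encoded X.509"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired"; return 1
    fi
    # Same public key on both sides means the key belongs to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; return 1
    fi
    echo "ok"
}

# Demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_test_cert "$d" www.example.com &&
        check_pair "$d/server.crt" "$d/privatekey.pem"
    rm -rf "$d"
fi
```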
After you receive your Amazon Resource Name (ARN), you need to update your elastic load balancer configuration settings in your Elastic Beanstalk environment with the following information:
HTTP port — set this port to OFF or 80
HTTPS port — set this port to 443 or 8443
SSL certificate ID — set this to your ARN
The following diagram shows the configuration settings in the Elastic Beanstalk console.

There are several methods you can use to update your environment. The following list provides links to the relevant instructions.
It will take a few minutes to update your AWS Elastic Beanstalk environment. Once your environment is Green and Ready, enter your HTTPS address in your web browser to verify that it worked. For instructions on how to check your environment status, see Viewing Application Health and Environment Status. For this example, we type the following:
https://www.example.com
Note
Because you used a self-signed certificate and your web browser does not recognize you as a CA, you will see a warning message asking you if you want to proceed to the website. Choose to proceed, and then you can view your application.