AWS Elastic Beanstalk
Developer Guide (last updated: 12 December, 2014) (API Version 2010-12-01)

Configuring HTTPS for your AWS Elastic Beanstalk Environment

You can configure your AWS Elastic Beanstalk environment to use HTTPS for your application. Configuring HTTPS ensures traffic encryption for client connections to the load balancer.

To configure HTTPS, you will need to do the following high-level steps:

  1. Create a custom domain with your DNS provider.

  2. Create and upload an SSL certificate to AWS Identity and Access Management (AWS IAM).

  3. Update your Elastic Beanstalk environment to use HTTPS.

This section walks you through the steps needed to configure HTTPS for your AWS Elastic Beanstalk application. It assumes you have already deployed an AWS Elastic Beanstalk application. If you have not, do this now. For instructions, see Getting Started Using AWS Elastic Beanstalk.

Step 1: Create a Custom Domain

You need to create a custom domain name to obtain a digitally signed SSL certificate. When obtaining a signed SSL certificate, the Certificate Authority (CA) checks the domain name to ensure that you are the owner of that domain. Because your AWS Elastic Beanstalk URL contains elasticbeanstalk.com, you will not be able to obtain a certificate for this domain name.

To create a custom domain name, you can use Amazon Route 53 or a third party. For instructions, see Using Custom Domains with AWS Elastic Beanstalk.

Step 2: Create and Upload an SSL Certificate to AWS IAM

After you have created your custom domain, you use AWS Identity and Access Management (AWS IAM) to create and upload your certificate. This enables you to use your certificate with AWS services such as AWS Elastic Beanstalk. The following steps walk you through an example of how to create and upload your SSL certificate to AWS IAM. For more information, go to Creating and Uploading Server Certificates in the AWS Identity and Access Management Using IAM User Guide.

Install and Configure OpenSSL

Creating and uploading server certificates requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions needed to create an RSA private key, build a certificate signing request from it, and sign a certificate with that key.

The following procedure assumes that your computer does not already have OpenSSL installed.

To install OpenSSL

  • Get the package from www.openssl.org:

    On Linux and UNIX:

    1. Go to OpenSSL: Source, Tarballs (http://www.openssl.org/source/).

    2. Download the latest source.

    3. Build the package.

    On Windows:

    1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).

    2. Click OpenSSL for Windows.

      A new page displays with links to the Windows downloads.

    3. If not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.

    4. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.

    5. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.

You must create an environment variable that points to the OpenSSL install point.

To set the OpenSSL_HOME variable

  • Enter the path to the OpenSSL installation:

    On Linux and UNIX:

    $ export OpenSSL_HOME=path_to_your_OpenSSL_installation

    On Windows:

    c:\> set OpenSSL_HOME=path_to_your_OpenSSL_installation

    Note

    Any changes you make to the environment variables are valid only for the current command-line session.

You must add the path to the OpenSSL binaries to your computer's path variable.

To include OpenSSL in your path

  • Open a terminal or command interface and enter the appropriate command for your operating system:

    On Linux and UNIX:

    $ export PATH=$PATH:$OpenSSL_HOME/bin

    On Windows:

    c:\> set Path=%OpenSSL_HOME%\bin;%Path%

    Note

    Any changes you make to the environment variables are valid only for the current command-line session.

Create a Private Key

You need a unique private key to create your Certificate Signing Request (CSR).

To create a private key

  • Use the genrsa command to create a key:

    PROMPT>openssl genrsa 2048 > privatekey.pem

Create a Certificate Signing Request

A Certificate Signing Request (CSR) is a file sent to a Certificate Authority (CA) to apply for a digital server certificate.

To create a CSR

  • Use the req command to create a CSR:

    PROMPT>openssl req -new -key privatekey.pem -out csr.pem

    The output will look similar to the following example:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

The following table can help you create your certificate request.

  • Country Name: The two-letter ISO abbreviation for your country. (Example: US = United States)

  • State or Province: The name of the state or province where your organization is located. This name cannot be abbreviated. (Example: Washington)

  • Locality Name: The name of the city where your organization is located. (Example: Seattle)

  • Organization Name: The full legal name of your organization. Do not abbreviate your organization name. (Example: CorporationX)

  • Organizational Unit: Optional, for additional organization information. (Example: Marketing)

  • Common Name: The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match. (Example: www.example.com)

  • Email address: The server administrator's email address. (Example: someone@example.com)

Note

The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.example.com" or "example.com". You need to create a CSR using your correct common name.

Submit the CSR to Certificate Authority

Normally, at this stage you would submit your CSR to a Certificate Authority (CA) to apply for a digital server certificate. However, you can also generate a self-signed certificate for testing purposes only. For this example, you'll generate a self-signed certificate.

To generate a self-signed certificate

  • Use the x509 command to sign the CSR with your own private key, producing a self-signed certificate:

    PROMPT>openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt

    The output will look similar to the following example:

    Loading 'screen' into random state - done
    Signature ok
    subject=/C=us/ST=washington/L=seattle/O=corporationx/OU=marketing/CN=example.com/emailAddress=someone@example.com
    Getting Private key

Upload the Signed Certificate

Next, upload the certificate along with the private key to IAM. After you upload the certificate to IAM, the certificate is available for other AWS services to use. You use the AWS Command Line Interface (AWS CLI) to upload your certificate.

To upload a signed certificate

  • Use the IAM upload-server-certificate command to upload a signed certificate:

    PROMPT>aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://public_key_certificate_file --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file

    Note

    If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can omit the --certificate-chain option and upload just the server certificate and private key. For more information about the upload-server-certificate command, see upload-server-certificate in the AWS Command Line Interface Reference.

You should see an Amazon Resource Name (ARN) for your SSL certificate, which you will use when you update your load balancer configuration settings to use HTTPS. The ARN should look similar to the following:

arn:aws:iam::123456789012:server-certificate/cert

If you have a certificate that results in an error when you upload it, ensure that it meets the criteria, and then try uploading it again.

To see sample certificates that are valid with IAM, go to Sample Certificates in the AWS Identity and Access Management Using IAM User Guide.
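The key, CSR and self-signed certificate steps above, as an added example that is not part of the AWS guide: it fills in the Distinguished Name non-interactively with -subj, then checks that the certificate really belongs to the private key and carries the expected Common Name before anything is uploaded, since IAM rejects a mismatched pair and browsers warn on a wrong CN. It assumes openssl is on your PATH; the domain and DN values are constructed placeholders, and upload_to_iam is only defined, not run.

```shell
#!/bin/sh
# Added example, not from the AWS guide. Assumes openssl on PATH.
set -eu

DOMAIN="www.example.com"                 # constructed; use your custom domain
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate the key, the CSR and a self-signed certificate (testing only),
# using the same DN fields as the table in this guide.
make_cert_files() {
  dir="$1"; cn="$2"
  subj="/C=US/ST=Washington/L=Seattle/O=CorporationX/OU=Marketing/CN=$cn/emailAddress=someone@example.com"
  openssl genrsa -out "$dir/privatekey.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/privatekey.pem" -subj "$subj" -out "$dir/csr.pem" 2>/dev/null
  openssl x509 -req -days 365 -in "$dir/csr.pem" -signkey "$dir/privatekey.pem" \
      -out "$dir/server.crt" 2>/dev/null
}

# A certificate and key belong together when they carry the same public key.
# IAM refuses an upload where they do not, so check locally first.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Extract the CN; works for both "CN = x" and "/CN=x" subject formats.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Upload step from the guide (self-signed, so no --certificate-chain).
# Not executed here: needs AWS credentials.
upload_to_iam() {
  aws iam upload-server-certificate --server-certificate-name "$1" \
      --certificate-body "file://$2" --private-key "file://$3"
}

main() {
  make_cert_files "$WORKDIR" "$DOMAIN"
  key_matches_cert "$WORKDIR/privatekey.pem" "$WORKDIR/server.crt" \
      || { echo "private key does not match certificate" >&2; exit 1; }
  [ "$(cert_cn "$WORKDIR/server.crt")" = "$DOMAIN" ] \
      || { echo "certificate CN is not $DOMAIN" >&2; exit 1; }
  echo "ok: $WORKDIR/server.crt and privatekey.pem are ready for upload_to_iam"
}

main "$@"
```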

Step 3: Update Your Elastic Beanstalk Environment to Use HTTPS

After you receive your Amazon Resource Name (ARN), you need to update your load balancer configuration settings in your Elastic Beanstalk environment with the following information:

  • HTTP port — set this port to OFF or 80

  • HTTPS port — set this port to 443 or 8443

    Note

    If you are using Amazon VPC with AWS Elastic Beanstalk, you must set your HTTPS port to 443. You must also add a rule to your security group that allows inbound traffic from 0.0.0.0/0 to port 443. For instructions, see Adding and Removing Rules in the Security Groups for Your VPC topic in the Amazon Virtual Private Cloud User Guide.

  • SSL certificate ID — set this to your ARN

There are several methods you can use to update your environment. The following list provides links to the relevant instructions.

It will take a few minutes to update your AWS Elastic Beanstalk environment. Once your environment is Green and Ready, type your https address in your web browser to verify it worked. For instructions on how to check your environment status, see Monitoring Your Environment. For this example, we type the following:

https://www.example.com

Note

Because you used a self-signed certificate and your web browser does not recognize you as a CA, you will see a warning message asking you if you want to proceed to the website. Choose to proceed, and then you can view your application.
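The three load balancer settings above applied from the command line, as an added example that is not part of the AWS guide: it builds the option settings for the aws:elb:loadbalancer namespace (option names LoadBalancerHTTPPort, LoadBalancerHTTPSPort and SSLCertificateId), rejects an HTTPS port other than 443 when the environment is in a VPC, and includes a check of which certificate the load balancer actually serves once the environment is Green and Ready. The environment name and ARN are constructed placeholders; apply_https and served_cn are only defined, not run, because they need AWS credentials and a live environment.

```shell
#!/bin/sh
# Added example, not from the AWS guide. Environment name and ARN are constructed.
set -eu

ENV_NAME="my-https-env"                                        # constructed
CERT_ARN="arn:aws:iam::123456789012:server-certificate/cert"   # from the upload step

# Emit one --option-settings entry per line for the three settings in this guide.
# in_vpc=1 enforces the VPC rule: the HTTPS port must be 443.
https_option_settings() {
  arn="$1"; https_port="$2"; in_vpc="${3:-0}"; http_port="${4:-80}"
  case "$https_port" in 443|8443) ;; *) echo "HTTPS port must be 443 or 8443" >&2; return 1 ;; esac
  case "$http_port" in 80|OFF) ;; *) echo "HTTP port must be 80 or OFF" >&2; return 1 ;; esac
  if [ "$in_vpc" = "1" ] && [ "$https_port" != "443" ]; then
    echo "environments in a VPC must use HTTPS port 443" >&2; return 1
  fi
  case "$arn" in arn:aws:iam::*:server-certificate/*) ;; *) echo "not a server-certificate ARN" >&2; return 1 ;; esac
  printf '%s\n' \
    "Namespace=aws:elb:loadbalancer,OptionName=LoadBalancerHTTPPort,Value=$http_port" \
    "Namespace=aws:elb:loadbalancer,OptionName=LoadBalancerHTTPSPort,Value=$https_port" \
    "Namespace=aws:elb:loadbalancer,OptionName=SSLCertificateId,Value=$arn"
}

# Push the settings to the environment. Not executed here: needs AWS credentials.
apply_https() {
  env_name="$1"; settings=$(https_option_settings "$2" "$3" "${4:-0}")
  # shellcheck disable=SC2086  (word-splitting the lines into separate arguments is intended)
  aws elasticbeanstalk update-environment --environment-name "$env_name" --option-settings $settings
}

# After the update finishes, print the CN of the certificate the load balancer
# presents on 443 so you can confirm it is the one you uploaded. Not executed here.
served_cn() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Example run (in_vpc=1 keeps the VPC rule in force):
https_option_settings "$CERT_ARN" 443 1
```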