This is a step-by-step walk-through on how to install an SSL certificate on AWS Elastic Beanstalk. We will use a GoDaddy SSL certificate. The official documentation is on the IAM Creating and Uploading Server Certificates page, but that example is only for a 1024-bit certificate. This post also assumes you already have a CNAME for your Elastic Beanstalk instance.
1. You need OpenSSL. Our Amazon EC2 image already has OpenSSL by default. Try running openssl version on the command line to verify if you have OpenSSL installed.
2. You will need the IAM Command Line Toolkit to be able to upload the SSL certificate. We will be using the iam-servercertupload command later in the process. You will also need to create an aws-credential.properties file with the keys AWSAccessKeyId and AWSSecretKey populated with your AWS keys.
3. Now generate the CSR (Certificate Signing Request) by running the following command. This will generate a 2048-bit RSA private key and a CSR for it.
openssl req -new -newkey rsa:2048 -nodes -out csr.pem -keyout private-key.pem -subj "/C=yourcountry/ST=yourstate/L=yourcity/O=yourcompany/OU=yourdepartment/CN=yourdomain"
Replace yourcountry, yourstate, yourcity, yourcompany, yourdepartment, yourdomain with the appropriate values. You should get two files from this step, csr.pem and private-key.pem.
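4. Go to the GoDaddy Manage Certificates page, and copy and paste the CSR. Once the certificate is ready, download it. Unzip the downloaded file and you will get gd_bundle.crt and yourdomain.crt.
5. Before uploading the certificate, we need the private key in decrypted (passphrase-free) form, so run the following openssl command. Neither private-key.pem (generated with -nodes in step 3) nor the output file is passphrase-protected, so keep both readable only by your own user.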
openssl rsa -in private-key.pem -out decrypted-private-key.pem
6. Now we are ready to upload our certificate. Run the following command.
iam-servercertupload --aws-credential-file aws-credential.properties -b yourdomain.crt -c gd_bundle.crt -k decrypted-private-key.pem -s yourcertificatename
Make sure the file paths are correct. yourcertificatename is the name of the certificate that you specify.
7. To get your SSL Certificate ID, which you need to enable SSL on Elastic Beanstalk, run the following command.
iam-servercertgetattributes --aws-credential-file aws-credential.properties -s yourcertificatename
Take note of your certificate ID, which starts with arn:aws:iam::.
8. Go to the AWS Elastic Beanstalk Management Console and edit the environment configuration. Go to the Load Balancer tab, set the HTTPS Listener Port to 443, and set the SSL Certificate Id to the value from step 7. If you have a wildcard SSL certificate, you can repeat this step on every Elastic Beanstalk application on different subdomains.
9. Test your new configuration by going to https://yourdomain.
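A pre-upload check for the files from steps 3 to 5, worth running before step 6: it confirms that yourdomain.crt was issued for the private key you are about to upload, that the certificate has not expired, that the key is at least 2048 bits, and that the key file is not readable by other users. This is an added example, not part of the original post; the function names are hypothetical and it only uses standard openssl subcommands.

```shell
#!/bin/sh
# Added example: sanity checks before iam-servercertupload (function names are hypothetical).

# Print the SHA-256 of the public key held in a private key ("key") or certificate ("cert").
pubkey_digest() {
    case $1 in
        # -passin pass: stops openssl from prompting if the key is still encrypted
        key)  pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if the certificate carries the public half of this private key.
cert_matches_key() {
    c=$(pubkey_digest cert "$1") || return 1
    k=$(pubkey_digest key "$2") || return 1
    [ "$c" = "$k" ]
}

# Print the RSA modulus size in bits (empty output if the key cannot be read).
key_bits() {
    openssl rsa -in "$1" -passin pass: -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Succeed only if group and other have no permissions on the key file.
key_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Run every check and report each failure; returns non-zero if any check fails.
preupload_check() {
    cert=$1 key=$2 rc=0
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: $cert was not issued for $key" >&2; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $cert has expired or cannot be read" >&2; rc=1; }
    bits=$(key_bits "$key")
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: $key is ${bits:-0} bits, expected at least 2048" >&2; rc=1; }
    key_is_private "$key" ||
        { echo "FAIL: $key is accessible to group or other users" >&2; rc=1; }
    return $rc
}
```

Source the file and call `preupload_check yourdomain.crt decrypted-private-key.pem`; a non-zero exit status means the upload in step 6 should wait until the reported problem is fixed.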