How to Install an SSL Certificate on AWS EC2 Instance

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)

Amazon Web Services (AWS) offers building blocks that give us a scalable, low-cost infrastructure to support new applications and virtual servers. They can be adjusted as per business demands without any commitments, only paying for what you need. Knowing how to install an SSL certificate on an AWS EC2 instance seems like a super tricky process, but it doesn’t have to be.

Installing SSL/TLS certificates on the web server is of utmost importance because it helps to prevent your website from being flagged as ”not secure.” It also allows for secure, encrypted communication with HTTPS enabled and builds trust so that the end-user does not get any security warnings when visiting your site.

Installing and configuring SSL/TLS certificates on AWS is a fairly simple process — but here are a few things you’ll need before you can get started.

Prerequisites for Installing an SSL Certificate on AWS

Before you can start the installation process, you’ll need to have your SSL certificate in hand. We assume that you already purchased a certificate since you’re looking for directions on how to install one. However, if you don’t have one yet, you can purchase one from us at a significantly discounted cost:

Now that you have purchased your certificate, you can move forward. Here’s everything you’ll need to install an SSL certificate on your AWS EC2 instance:

  • Server certificate: This is the certificate that you received from the CA, possibly via email.
  • Intermediate certificates: If you received the certificate in a zip folder, it should also contain these certificates, if not, download the CA Bundle for your certificate.
  • Private key: It should be in your possession or on the server.

Installation Steps for Adding an SSL Certificate to an EC2 Instance

  1. Convert the certificates (the ones received from the CA would be in .crt format) to PEM format either by using an online conversion tool or by using the OpenSSL library: openssl x509 -in my_certificate.crt -out my_certificate.pem -outform PEM
  2. Go to your Amazon management console and log in.
  3. From there go to the EC2 console.
  4. Choose Load Balancer from the navigation pane under the network and security section.
  5. Select the load balancer where you want to upload the certificate.
  6. Go to the Listener tab and click on Edit and then on Add. Choose HTTPS as the protocol and under SSL certificate select Change and click on “Upload a new certificate to AWS Identity and Access Management (IAM).”
  7. Fill in the certificate details — this includes a name, the private key, the public key, and the certificate chain — by pasting the contents of the file into the designated areas and then click on Save.


Sometimes people run into issues when installing their SSL certificate. Here are a few examples of the snafus people run into and how you can address them:

The format of the public key, private key and certificate chain must be PEM-encoded

The private key is the one used to generate the CSR and can either be in PKCS #1 format (traditional format) or PKCS #8 (new format).

PKCS #1 format:
Base64-encoded private key

PKCS #8 format:
Base64-encoded private key

If the private key is generated using the OpenSSL genrsa command, the default format is PKCS #8

To convert your PKCS #1 to PKCS #8:

openssl rsa -in newkey.pem -out newkey.pem

Remember that you will not be able to retrieve your private key once it has been uploaded to the load balancer.

The public key certificate is the one issued to you by a certificate authority.

Base64-encoded private key

The certificate issued by the CA constitutes the certificate’s chain with a CA bundle. A CA bundle is a file that contains root and intermediate certificates. The chain is required so that your browser can recognize the certificate without throwing any security warnings. It’s usually sent over by your CA authority, or it can be downloaded from the CA’s website or third-party sites.

Missing certificate chain

If the intermediate certificates are not installed properly, the browser will not be able to trace back to the root CA who issued the certificate. This means that the browser will throw up security warnings that will turn away site visitors and customers. It’s only for a self-signed certificate that we do not need the certificate chain (though, we caution, that self-signed certificates should not be used in place of standard certificates on external-facing sites). Run the following command from the terminal to establish if the certificates have been installed correctly:

openssl s_client -showcerts -connect

If the command returns code: 21 (which means that it’s unable to verify the first certificate), it indicates that OpenSSL failed to verify the certificate because of the missing certificate chain. Third-party sites can also be used to check whether the SSL certificates were installed correctly on your server.