Technical Guide for SSL Certificate Installation on AWS (Amazon Web Services) EC2 Instance
AWS is a cloud computing service from Amazon that provides on-demand cloud computing platforms for individuals, corporations, governments, and other business entities. One of the services it offers is EC2 (Elastic Compute Cloud), which gives users access to a virtual network of computers through the internet.
This blog outlines the process of installing an SSL certificate on EC2 step by step. We’ll also cover how to test your SSL setup and troubleshoot common issues, so you can be sure that everything works smoothly from start to finish.
Generate a Certificate Signing Request (CSR)
To begin installing SSL on an AWS EC2 instance, start by generating a Certificate Signing Request (CSR). The Certificate Authority requires essential details about your domain and organization to issue your certificate.
How to Generate a CSR?
You can create a CSR directly on the EC2 instance where you’ll install the SSL certificate. This way the private key remains on the server, in line with security best practices. Alternatively, you can generate a CSR with an external CSR generator, though this method is less secure because the private key is created outside the server.
If you’re using OpenSSL (common on Linux-based instances), run the following command in your terminal:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
This command will generate two files:
- yourdomain.key – your private key (keep this secure and never share it)
- yourdomain.csr – your Certificate Signing Request (to be submitted to the CA)
Prerequisites for Installing an SSL Certificate on EC2
Before you begin installing an SSL certificate on your AWS EC2 instance, make sure you have the following files ready:
SSL Certificate File or Your server certificate
This is the primary certificate issued for your domain by a Certificate Authority (CA). It’s typically provided via email or made available for download through your certificate provider’s dashboard. It’s sometimes labeled as yourdomain.crt or similar.
Intermediate Certificate(s)
These are supporting certificates that help establish a chain of trust between your server’s certificate and the root certificate recognized by browsers. Often bundled together in a file called a CA Bundle, these are included in your certificate ZIP file or can be downloaded from your CA’s repository.
Private Key File
This is the private cryptographic key that pairs with your certificate. It is created at the moment you generate your Certificate Signing Request, whether on your server or with an external tool. You should have secure access to that file, as it’s required for installation. It cannot be recovered from the certificate files later, so if it’s lost you’ll need to create a new CSR and reissue the certificate.
Converting Certificate Files to PEM Format
AWS requires certificate files in PEM format for proper installation. PEM (Privacy Enhanced Mail) is a base64-encoded format enclosed between -----BEGIN----- and -----END----- lines; PEM files typically have .crt, .pem, or .key extensions.
Conversion Methods
Option 1: Using OpenSSL (Recommended)
You can manually convert your certificate files to PEM format using the OpenSSL command-line tool. For example:
openssl x509 -in yourdomain.crt -out yourdomain.pem -outform PEM
This command converts an X.509 certificate to PEM format. If your certificate is in .der, .pfx, or .p7b, you’ll need different commands depending on the source format.
Option 2: Using an Online SSL Converter
If you prefer a quicker method, several trusted online tools allow you to convert certificate files to PEM format with minimal effort. Just upload your files and download the PEM-formatted versions.
Important: Never upload private keys to online tools. Only use manual conversion for .key files to avoid security risks.
Once your certificate, intermediate certificate, and private key are in PEM format, you’re ready to proceed with installation on your EC2 instance.
Steps to Install SSL Certificate on Amazon Web Services (AWS) EC2 Instance
Prerequisites
Before you begin, make sure you have:
- A running Amazon EC2 instance (Ubuntu, CentOS, or Amazon Linux)
- A domain name pointing to your EC2 instance’s public IP
- Your SSL certificate files in PEM format:
  - yourdomain.crt (certificate)
  - yourdomain.key (private key)
  - ca_bundle.crt (CA chain, usually provided by SSL2BUY)
- SSH access to the instance with sudo privileges
Step 1: Log in to AWS Management Console
- Go to the AWS Management Console.
- Navigate to the EC2 Dashboard.
- In the left-hand menu, expand the Load Balancing section and click on Load Balancers.
Step 2: Configure HTTPS Listener on Load Balancer
- In the Load Balancers section, select the Load Balancer that’s associated with your EC2 instances.
- Click on the Listeners tab.
- Choose Edit and then Add listener.
- Select HTTPS as the protocol.
- In the SSL certificate field, click on Change.
Step 3: Upload Your SSL Certificate to IAM
- Click on Upload a new SSL certificate to AWS Identity and Access Management (IAM).
- Enter a name for your certificate (you’ll use this name for easy management).
- Paste:
  - the private key (yourdomain.key) in the Private Key field
  - the certificate (yourdomain.crt) in the Public Key Certificate field
  - the CA bundle (ca_bundle.crt) in the Certificate Chain field
- Make sure you paste the entire certificate chain, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
Step 4: Attach SSL Certificate to the Load Balancer
- After uploading the certificate to IAM, click Save to finalize the upload.
- Return to the Listeners tab of your Load Balancer.
- Select the uploaded certificate from the dropdown list and apply it to the HTTPS listener.
- Save the changes to your Load Balancer.
Step 5: Maintain and Renew Your SSL (Recommended)
Like every digital certificate, an SSL certificate expires (typically every 13 months). Renew your SSL certificate on time to maintain secure encryption and prevent browser warnings.
Here are the best practices to follow:
- Set calendar reminders for renewals well in advance.
- Obtain the renewed certificate and upload it to IAM.
- Reassign it to your Load Balancer as shown in Steps 3 and 4.
Quick Tips:
- Make sure that your EC2 security group allows inbound traffic on port 443 (HTTPS).
- Since SSL is terminated at the Load Balancer, your EC2 instance only needs to serve HTTP.
- Use Amazon CloudFront or other caching services to accelerate site performance for global visitors.
Test Your SSL Certificate
Once the process is complete, it is good practice to verify that the SSL certificate has been configured properly and is functioning as expected.
How to check
- Visit your site: https://yourdomain.com.
- Use a free SSL checker tool to verify that:
  - there are no browser security warnings
  - the certificate is valid and the chain is correctly recognized
  - HTTPS loads correctly across all pages
- Confirm that the certificate is issued for your domain and that the full certificate chain is recognized without errors.
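The checks above can also be scripted. The following Python example is added here and is not part of the original guide; it uses only the standard library to connect to the HTTPS endpoint (the load balancer, in this guide’s setup), refuse anything below TLS 1.2, and report the negotiated protocol, whether the certificate actually covers the host name (the SAN and wildcard matching is implemented locally so it can be tested offline) and how many days remain before expiry. HOST is an assumed placeholder for your own domain.

```python
import socket
import ssl
import time

HOST = "yourdomain.com"  # assumption: the host name the certificate was issued for
PORT = 443

def hostname_matches(cert, hostname):
    """True if hostname is covered by the cert's DNS SANs (CN only as a fallback).
    cert has the dict shape returned by ssl.SSLSocket.getpeercert()."""
    hostname = hostname.lower()
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # certificates without SAN: fall back to the subject CN
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            label = hostname[: -len(name) + 1]  # the part matched by '*'
            # a wildcard covers exactly one label: *.x.com matches a.x.com, not a.b.x.com
            if hostname.endswith(name[1:]) and label and "." not in label:
                return True
        elif name == hostname:
            return True
    return False

def days_remaining(cert, now=None):
    """Days until notAfter; a negative value means the certificate has already expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

def check_site(host=HOST, port=PORT):
    """Open a TLS connection the way a browser would and report what this guide cares about."""
    ctx = ssl.create_default_context()  # verifies chain and host name against the system roots
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # deprecated SSLv3 / TLS 1.0 / 1.1 are refused
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                print("Protocol:", tls.version())
                print("Certificate covers host name:", hostname_matches(cert, host))
                print("Days until expiry: %.0f" % days_remaining(cert))
                return True
    except ssl.SSLCertVerificationError as exc:
        # typical causes: missing intermediate certificate, domain mismatch, expired certificate
        print("Certificate verification failed:", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        print("Connection or handshake failed (port 443 closed? protocol mismatch?):", exc)
    return False

if __name__ == "__main__":
    check_site()
```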
Troubleshooting Common SSL Issues
If your SSL certificate isn’t working as expected, here are a few common issues to check and how to fix them:
Browser shows “Not Secure” warning
This means you’re likely missing intermediate certificates.
To fix this, download the CA bundle from your certificate provider and combine it with your domain certificate using the following command:
cat your_domain.crt intermediate.crt > fullchain.pem
Upload the combined PEM file to your EC2 server or load balancer.
Wrong certificate format
Your files must be in PEM format; other formats don’t work in AWS. Your private key should start with -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----.
If your private key is in PKCS#1 (-----BEGIN RSA PRIVATE KEY-----) and you need it in PKCS#8 (-----BEGIN PRIVATE KEY-----), convert it with OpenSSL’s pkcs8 command:
openssl pkcs8 -topk8 -nocrypt -in oldkey.pem -out newkey.pem
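To catch the two problems above (a missing intermediate and a wrong file format) before pasting anything into IAM in Step 3, here is an added Python example that is not from the original guide: it splits PEM files into blocks, checks that each block decodes to DER, builds the full chain in the same order as the cat command above, and confirms the private key carries one of the two headers the guide lists. The sample inputs are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# Constructed sample inputs (not real certificates or keys): each body is the base64 of a tiny
# DER SEQUENCE, which is enough for the structural checks below to decode and inspect.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
LEAF_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"
BUNDLE_PEM = LEAF_PEM * 2  # stands in for ca_bundle.crt with two intermediates
KEY_PEM = f"-----BEGIN PRIVATE KEY-----\n{FAKE_DER}\n-----END PRIVATE KEY-----\n"

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}  # the two key headers the guide says AWS accepts

def pem_blocks(text):
    """Split PEM text into (label, der_bytes) pairs, rejecting anything that is not clean PEM."""
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"mismatched BEGIN {begin} / END {end} markers")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # certificates and keys are DER SEQUENCEs
            raise ValueError(f"{begin} block does not decode to DER")
        blocks.append((begin, der))
    if not blocks:
        raise ValueError("no PEM blocks found (binary .der/.pfx/.p7b? convert with openssl first)")
    return blocks

def build_fullchain(cert_pem, bundle_pem):
    """Text for fullchain.pem / the Certificate Chain field: server certificate first, then the bundle."""
    leaf = pem_blocks(cert_pem)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        raise ValueError("server certificate file must contain exactly one CERTIFICATE block")
    if any(label != "CERTIFICATE" for label, _ in pem_blocks(bundle_pem)):
        raise ValueError("CA bundle must contain only CERTIFICATE blocks")
    return cert_pem.strip() + "\n" + bundle_pem.strip() + "\n"

def check_private_key(key_pem):
    """Return the key header label if it is one AWS accepts; otherwise say what to convert."""
    blocks = pem_blocks(key_pem)
    if len(blocks) != 1:
        raise ValueError("private key file must contain exactly one block")
    label = blocks[0][0]
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("key is passphrase-protected; decrypt it (openssl pkey) before uploading")
    if label not in KEY_LABELS:
        raise ValueError(f"unexpected header {label}; convert with openssl pkcs8 -topk8 -nocrypt")
    return label

if __name__ == "__main__":
    print(build_fullchain(LEAF_PEM, BUNDLE_PEM))
    print("private key header:", check_private_key(KEY_PEM))
```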
Domain mismatch error
This happens if you visit your site via its IP address or a domain not listed in the certificate. To prevent this, always use the exact domain name the SSL certificate was issued for.
Site not loading on HTTPS
Check the following:
- Is your EC2 instance running?
- Is port 443 open in your EC2 Security Group?
- Is your Load Balancer listener configured correctly?
Protocol or version errors
Old SSL/TLS versions are often blocked. Make sure your server supports TLS 1.2 or higher, and that deprecated versions like SSLv3 or TLS 1.0 are disabled.
403 Forbidden over HTTPS
This could be a misconfigured server or missing SSL-specific settings. Review your web server’s HTTPS config and permissions:
- Make sure the HTTPS virtual host is correctly set up and points to the right directory.
- Check file and directory permissions for the web root.
Still not working?
- Check your server logs:
  - Nginx: /var/log/nginx/error.log
  - Apache: /var/log/httpd/error_log
- Contact AWS support or your SSL provider for help.
Conclusion
Installing an SSL certificate on an AWS EC2 instance is an important step in securing your web application. From generating a CSR to configuring your load balancer for HTTPS, each part of the process helps protect the data exchanged between your users and your site.
Once everything is set up correctly, your site will serve traffic securely, build user trust, and meet modern security standards. Also, don’t forget to monitor certificate expiry dates and regularly test your SSL setup to catch any issues early.