Step 1: Enable TLS on the server
To enable TLS on a server

1. Connect to your instance and confirm that Apache is running.

2. To ensure that all of your software packages are up to date, perform a quick software update on your instance.

       [ec2-user ~]$ sudo yum update -y

   The -y option installs the updates without asking for confirmation. If you would like to examine the updates before installing, you can omit this option.

3. Now that your instance is current, add TLS support by installing the Apache module mod_ssl.

       [ec2-user ~]$ sudo yum install -y mod_ssl

   Your instance now has the following files that you use to configure your secure server and create a certificate for testing:

   /etc/httpd/conf.d/ssl.conf
       The configuration file for mod_ssl. It contains directives telling Apache where to find encryption keys and certificates, the TLS protocol versions to allow, and the encryption ciphers to accept.

   /etc/pki/tls/certs/make-dummy-cert
       A script to generate a self-signed X.509 certificate and private key for your server host. This certificate is useful for testing that Apache is properly set up to use TLS. Because it offers no proof of identity, it should not be used in production; if it is, browsers display certificate warnings.

4. Run the script to generate a self-signed dummy certificate and key for testing.

       [ec2-user ~]$ cd /etc/pki/tls/certs
       [ec2-user certs]$ sudo ./make-dummy-cert localhost.crt

   This generates a new file, localhost.crt, in the /etc/pki/tls/certs/ directory. The file name matches the default assigned in the SSLCertificateFile directive in /etc/httpd/conf.d/ssl.conf.

   This file contains both the self-signed certificate and its private key. Apache requires the certificate and key to be in PEM format, which consists of Base64-encoded ASCII text framed by "BEGIN" and "END" lines, as in the following abbreviated example.

5. Open the /etc/httpd/conf.d/ssl.conf file and comment out the following line, because the self-signed dummy certificate file already contains the key. If you do not comment out this line before you complete the next step, the Apache service fails to start.

       SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
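Before restarting httpd it is worth confirming that ssl.conf and the certificate file it names agree, since a still-active SSLCertificateKeyFile next to a bundled key is exactly the failure the step above describes. The following POSIX shell script is an added example and is not part of the AWS page or of mod_ssl; it assumes a certificate file laid out the way make-dummy-cert produces it (private key and certificate in one PEM file), and the function names (active_directive, check_ssl_conf, make_samples) and the sample files make_samples writes are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the AWS page or mod_ssl: check that ssl.conf and the
# certificate file it names agree before httpd is restarted. Function names and
# the sample files built by make_samples are constructed for this illustration.

# Print the value of the first active (uncommented) occurrence of directive $1
# in config file $2; print nothing if the directive is absent or commented out.
active_directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | head -n 1
}

# Return 0 when the configuration is consistent, 1 otherwise, and say why.
check_ssl_conf() {
    conf="$1"
    cert=$(active_directive SSLCertificateFile "$conf")
    key=$(active_directive SSLCertificateKeyFile "$conf")

    if [ -z "$cert" ]; then
        echo "FAIL: no active SSLCertificateFile directive in $conf"
        return 1
    fi
    if [ ! -r "$cert" ]; then
        echo "FAIL: certificate file $cert is missing or unreadable"
        return 1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert does not contain a PEM certificate block"
        return 1
    fi
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$cert"; then
        # Key bundled with the certificate (what make-dummy-cert produces):
        # a still-active SSLCertificateKeyFile is the case the page warns about.
        if [ -n "$key" ]; then
            echo "FAIL: $cert bundles the private key but SSLCertificateKeyFile ($key) is still active; comment it out or httpd will not start"
            return 1
        fi
    elif [ -z "$key" ] || [ ! -r "$key" ]; then
        # Key not bundled: the separate key file must be present and readable.
        echo "FAIL: no readable SSLCertificateKeyFile for $cert"
        return 1
    fi
    echo "OK: $conf and $cert are consistent"
    return 0
}

# Build constructed stand-ins for localhost.crt and two versions of ssl.conf
# in a temporary directory and print that directory's path. The PEM bodies are
# placeholder text, not real key material.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '-----BEGIN PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbm90LWEtcmVhbC1rZXk=' \
        '-----END PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' \
        'Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXItbm90LWEtcmVhbC1jZXJ0' \
        '-----END CERTIFICATE-----' > "$dir/localhost.crt"
    # Before the edit: the key directive is still active (httpd would fail).
    printf '%s\n' \
        "SSLCertificateFile $dir/localhost.crt" \
        'SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' > "$dir/ssl-before.conf"
    # After the edit: the key directive is commented out.
    printf '%s\n' \
        "SSLCertificateFile $dir/localhost.crt" \
        '#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' > "$dir/ssl-after.conf"
    echo "$dir"
}

# Run directly with a config path to check a real file, for example:
#   sh check-ssl-conf.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -gt 0 ]; then
    check_ssl_conf "$1"
fi
```

On a real instance, run it as root (the certificate file is world-readable, but the check also needs to read the key file when the key is kept separately). The check only looks at the first active occurrence of each directive, which matches the single-VirtualHost ssl.conf that mod_ssl installs; a configuration with several TLS virtual hosts would need the check run per VirtualHost block.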
6. Restart Apache.

       [ec2-user ~]$ sudo systemctl restart httpd

   Note: Make sure that TCP port 443 is accessible on your EC2 instance, as previously described.

7. Your Apache web server should now support HTTPS (secure HTTP) over port 443. Test it by entering the IP address or fully qualified domain name of your EC2 instance into a browser URL bar with the prefix https://.

   Because you are connecting to a site with a self-signed, untrusted host certificate, your browser may display a series of security warnings. Override the warnings and proceed to the site.

   If the default Apache test page opens, you have successfully configured TLS on your server. All data passing between the browser and server is now encrypted.
URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-...