How To Get A Free SSL/TLS Certificate: AWS Certificate Manager

Jan. 25, 2021, 5:48 p.m.
AWS · 9 min read

SSL/TLS certificates are a crucial part of data transfer between browsers and web servers. They may sound daunting at first, but AWS makes it extremely simple to add a free SSL/TLS certificate to any website. 

This article will discuss:

  1. What is an SSL certificate?
  2. What is a TLS certificate?
  3. What is the difference between an SSL and TLS certificate?
  4. How does an SSL/TLS certificate work?
  5. How can you tell if a site has an SSL/TLS certificate?
  6. How do you get a free SSL/TLS certificate?
  7. How to request an SSL public certificate using AWS Certificate Manager
  8. How to add the DNS records to your domain
  9. How to install your certificate on your server

 


 

What is a Secure Socket Layer (SSL) certificate?

An SSL certificate is a digital certificate, or electronic document, providing proof of public key ownership. This certificate is an important indication to the user that passwords, contact information, and credit card numbers will remain secure as they are sent from the client's browser to the website's web server.

 

What is a Transport Layer Security (TLS) certificate?

A TLS certificate is the successor of the SSL certificate.

However, the terms are often used interchangeably, since the term SSL has become synonymous with website encryption and security.

 

What is the main difference between SSL and TLS?

The key difference between SSL and TLS is the cipher suites, the algorithms used to sequence the steps required prior to the cryptographic function.

While SSL connects via a port or explicit connection, TLS uses a protocol or implicit connection giving a faster and more secure connection.

 


 

How does SSL/TLS security work?

SSL/TLS uses public-key cryptography, a process where a key pair comprised of a public key and a private key encrypts then decrypts the data exchanged from the browser to the webserver.

 

What is an SSL/TLS public key?

An SSL/TLS public key is made available to everyone and is what encrypts the connection between the client and the webserver by activating the HTTPS protocol.

 

What is an SSL/TLS private key?

The SSL/TLS private key is kept secret and is what decrypts the data sent over the HTTPS protocol. 

 


 

How can you tell if a site has an SSL certificate?

It is generally understood that you should never enter your personal or financial information on a site that does not have a valid SSL certificate.

 

How do you know a site is missing SSL/TLS security?

Web browsers make it easy for online users to identify SSL certificate ownership via a lock icon next to the website's URL.

 


 

How do you get a free SSL/TLS certificate?

Public certificates are currently free to create and use on AWS Certificate Manager. The only things required are a custom domain and an AWS account.

One of the services provided by AWS is a Certificate Manager for Secure Socket Layer (SSL)/Transport Layer Security (TLS) certificates.

 

NOTE: Only one certificate can be added to an EB-deployed Django app, so add all of the necessary domains to that one certificate. AWS does not allow changes to a verified certificate, so create a new certificate if you need a new domain added.

 


 

Login to AWS

AWS Free Tier Account


Log in to AWS or create a free AWS account

 


 

How to Use AWS Certificate Manager

How to find AWS Certificate Manager on AWS Management Console

Once logged in, you can find AWS Certificate Manager by:

AWS Search Certificate Manager Service

a. Clicking the search bar and typing in "Certificate Manager" or

AWS Find the Certificate Manager Service under All Services

b. Scrolling down to the "Security, Identity, & Compliance" section of "All services" and clicking on "Certificate Manager".

 


 

Request an SSL/TLS certificate from AWS Certificate Manager (ACM)

Get started with a Provision certificate

AWS Provision certificate

Once on the AWS Certificate Manager Service page, click the "Get Started" button under "Provision certificates". 

 

TO START: Request a public certificate

First, request a certificate

With a provision certificate, you can only request a public certificate. This is the certificate needed as it is the one trusted by browsers and operating systems. 

Click "Request a certificate" to continue.

 

STEP 1: Add domain names

Add domains to AWS certificate

First, add your unique domain names to the certificate. Add both your domain.com and your www.domain.com.

You can add up to 10 domains, including subdomains, to one AWS certificate.

When you have finished adding your domains, click "Next". 

 

STEP 2: Select your validation method

Next, you need to choose your method of validation. You can choose to validate that you own the domain by adding a DNS record to the DNS configurations on the web hosting site you use or by email.

AWS DNS validation

If you are relatively familiar with DNS records and web hosting, and have access to modify the website's records, choose "DNS validation".

AWS email validation

If you do not have access to modify records via a web hosting site, choose "Email validation".

Click "Next" when you are ready to continue.

 

STEP 3: Add tags

AWS tags added to AWS certificate

The next step is optional. You can choose to assign metadata to your certificates to help manage them.

Click "Review" to continue to the next step.

 

STEP 4: Review

AWS review certificate selections

It's time to review the options selected for the certificate. Now is a good time to double-check the domain name is spelled correctly.

You cannot change your certificate once it is created, so be sure to correct any errors now.

When you are ready, click "Confirm and request". 

For the rest of the tutorial, we will be following the DNS validation method.

 

STEP 5: Validation

Autogenerated DNS record

Once the DNS records are generated, you will see your domains with the validation status of "Pending validation".

 

DNS CNAME record

Click the expand arrow next to each domain and you will see the "Name", "Type", and "Value" for the DNS record you need to add to your site. This record will be unique to your certificate and domain. 

You can choose to Export the DNS configuration, but leave the tab open for the next step. You will be copying and pasting the DNS records.

 

 


 

How to add ACM DNS records to your website

The next step is adding the CNAME records given by AWS Certificate Manager to your domain to verify that you control the domains needing the certificates.

Please follow the instructions for your web hosting provider. 

 

a) How to verify your SSL certificate on AWS Route 53

AWS Route 53

If your domain is hosted on AWS Route 53:

Click the button "Create record in Route 53" when you are on STEP 5: Validation.

This will automatically add the DNS configurations to your domain hosted on AWS Route 53.

Be sure to create the record in Route 53 for all domains listed. 

 

b) How to verify your SSL certificate on NameCheap

Namecheap web hosting

If your domain is located on NameCheap, please follow the directions below.

Log in to NameCheap.

Click "Domain List" on the left menu panel.

Click the "Manage" button on the domain you're using.

Click "Advanced DNS" on the top menu panel.

Then under "HOST RECORDS" click the "ADD NEW RECORD" button.

For "Type", select "CNAME Record" from the dropdown.

Now for the most important part:

For "Host", add the "Name" provided on the AWS STEP 5: Validation page, but do not include the domain name attached at the end of the host value.

The "Name" on AWS will be something like:

_4345t34hbuho.domain.com

But on NameCheap you need to only add:

_4345t34hbuho

It's the same for any subdomain, including www.

The "Name" on AWS will be something like:

_4345t34hbuho.www.domain.com

But on NameCheap you need to only add:

_4345t34hbuho.www

For the "Value" or "IP Address" add the exact "Value" provided by AWS.

Finally, for "TTL" keep it at the default value "Automatic".

When everything looks good to go, click the checkmark next to each record or click the button "Save all changes".

 

c) How to verify your SSL certificate on GoDaddy

GoDaddy SSL certificate

Log in to GoDaddy.

Navigate to the DNS settings. 

Create a new CNAME. 

Now for the most important part:

For "Host", add the "Name" provided on the AWS STEP 5: Validation page, but do not include the domain name attached at the end of the host value.

The "Name" on AWS will be something like:

_4345t34hbuho.domain.com

But on GoDaddy you need to only add:

_4345t34hbuho

It's the same for any subdomain, including www.

The "Name" on AWS will be something like:

_4345t34hbuho.www.domain.com

But on GoDaddy you need to only add:

_4345t34hbuho.www

For the "Value" or "IP Address" add the exact "Value" provided by AWS.

Finally, for "TTL" keep it at the default.

When everything looks good, save the changes.
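The host-field rule from sections b) and c), as an added example that is not part of the original article: it reads validation records shaped like the output of `aws acm describe-certificate` and produces the Type/Host/Value rows to paste into a registrar form. The record names reuse the article's sample, the values are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like `aws acm describe-certificate` output.
# Names follow the article's example; the values are made up for illustration.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Certificate": {
        "DomainValidationOptions": [
            {"DomainName": "domain.com", "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_4345t34hbuho.domain.com.", "Type": "CNAME",
                                "Value": "_0a1b2c3d.acm-validations.aws."}},
            {"DomainName": "www.domain.com", "ValidationStatus": "PENDING_VALIDATION",
             "ResourceRecord": {"Name": "_4345t34hbuho.www.domain.com.", "Type": "CNAME",
                                "Value": "_4e5f6a7b.acm-validations.aws."}},
        ]
    }
})


def relative_host(record_name: str, zone: str) -> str:
    """Strip the zone from ACM's fully qualified record name for a registrar 'Host' field."""
    name = record_name.rstrip(".").lower()  # DNS names are case-insensitive
    zone = zone.strip(".").lower()
    suffix = "." + zone
    # Match on a label boundary so "notdomain.com" is never treated as "domain.com".
    if not name.endswith(suffix):
        raise ValueError(f"{record_name!r} is not inside zone {zone!r}")
    return name[: -len(suffix)]


def registrar_entries(describe_json: str, zone: str) -> list:
    """Turn ACM validation records into the rows a registrar DNS form expects."""
    options = json.loads(describe_json)["Certificate"]["DomainValidationOptions"]
    rows = []
    for opt in options:
        record = opt.get("ResourceRecord")
        if record is None:  # record not generated yet, or email validation in use
            continue
        rows.append({
            "domain": opt["DomainName"],
            "type": record["Type"],
            "host": relative_host(record["Name"], zone),
            "value": record["Value"],  # paste exactly as ACM gives it
        })
    return rows


if __name__ == "__main__":
    for row in registrar_entries(SAMPLE_DESCRIBE_OUTPUT, "domain.com"):
        print(row)
```

A record whose name does not end in the zone raises an error instead of producing a host, which catches the case where a record for one domain is about to be pasted into another domain's DNS settings.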

 


 

Wait for the validation status to update

The last step is to wait for the record validation status to update.

Return to the AWS Certificate Manager tab and click "Continue". Your domain certificate should now be listed on the ACM homepage with the status "Pending validation".

It may take a few minutes for the status to update, so it is best to step away and do something else besides constantly refreshing your page.  

When the validation status has updated, the overall status will read "Issued" and the validation status will state "Success".

 


 

How to install an SSL/TLS certificate on your server

The last thing is adding the SSL/TLS certificate to your server. 

 

a) How to install your SSL/TLS certificate on your AWS EC2 server

AWS EC2 Load Balancer

Go to the EC2 service on AWS.

Click the "Load Balancers" link at the bottom of the left side menu panel. 

Select the load balancer where you want to upload the SSL certificate. 

Go to the "Listener" tab option that appears on the load balancer selection.

Click "Edit".

In the "Edit listeners" popup menu:

Select HTTPS for the "Load Balancer Protocol".

Type in 443 for the "Load Balancer Port".

Set the "Instance protocol" as HTTP.

Keep the "Instance port" at 80.

Finally, select the SSL certificate created for the particular domain.

Click "Save" when you're done.

There should now be two listeners on the load balancer, one with the HTTPS load balancer protocol and one with the HTTP load balancer protocol.

Be sure to save all changes made.

 

b) How to install your SSL/TLS certificate on your AWS Elastic Beanstalk environment

Add AWS Certificate to Elastic Beanstalk load balancer

If your project is on an AWS Elastic Beanstalk environment, you need to configure your EB Load Balancer with the certificate. 

Go to the AWS Elastic Beanstalk service.

Select the "Environments" tab on the left side menu panel.

Click on the environment holding the website you need to edit. Make sure you are in the correct region or you will not see your environment listed.

Then click on the "Configuration" link listed under your environment on the left side menu panel.

Scroll down to the "Load Balancer" section and click "Edit".

Scroll to the "Listeners" section at the top of the page.

Then click the "Add listener" button. 

In the "Classic Load Balancer listener" popup menu:

Type in 443 for the "Listener port".

Select HTTPS for the "Listener protocol".

Keep the "Instance port" at 80.

And keep the "Instance protocol" HTTP.

Finally, select the SSL certificate created for the particular domain.

Click "Add" when you're done.

There will now be a "Pending create" listener listed along with the default listener.

Scroll to the bottom of the page and click the "Apply" button to update the environment. 






Written By
Jaysha
Hello! I enjoy learning about new CSS frameworks, animation libraries, and SEO.