How do I install an SSL/TLS certificate on my EC2 Windows instance running IIS server?


I want my web application or website running on an Amazon Elastic Compute Cloud (Amazon EC2) instance to use HTTPS. How do I install my own SSL certificate on an EC2 Windows instance running Internet Information Services (IIS) server to allow this?

Short description

Note: If you're using Elastic Load Balancing (ELB), you can use an Amazon-provided certificate from AWS Certificate Manager (ACM). For more information, see How can I associate an ACM SSL/TLS certificate with a Classic, Application, or Network Load Balancer?

There are three steps to install an SSL/TLS certificate on your EC2 Windows instance:

  1. Create a Certificate Signing Request (CSR) and request your SSL certificate.
  2. Install your SSL certificate.
  3. Assign the SSL certificate to your IIS deployment.

You can also modify an existing SSL certificate assigned to a site.

Resolution

Step 1: Create a CSR and request your SSL certificate

1.    Open the IIS Manager by selecting Start, Control Panel, Administrative Tools, Internet Information Services (IIS) Manager.

2.    Select Connections, and then select the name of the server where you're installing the certificate.

3.    In the IIS section of the home page, select Server Certificates.

4.    On the Server Certificates console, select Actions, and then select Create Certificate Request. The Request Certificate wizard opens.

5.    Enter the following values in the Request Certificate wizard:

  • Common name: Enter the fully qualified domain name (FQDN) of the domain (for example, www.example.com).
  • Organization: Enter your company's name.
  • Organizational unit: Optionally, enter the name of the department within your organization.
  • City/locality: Enter the city where the company is legally located.
  • State/province: Enter the state or province where the company is legally located.
  • Country: Enter the country where the company is legally located.

6.    For Cryptographic Service Provider Properties, enter the following information:

  • Cryptographic service provider: Select Microsoft RSA SChannel Cryptographic Provider. You can select other options, if needed.
  • Bit length: Use 2048, which is the current best practice, unless a higher value is required.

7.    Select Browse next to the Specify a file name for the certificate request field to browse to the location where you're saving the CSR.

Note: If you don't select a location, the file saves to C:\windows\system32.

8.    Select Next.

9.    Select Finish.

10.    Use a text editor to copy the text from the created file. The following is an example of the text:

-----BEGIN NEW CERTIFICATE REQUEST-----
<examplekey>
-----END NEW CERTIFICATE REQUEST-----

11.    Send this value, including the first and last lines, to your chosen certificate provider so that they can issue the certificate.

When the certificate is available, move to Step 2: Install your SSL certificate.
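
A scripted equivalent of the wizard settings in Step 1, using certreq.exe and an INF file. This is an added example, not part of the original article; the output folder, organization, city, and state values are constructed placeholders, and the SHA-256 hash and server-authentication EKU are assumptions the wizard steps don't mention.

```powershell
# Added example: build the CSR from the same values the Request Certificate wizard asks for.
# Run in an elevated PowerShell session on the server that will host the site.
$CommonName = 'www.example.com'   # FQDN, as in the article's example
$WorkDir    = 'C:\certs'          # assumed folder; avoids the C:\windows\system32 default
$InfPath    = Join-Path $WorkDir 'request.inf'
$CsrPath    = Join-Path $WorkDir 'request.csr'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Subject fields other than CN are placeholders; replace them with your legal details.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$CommonName, OU=IT, O=Example Corp, L=Seattle, S=Washington, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $InfPath -Encoding ASCII

# Generates the key pair in the machine key store and writes the PKCS#10 request.
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review what will be sent to the certificate provider before submitting it.
certutil.exe -dump $CsrPath |
    Select-String -Pattern 'Subject:', 'Public Key Length', 'Signature Algorithm'
```

With Exportable = FALSE the private key never leaves this server, so the issued certificate has to be installed on the same server that generated the request.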

Step 2: Install your SSL certificate

1.    Save the certificate file issued by the chosen provider to the server where you created the Certificate Signing Request (CSR).

2.    Open the IIS Manager by selecting Start, Control Panel, Administrative Tools, Internet Information Services (IIS) Manager.

3.    Select Connections, and then select the name of the server where you're installing the certificate.

4.    In the IIS section, select Server Certificates.

5.    Select Actions, Complete Certificate Request. A wizard launches.

6.    For Specify Certificate Authority Response, enter the following information:

  • File name containing the certificate authority's response: Select the certificate (.cer) file.
  • Friendly name: Enter a name for you to identify the certificate. For easier identification, consider adding the expiration date and use case.
  • Select a certificate store for the new certificate: Select Web Hosting.

Your SSL certificate is installed on the server and ready for use. Now you must assign it to your site.

Step 3: Assign the SSL certificate to your IIS deployment

1.    Open the IIS Manager by selecting Start, Control Panel, Administrative Tools, Internet Information Services (IIS) Manager.

2.    Under Connections, expand the section of the server where you installed the certificate.

3.    Expand the Sites section, and then select the site where you want to assign the certificate.

4.    On the site's home page, select Bindings.

5.    In the Site Bindings wizard, select Add.

6.    In the Add Site Binding dialog box, enter the following information:

  • Type: Select HTTPS.
  • IP Address: Select the IP Address of the site or select All Unassigned.
  • Port: Enter 443. Port 443 is the port used by HTTPS for SSL secured traffic.
  • SSL Certificate: Select the SSL certificate for this site (for example, example.com).

Now the SSL certificate is assigned to this specific site for use with HTTPS.
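
To confirm the result of Steps 2 and 3, the following added example (not part of the original article) reads the site's HTTPS bindings and checks the bound certificate for a private key, key size, expiry, and chain and host name validity. The site name and the 30-day expiry threshold are assumptions.

```powershell
# Added example: audit the certificate bound to an IIS site's HTTPS binding.
# Run in an elevated Windows PowerShell session on the IIS server.
Import-Module WebAdministration

$SiteName = 'Default Web Site'   # assumption: replace with your site name
$HostName = 'www.example.com'    # FQDN used as the certificate's common name

$report = foreach ($b in Get-WebBinding -Name $SiteName -Protocol https) {
    $cert = $null
    if ($b.certificateHash) {
        $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
    }

    $problems = @()
    if (-not $cert) {
        $problems += 'binding has no certificate, or it is not in the bound store'
    } else {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        # A missing private key usually means the CSR was created on a different server.
        if (-not $cert.HasPrivateKey)                 { $problems += 'no private key on this server' }
        if ($rsa -and $rsa.KeySize -lt 2048)          { $problems += "RSA key is only $($rsa.KeySize) bits" }
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += 'expires within 30 days' }
        # Builds the chain and checks the SSL policy for the expected host name.
        $valid = Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -WarningAction SilentlyContinue
        if (-not $valid)                              { $problems += 'chain or host name validation failed' }
    }

    [pscustomobject]@{
        Binding    = $b.bindingInformation
        Store      = $b.certificateStoreName
        Thumbprint = $b.certificateHash
        NotAfter   = if ($cert) { $cert.NotAfter }
        Problems   = $problems -join '; '
    }
}

$report | Format-List
```

An empty Problems field for every binding means the certificate is installed with its key, is not close to expiry, and validates for the host name.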

Modify an existing SSL certificate assigned to a site

To modify a certificate assigned to a site, do the following:

1.    Follow the steps in Step 1: Create a CSR and request your SSL certificate.

2.    Follow the steps in Step 2: Install your SSL certificate.

3.    Follow steps 1 through 4 in Step 3: Assign the SSL certificate to your IIS deployment.

4.    In the Site Bindings wizard, find the HTTPS binding, select it, and then choose Edit.

5.    Select the new certificate from the SSL certificate dropdown list, and then select OK.


AWS OFFICIAL
Updated 2 years ago