In this post, I will be explaining the steps for configuring SSL on Apache Web Server running on AWS EC2 Amazon Linux instance.


  1. You will need to provision an EBS-backed Amazon Linux instance. For more information, see Getting started with Amazon EC2 Linux Instances

  2. Make sure the security group attached with your instance allows connections on following TCP ports:
    • SSH – port 20
    • HTTP – port 80
    • HTTPS – port 443
  3. As a best practice, only allow SSH access to your IP address. You can configure this in the security group. For more information, see Creating a Security Group

Installing Apache web server

  1. Connect to your instance
    ssh ec2-user@<instance-public-ip> -i <key-pair-file>
  2. We need to ensure the software packages on your instance is latest. Perform a quick software update.
    sudo yum update -y
  3. Check if Apache is already installed
    sudo service httpd status
  4. If Apache is missing, install Apache.
    sudo yum install httpd -y
  5. Check if Apache is installed.
    sudo service httpd status
  6. If Apache is not running, start httpd service
    sudo service httpd start
  7. Let us ensure that httpd service starts automatically
    sudo chkconfig httpd on
  8. Add SSL/TLS support to Apache
    sudo yum install -y mod_ssl

Creating Private Key and Certificate Signing Request (CSR)

To obtain a signed certificate from Certificate Authority (CA), you would have to first generated a self-signed SSL/TLS X.509 host certificate.

  1. Connect to your instance and navigate to /etc/pki/tls/private. Server’s private key for SSL/TLS is stored in this directory.
    ssh ec2-user@<instance-public-ip> -i <key-pair-file>
    cd /etc/pki/tls/private/
  2. Create an RSA private key with password protection. This will generate a 2048-bit RSA private key that has been encrypted with AES-128 cipher. Important point to remember, each time you use this key, you would need to supply the password.
    sudo openssl genrsa -aes128 -passout pass:EnterPasswordHere -out PrivateKeyFileName.key 2048
  3. We need to make sure that the private key has highly restrictive ownership
    sudo chown root.root PrivateKeyFileName.key
    sudo chmod 0600 PrivateKeyFileName.key
    ls -al PrivateKeyFileName.key
  4. Let us now create CSR using the newly generated private key. OpenSSL req command will prompt you for the information listed in the table below. The details you provide here will be crossed checked by certificate authority. Make sure you enter the correct domain name in Common Name property

    Attribute Prefix Description Example
    Country/Region C Business Location – Country GB
    State/Province ST Business Location – State/Province Surrey
    City/Locality L Business Location – City Sutton
    Organization Unit OU Organization Unit if required to be listed* Optional*
    Organization O Organization’s legal business name Your company name
    Common Name CN Domain to be secured by certificate
    sudo openssl req -new -key PrivateKeyFileName.key  -out CSRFileName.pem
  5. Finally the openssl command will prompt you for an optional challenge password.

  6. The resulting file will contain the public key, the digital certificate for this public key and the information you entered.

  7. Now you are ready to submit the CSR to a certificate authority. You will usually copy the content of CSR file into the certificate request form. The CA will validate the ownership of the domain before issuing the certificate. After the request has been approved, you will receive a new certificate signed by the certificate authority. The certificate file will have .crt extension

  8. Copy the certificate to your server. The easiest way is to copy the content of the crt file, create a new file on server and paste the content. Alternatively you can upload the certificate to S3 bucket and copy to server using aws cli.

  9. Copy signed certificate files to /etc/pki/tls/certs/ directory.

  10. You can check the details of the CA signed certificate.
    openssl x509 -in certificate.crt -text
  11. We need to make sure that the signed certificate files has highly restrictive ownership. Perform these actions on all crt files

    sudo chown root.root certificate.crt
    sudo chmod 0600 certificate.crt
    ls -al certificate.crt

Update ssl.conf

This is the configuration file for mod_ssl. It contains configuration which tells Apache where to find encryption key, certificate, SSL/TLS settings and cipher information.

  1. Edit /etc/httpd/conf.d/ssl.conf

  2. Update Apache’s SSLCertificateFile directive

    SSLCertificateFile /etc/pki/tls/certs/certificate.crt
  3. If you have recieved CA intermediate certificate file, update SSLCACertificateFile directive
    SSLCACertificateFile /etc/pki/tls/certs/intermediate.crt
  4. Update private key path in SSLCertificateKeyFile directive
    SSLCertificateKeyFile /etc/pki/tls/private/custom.key
  5. Save ssl.conf and restart Apache
    sudo service httpd restart

Your Apache web server is now ready for SSL/TLS communication.