EC2, IP Addresses, Domain Name, SSL, and Instances Worry.


I'm currently using my EC2 Instance to host a program but my instance needs a domain name to have an SSL Certificate given by AWS. However, I'm worried that in the future when I need my instance to be upgraded its IP address will have to change if I choose to upgrade. What will happen to my SSL certificate then? Would that mean for my new Instance I have to get it re-certified, which also means I have to buy a new domain name? Or could I re-use my domain name for my new Instance? And if I do re-use my domain name, will that still provide me the SSL Certificate for my Instance to have HTTPS in its link?

My biggest concern here is cost, I'd like to keep it minimal. So I'm worried if I have to get a new domain name every time I want to upgrade my instance, because I'm not clear if upgrading my instance will change its IP address that is linked to a domain name certified with an SSL certificate. I'm also not clear if upgrading my instance will change its IP address associated with the certified domain.

My priority is just making sure that I have a sufficient amount of resources in my instance to run the program and an HTTPS link to have security for my clients.

Adam
asked 5 months ago, 260 views
2 Answers
0

Everything @Brettski says in his answer is correct, addressing a few more points from your question:

You mention you need an SSL certificate given by AWS - if you're just running a single EC2 instance, without CloudFront or a load balancer in front of it, then AWS can't issue a certificate for that. Amazon Certificate Manager (ACM) issues certificates for use with selected services like CloudFront, load balancers, API Gateway, and others, but not EC2: https://docs.aws.amazon.com/acm/latest/userguide/acm-services.html

Say you own mydomain.com, you probably want to create an A-record whose name is mydomain.com and value is the public IP address of the EC2 instance. You may also want to create a record for www.mydomain.com as well, up to you. The public IP address will change if the instance is stopped and started (but not if it is rebooted) and the record would need to be updated if this happens, as would also need to happen if the instance was terminated and replaced with a new one.

To generate a cert to be used with EC2 you'll need to use a third party such as LetsEncrypt: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html

The certificate signing request (CSR) should include mydomain.com and perhaps www.mydomain.com, or even just the wildcard *.mydomain.com depending on your particular use case. The certificate request doesn't need to have the IP address.

If you've put CloudFront or a load balancer in front of your EC2 then you can get a cert from ACM and associate it with that service, and you won't now need a cert on your EC2. Assuming your domain is purchased and managed through Route 53 the certificate can be validated more-or-less automatically using Route 53 to prove you own the domain. Again, the certificate should only include DNS names, not IP addresses.

Your Route 53 records for mydomain.com and so on would point to the load balancer or CloudFront distribution, and unlike in the EC2's case these should remain static.

EXPERT
Steve_M
answered 5 months ago
  • So if I were to get a domain name from Route 53, then associate it with my EC2 instance, I can then get my certificate from ACM using my domain name from Route 53. So by doing this my domain will be certified and host an HTTPS session?

  • You get a domain from Route 53, and in the hosted zone create an A-record whose value is the IP address of your EC2 instance. You can then get a certificate from LetsEncrypt (or whoever, although not ACM) and add this into the webserver config on the EC2.

    Or, you put a load balancer in front of your EC2 https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancer-getting-started.html and configure this with a certificate obtained from ACM https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb and point your DNS record in Route 53 at the load balancer.

    After either of these your website will respond to an HTTPS request with a certificate signed by a trusted certificate authority.

  • Could you enlighten me as to why I can't get a certificate from ACM? Or why I need a load balancer? Because from this link, https://eu-central-1.console.aws.amazon.com/acm/home?region=eu-central-1#/welcome, ACM provides the service to give out the SSL Certificate to the Domain.

    Could I not do this instead: get a domain from Route 53, and in my hosted zone create the A-record associated with my EC2 instance's IP Address. Then in ACM, where I can request an SSL certificate, provide my domain in there and receive my SSL certificate, to host an HTTPS session?

  • ACM supports the automatic delivery, installation and update of certificates on load balancers, CloudFront and other services as listed in the documentation. Today, EC2 is not one of those services.
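The LetsEncrypt path Steve_M describes starts with a CSR that names only DNS names, and the answer below adds that the resulting certificate has an expiry date to watch. This added example (not from the thread, not AWS's or LetsEncrypt's code) builds such a CSR for the placeholder mydomain.com, checks its SAN before it goes to a CA, and checks how close a certificate is to expiry; it assumes openssl is installed and uses a constructed self-signed certificate purely so the expiry check has something to inspect.

```shell
#!/bin/sh
# Added example: CSR with DNS-only SAN, a pre-submission check, and an expiry check.
# Assumes openssl on PATH; mydomain.com is the placeholder domain from the answer.
WORK=$(mktemp -d)

# make_csr DOMAIN KEY_OUT CSR_OUT: the private key never leaves the instance;
# only the CSR is sent to the CA. No IP address appears anywhere in the request.
make_csr() {
  cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = DNS:$1, DNS:www.$1
EOF
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
    -config "$WORK/req.cnf" 2>/dev/null
}

# csr_sans CSR: print the SAN entries, e.g. "DNS:mydomain.com, DNS:www.mydomain.com"
csr_sans() {
  openssl req -noout -text -in "$1" |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# csr_check CSR DOMAIN: succeed only if the SAN covers DOMAIN and names no IP address
# (an IP entry would be tied to an address that changes on stop/start or replacement).
csr_check() {
  sans=$(csr_sans "$1")
  case "$sans" in *"IP Address:"*) echo "SAN contains an IP address" >&2; return 1;; esac
  case "$sans" in *"DNS:$2"*) return 0;; esac
  echo "SAN does not cover $2" >&2
  return 1
}

# self_sign CSR KEY CERT_OUT DAYS: constructed stand-in for the CA-issued certificate,
# used here only so the expiry check below has something to inspect.
self_sign() {
  openssl x509 -req -in "$1" -signkey "$2" -days "$4" -out "$3" 2>/dev/null
}

# cert_expires_within CERT SECONDS: succeed if CERT expires within SECONDS (time to
# renew). openssl -checkend exits 0 while the cert stays valid, so it is negated.
cert_expires_within() {
  ! openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}
```

Run cert_expires_within from cron against the installed certificate and trigger renewal when it succeeds, so the instance never serves an expired certificate.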

0

IP addresses are not linked to SSL certificates in any way. In one technical sense, a certificate is a text file that contains a private (and probably public) key. As long as your instance has that file (and we strongly recommend that you update the certificate periodically - it has an expiry date) then it is able to host an HTTPS session.

There are many ways to get a properly signed certificate - all of them will have some way of ensuring that you own the domain that you are generating the certificate for. So as long as you can do that (which might be via DNS entries or via email) then you can continue to generate certificates.

You do not need a new domain name when you upgrade your instance.

AWS
EXPERT
answered 5 months ago
