- Newest
- Most votes
- Most comments
Hello,
From the case description, I understand that you have a private hosted zone on AWS Route 53. You also have a web service running on EC2 instance and it is connected to a load balancer. You have created a Private CA and successfully received the certificate from ACM. You then attached this certificate to your internal Load Balancer which is sending requests to the EC2 instance. But still you are not able to access your web service securely(HTTPS) from your web browser. You wish to know why you are not able to access the web services securely even after you have attached the private certificate to your Load Balancer. Please correct me if I have misunderstood here.
Please note that Private certificates in AWS are issued by Private Certificate Authorities which you create in the AWS environment. As the name suggests, these are Private and local to the organization. These are not trusted by all browsers by default and hence, when you use these Private certificates for your web service, then they would show as not trusted since the browser does not trust the Certificate Authority which has issued this private certificate.
To mitigate this issue, you can make the browsers trust the Root CA certificate of your Private CA. Once you make the browsers trust the Root Certificate Authority's certificate, then any Private Certificate issued by that AWS PCA would be trusted by the browser. To do this ,you have to retrieve the CA certificate[1] of the PCA and ensure that the certificate is installed within the web browser certificate trust store.
To get the certificate of your AWS PCA's Root CA:-
- Open the AWS PCA console page - https://console.aws.amazon.com/acm-pca/home
- Navigate through the list of Private Cas present and select your Private CA
- Now, go to the "CA Certificate" tab for this PCA and scroll down to the "Additional information" section.
- Here, you will be able to see the Certificate body. Click the button "Export certificate body to a file" and you will get the Root CA certificate in a .pem format file.
- Please follow the steps given in the documentation [2] for trusting a certificate in browser.
Note: The certificate installing procedure changes a bit for each browser (Chrome, Firefox, Safari, etc). Hence, I will be providing you with certain third party articles[2] that you can use to install a CA certificate in your browser trust store. Please be informed that we at AWS do not endorse any third party articles and is provided for better understanding of the issue at hand.
The Root CA certificate has to be imported/installed to the OS/Browser trust store of all the machines in which you want to trust the certificate/ website. After successfully installing the certificate in the trust store of your client machine, you should be able to access your web service securely(via HTTPS protocol).
[1]. https://learn.microsoft.com/en-us/skype-sdk/sdn/articles/installing-the-trusted-root-certificate
Relevant content
- asked a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Hi Saurav,
Thanks for the reply. Yes you understood it correctly. Some problem with the certificate, i managed to fix it. Now i am able to access the web page via the ELB DNS and Route 53 CNAME record. But, when i try to access the webpage from localhost - curl https://localhost I am getting error. When run the command with curl -k https://localhost or curl --insecure https://localhost i am getting the reply. How do we fix this?
Hi Saurav,
As per the AWS documentation - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html#ssl_certificate
under the section "To obtain a CA-signed certificate" Step 4 - Submit the CSR to a CA. How to generate the certificate in Intranet environment(Internal environment) and keep that certificate in the EC2 instance?