Skip to main content

how to install ssl certificate on tomcat at aws ec2 instance

Stpes to Install SSL Certificate at tomcat in aws ec2 instance

1) Generate CSR
2) Purchase Your SSL Certificate
3) Activate your SSL Certificate.
    1) Download Certificate File
    2) Convert into required formate
4)    Create Elastic Load Balancer.

1) Generate CSR

Before we go ahead we should have aws account and we have a ready tomcat in ec2 instance should should is running inside it.

Connect your EC2 instnace through putty or terminal in mac.

by entering following command in terminal (MacOs)

Last login: Wed Apr  3 08:14:13 on console
Mukeshs-MacBook-Air:~ mukeshchoudhary$ sudo ssh -i Desktop/AWS-2019/touristvisaonine2019.pem
Last login: Sat Mar 30 12:44:15 2019 from

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
13 package(s) needed for security, out of 20 available
Run "sudo yum update" to apply all updates.
-bash: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
[ec2-user@ip-172-31-31-148 ~]$ 

After Successfull Connection we have to generate CSR. by running this command.

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

After running this command it will generate CSR and server.key in your default location.

But we have to enter the following information as follow.
[ec2-user@ip-172-31-31-148 ~]$ openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
writing new private key to 'server.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Uttar Pradesh
Locality Name (eg, city) [Default City]:Noida
Organization Name (eg, company) [Default Company Ltd]:Tourist Visa Online E - Visa Services
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[ec2-user@ip-172-31-31-148 ~]$ 

Note Points : Do not enter email address and challenge password and optional company name. just simply press enter or skip by entering these fields.

This command will generate 2 files one is server.csr and another one is server.key file

Note Point : While installing certificate in AWS Certificate Manager (Elastic Load Balancer) AWS Certificate Manager Demand all the files should be in PEM encoded so we need our server.key file in pem format so we can convert it by entering this command.

openssl rsa -in server.key -outform PEM > server.private.pem

As Follow
[ec2-user@ip-172-31-31-148 ~]$ ls
GeoLite2-Country.mmdb  server.csr  server.key  touristvisaonline.war
[ec2-user@ip-172-31-31-148 ~]$ openssl rsa -in server.key -outform PEM > server.private.pem
writing RSA key
[ec2-user@ip-172-31-31-148 ~]$ ls
GeoLite2-Country.mmdb  server.csr  server.key  server.private.pem  touristvisaonline.war

[ec2-user@ip-172-31-31-148 ~]$ 

Now we have to submit this CSR to our CA authority from where we bought SSL Certificate he will provide the certificate.

After Download Go to AWS Certificate Manager.

and Choose Provision Certificate.

Then Click on Import a Certificate

After Click on Import Certificate you will get window like this in which we have to enter details very carefully.

First Section We have to Enter Our Certification Body Means Original Certificate in PEM Encoded.

At Place of "Certification private key" we have to enter PEM encoded server.key that is generated in first step along with CSR.

in last "Certificate Chain" we have to convert all the intermidate certificate in chain and then convert into pem encoded and we have to enter it here.

Like suppose in our certification we have following files

1) COMODORSADomainValidationSecureServerCA.crt
2) COMODORSAAddTrustCA.crt
3) AddTrustExternalCARoot.crt
4) ..... one more here

So first 1,2,3 are intermidate certicate we can combine all these in one file that is  server.chain

by this command

sudo cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt  > server.chain

Note: these are steps for comodo ssl certificate .

But If you download certificate from Godaddy then your certificate will contains only 3 files
1) bc3c2b1562fc680f.crt . -- origianal ceriticate file
2) gd_bundle-g2-g1.crt . -- this is certificate chain
3) gdig2.crt.pem  -- certificate private key but this should be pem encode so while i past at aws i got an error so i copied server.private.pem that is generated in 1st step.

After Installing Certificate in ACM we are ready to use this ceriticiate in our AWS Load Blanacer as follow.

Use Your Certificate with an Amazon Elastic Load Balancer

The easiest way to provide HTTPS access to web resources running in your AWS instance is to set up an Elastic Load Balancer and configure it with your new SSL certificate. This lets Amazon handle the certificate configuration for you so you don’t have to worry about making sure your specific web server is configured properly to support HTTPS.
Follow the AWS Console Elastic Load Balancer Setup Wizard to begin creating a new Elastic Load Balancer. On the first screen, make sure you add Protocols for HTTPS. You can have HTTP as well if you want to provide non-encrypted access to your resources.
Select the Security Group for your Elastic Load Balancer. If you are creating your ELB inside a VPC, you should probably select the default security group which will allow inbound traffic from all other instances in the security group and outbound traffic to anywhere.
The third screen is the tricky one. This is where we set up our SSL Certificate for the first time. The good news is that once you complete this process, you can just keep using the same certificate for other subdomains you might create in the future. You need the wildcard certificate in order to do this, of course.

Easy way to install ssl certificate in aws is through Amazon Elasti Load Balancer 
there are 3 types of load balancer 
1) Application Load Balancer 
2) Network Load Balancer
3) Class Load Balancer 

For ssl we have to choose classic load balancer

Select Classic Load Balancer first then click on create.

Now we have to define Load Balancer Name. then we have to use define Load Balancer Protocal and port and Instance protocol and port. (Keep in mind here we can use different port for Load balancer and instance port but we internally redirected port in tomcat and here we are keeping like this. meansy any request come from end user to loadbalncer may be at port http or https 80 or 443 but internally it will go on port 80 to tomcat. which we internally redirect by ip rounting table to port 8080.) once we done then click on Next Assign Security Group.

Now choose security group very carefully we have selected already created security group.

Step 3 : in this setup we have to configure security settings like SSL. 

If we have already installed certification in ACM then we  can use from below three option as Certification from ACM.

Step 4 : Select Configuration Health Checkup.

Here we can define checkup page name. We can also customize option like Response timeout. 
Unhealthy threshold means after that particular attempts between internals it will give a notification like 30 sec internal will attempt 2 times if server didn't response then will considered as unhealthy instance. 

Step 5. We have to add our EC2 Instance that we want to attach with our Load Balancer. 

Here we will selected available instance from this table and will attach to it.

Step 6. We have to attach the tags.

Finally we have to review and create our classic load balancer. 

Now finally we are done with Classic Load Balancer.

Once our classicload balancer is created now to pass traffic from classic load balancer we will use instead of A record in route 53 we will use classicload balancer DNS name with www version like as shown here we will choose Alias checkbox and then from Alias Target we will choose our classic load balancer DNS A Record.

TO redirect for http to https then we have to create a bucket first with the name of domain like and then we have to change from static ...

Step 1. First Create a Bucket with domain name like  - or 
with default configuration. once you will create a bucket now its look like this.

Now we have to Select bucket and then we have go to "Properties"  > Static Website Hosting.

Step 3 : Now we have to go to "Route 53" where we will create a record set called aliase you can see in below image right and side we have created this record set.


Steps to be followed to achieve this requirements.
1) Create S3 Bucket with any name. as we have created with

2) Create CloudFront Distributions. by Clicking on Create Distributions.

3) Step select type of distributions.(here we will select Web and then click on Get Started.)

4) Enter the following information as shown in pictures.

Now we have created our web distribution.

Step 5) To access this web distribution through Alternate Domain Names
(CNAMEs) we have to create a record set in route 53 as follows 

Step 6 ) We can also use AWS provided SSL certificate for s3(static assets )

A. First Choose ACM for Request for Certificate.

here we have to enter our domain like * or (* then click on next.

like as shown in below picture.

Now we have to validate our subdomain ssl certificate by creating CNAME record in our Route 53. You can create a record set in route 53 by just clicking on Create Record in Route 53. and then click on continue.
Once you create a record set then it would take some time (Around 15-30 minutes) and you will get status as verified.

Once this certificated is issued we can use this certificate in cloudfront.


Some time when we took server restart after deploying war file. classic load balancer will go . "OutofServices" to reslove this issue we have to change timing of Health Check in classic load balancer because what happen when we took the restart tomcat may take more time then usually healthcheck happen so if healthcheck failed continuously then it go out of service. so to resolve this issue we can change health check timing as shown.


A) If you want to solve CROS problem then we have to change in cloudfront by changing Whtelist Header

as shown in picture.


  1. Everything is well explained well in this article. But, I have got a question: Where can I download this certificate? I haven't found any links here.


Post a Comment

Popular posts from this blog

Digital Marketing

What actually is Digital Marketing? This post will help you understand the insights of Digital Marketing What is Digital Marketing? Digital Marketing is an integral part of the overall marketing strategies of any business. It basically covers the advertisement of products/services/business/brand via digital channels. The digital channels could be of any type like websites, search engines, social media, emails, SMS, and MMS. In case if you're using all these digital channels for the marketing, make sure to have all the statistics & workflow of your campaigns via marketing automation. What are the types of digital marketing? Well, there are 6 core digital marketing types: Search Engine Optimization (SEO) : Search Engine Optimization is nothing but a long-term process of improving your website rankings on search engine results pages (SERPs), which in turn has a wide range of tactics & strategies to implement. Although there is no specific method or a  spec

Changing the Time Zone on Amazon Linux Ec2 Instance

Amazon Linux instances are set to the UTC (Coordinated Universal Time) time zone by default, but you may wish to change the time on an instance to the local time or to another time zone in your network. Important These procedures are intended for use with Amazon Linux. For more information about other distributions, see their specific documentation. To change the time zone on an instance Identify the time zone to use on the instance. The  /usr/share/zoneinfo  directory contains a hierarchy of time zone data files. Browse the directory structure at that location to find a file for your time zone. [ec2-user ~]$ ls /usr/share/zoneinfo Africa Chile GB Indian Mideast posixrules US America CST6CDT GB-Eire Iran MST PRC UTC Antarctica Cuba GMT MST7MDT PST8PDT WET Arctic EET GMT0 Israel Navajo right W-SU ... Some of the entries at this location are directo

How do I change the time zone of my Amazon RDS database instance?

As we know bydefault time in the format of UTC in mysql.We can set local time zone to our AWS RDS Instance for our application. or any other time zone prefared Cloud Based Website Hosting Service Provider Steps 1: Go to Services and Select RDS Now to change time zone we have to change "Parameter Group" in left side that is associated with DB instance first we can check default Parameter Group for our instance is Parameter group default.mysql5.7  ( in-sync ) like this. So we have to change the time zone in this Parameter Group.  now open that parameter group (default.mysql5.7)  and click on edit parameter. then search for time_zone (because we want to change it.) then we have to change time_zone only by default it is engine-default (that is utc)  we have to select Asia/Calcutta.  More information we can ref.