+86 135 410 16684 如果你在使用中有任何aws上云服务器维护问题,可以随时联系我们!AWSOK你最好的合作伙伴!Mon. - Fri. 10:00-22:00

AWS & OpenSSL : Creating / Installing a Server SSL Certificate

AWS & OpenSSL : Creating / Installing a Server SSL Certificate

Note

Nginx is installed on our aws instance. Here is our default page:

The first picture below is a simple page for an http request, but the 2nd one is for a https request:

 

To make https to work, we’ll install OpenSSL and get certificate.

 

Creating a Server Certificate

In this section, we’ll learn how to manually create a X.509 public key certificate for use with AWS, which we refer to as a server certificates.

In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm. – wiki

 

Install SSL certificate

We downloaded our certificate from Godaddy, and instruction for the installation can be found here:

INSTALL SSL CERTIFICATES.

Actually, rather than installing the certs, we want to copy our key and certificate files from one of our Apache2 ssl configuration directory. Now we just need to copy them over to our Nginx configuration to take advantage of these by adjusting our server block files. Nginx versions 0.7.14 and above (Ubuntu 14.04 ships with version 1.4.6) can enable SSL within the same server block as regular HTTP traffic.

For our Nginx (1.1.19), here is the INSTALLING AN SSL CERTIFICATE – NGINX.

server {

        listen 443 ;

        ssl on;
        server_name subdomain.mysite.com;
        ssl_certificate /etc/nginx/ssl/mysite.chained.crt;
        ssl_certificate_key /etc/nginx/ssl/mysite.key;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
}

To configure an HTTPS server, we enabled the ssl parameter on listening sockets in the server block, and we specified the locations of the server certificate and private key files.

The server certificate is a public entity. It is sent to every client that connects to the server. The private key is a secure entity and should be stored in a file with restricted access, however, it must be readable by nginx’s master process. The private key may alternately be stored in the same file as the certificate in which case the file access rights should also be restricted. Although the certificate and the key are stored in one file, only the certificate is sent to a client. (Configuring HTTPS servers)

$ pwd
/etc/nginx/ssl

$ ls -la
-rw------- 1 ubuntu ubuntu 3197 Aug  9 23:51 godaddy_bundle.crt
-rw------- 1 ubuntu ubuntu 5084 Aug 10 18:53 mysite.chained.crt
-rw------- 1 ubuntu ubuntu 1887 Aug  9 23:51 mysite.crt
-rw------- 1 root   root   1675 Aug 10 17:22 mysite.key

Note that we created the mysite.chained.crt by concatenating the crt and key:

$ cat mysite.crt godaddy_bundle.crt > mysite.chained.crt

 

Openssl command-line utility

Browsers usually store intermediate certificates which they receive and which are signed by trusted authorities, so actively used browsers may already have the required intermediate certificates and may not complain about a certificate sent without a chained bundle. To ensure the server sends the complete certificate chain, the openssl command-line utility may be used (Configuring HTTPS servers), for example:

$ openssl s_client -connect www.godaddy.com:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=5510922/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy INC./CN=www.godaddy.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
KGIIHLzCCB
...
TRHZ+VMdie
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=5510922/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy INC./CN=www.godaddy.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5947 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 989140829681B4E5C5D761CFB6FEC907547022D2EE84DC4AB46D6DD38D028765
    Session-ID-ctx:
    Master-Key: 9AB51A37DF52F04C8C214CA8570714BD3663F8AD6060555ABF007443B7306CEB48F4AB00DE77782D2D593816D9583E2A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - d3 4f a1 2e ac c5 7a 86-03 9e 74 3c 8e 31 66 fe   .O....z...t<.1f.
    ...
    0090 - e5 cb 56 3a 23 2f 56 26-a0 f3 e7 eb f0 84 61 4d   ..V:#/V&......aM

    Start Time: 1439306681
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

If a certificate bundle has not been added, only the server certificate #0 will be shown.

For more detail, check Understanding the output of openssl s_client.

 

Show SSL certificates with cURL

 

$ curl -v https://subdomain.mysite.com
* Adding handle: conn: 0x7f844a803a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f844a803a00) send_pipe: 1, recv_pipe: 0
* About to connect() to subdomain.mysite.com port 443 (#0)
*   Trying 54.193.31.139...
* Connected to subdomain.mysite.com (54.193.31.139) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.mysite.com
* Server certificate: Go Daddy Secure Certification Authority
* Server certificate: Go Daddy Class 2 Certification Authority
> GET / HTTP/1.1
> User-Agent: curl/7.30.0
> Host: subdomain.mysite.com
> Accept: */*