2

Should we assign a domain name to our EC2 instance before loading an SSL certification, or can we apply an SSL directly to the Elastic IP address we have? Thank you

am fs

2 Answers

1

In general you need a DNS hostname to get an SSL certificate. Your AWS Elastic IP address should not change so this is not a factor. If you absolutely do not want to assign a hostname you could consider a self-signed certificate but this will bring its own set of challenges later. Changing hostnames is not a problem later either unless you specify pinned certs - you can just get a new certificate with the new hostname. Also consider putting in a help ticket with AWS when you have the hostname set up - they will change the reverse DNS for you upon request.

Peleion
0

You assign whichever attribute you will be using to address the service from the relying party (client). For example, if you will be addressing the service by IP address, assign an IP address; whereas if you are using a hostname to address the service, use a DNS name. If you don't, the client will (should?) complain.

Bear in mind that if you opt for the IP address and that subsequently changes, you'll need to modify or replace the certificate.

garethTheRed
  • The IP address we are using is static. I'm new to AWS, and all that I found talking about SSL certifications through ACM requires a valid domain name. Can I use the IP address instead without having any valid domain name through third parties or AWS domain management? If so, can you please recommend links! Thank you – am fs Jun 10 '20 at 10:49
  • @amfs Technically yes, but if you want a public CA to sign the certificate the answer is almost certainly no for policy reasons (they aren't that happy with IP-based certificates in the first place, and you do not even own that IP address). If it's about your own CA that you trust for your own purposes, you can certainly do it. – Håkan Lindqvist Jun 10 '20 at 10:53
  • @amfs - you need to clarify your requirements. As Håkan says, you can't use IP with a public CA, but for internal you could. If your relying party is a single device/service then you wouldn't need to use a 3rd party for assigning a domain name as you could use the `hosts` file on that client. The more you explain in your question, the better chance you have of getting a good answer :-) – garethTheRed Jun 10 '20 at 11:29
  • @garethTheRed This instance is running Jenkins on it. It's only one of many services, so yes, I do need to enable SSL internally. But ACM requires a valid hostname to generate certificates! Why do you recommend? And thank you again – am fs Jun 10 '20 at 13:34
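
The name-matching rule from the second answer, shown with OpenSSL as an added example that is not part of the original thread: a self-signed certificate carries either an IP or a DNS subjectAltName, and the check succeeds only for the identifier the client actually uses. The address `10.0.0.5`, the hostname `jenkins.internal.example`, and the helper names `make_cert`, `matches` and `demo` are constructed for illustration; OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/usr/bin/env bash
# Added example: certificate identity must match how the client addresses
# the service. 10.0.0.5 and jenkins.internal.example are constructed values.
set -eu

# make_cert <san> <outdir>
# Create a throwaway key and a self-signed certificate whose
# subjectAltName is <san>, e.g. "IP:10.0.0.5" or "DNS:host.example".
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=jenkins-internal" \
        -addext "subjectAltName=$1" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# matches <cert> ip|host <name>
# Succeed only if the certificate covers <name> as that identifier type.
# openssl x509 reports the result as text, so the output is inspected.
matches() {
    case "$2" in
        ip)   openssl x509 -in "$1" -noout -checkip "$3" ;;
        host) openssl x509 -in "$1" -noout -checkhost "$3" ;;
    esac | grep -q "does match certificate"
}

# report <cert> ip|host <name>: print the verdict a client would reach
report() {
    if matches "$1" "$2" "$3"; then
        echo "  $2 $3: name accepted"
    else
        echo "  $2 $3: name mismatch, client rejects"
    fi
}

demo() {
    dir=$(mktemp -d)
    for san in "IP:10.0.0.5" "DNS:jenkins.internal.example"; do
        make_cert "$san" "$dir"
        echo "certificate with subjectAltName=$san"
        report "$dir/cert.pem" ip 10.0.0.5
        report "$dir/cert.pem" host jenkins.internal.example
    done
    rm -rf "$dir"
}

demo
```

A client must additionally trust the issuer: for a self-signed or private-CA certificate that means installing the certificate or CA in the client's trust store.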