
I don't have a lot of experience configuring SSL for a site so there's a good chance I'm missing something, but how does one configure SSL for an EC2 without going through a load balancer?

This is for a server that is used to communicate with a 3rd-party API that requires we white-list our IP address; we can't use DNS.

I followed this guide https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04 but so far my browser is showing a certificate different than the one I'm using. Maybe it's cached somehow?

Here is the one I'm trying to use -

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Ryan Grush
    Follow any Let's Encrypt tutorial, then check out the config on https://www.ssllabs.com/ssltest/ to confirm. – ceejayoz Nov 06 '17 at 16:27
  • If you want help configuring a web server you should include the server or site configuration. – Tim Nov 07 '17 at 22:07

1 Answer


Your description wasn't really clear as to who the parties involved are. It sounds like that cert was given to you by a third party? Are you connecting to their service or are you hosting a service they're connecting to? Based on "used to communicate with a 3rd-party API" I'm assuming they're hosting the service, and you're connecting to them.

Ok, we have some issues here. First, that's not an SSL server certificate (no private key!), so it's not something you'd install on a load balancer or into (eg) nginx. Instead, it's a CA cert, which can be used to sign other certs. "Private" CAs are commonly used to generate 'internal' certificates that don't need to be trusted by third parties. I ran the following command to view the cert (after saving it as 'weird.cert'):

```
openssl x509 -in weird.cert -noout -text
```

Inside, I see this is a self-signed CA certificate, evidenced by these particular fields:

```
Issuer: CN=*.stg.autobrain.com
Subject: CN=*.stg.autobrain.com
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:TRUE
```

I could be wrong here, but it looks like someone tried to issue their own self-signed wildcard cert for *.stg.autobrain.com, but stumbled and issued a full CA cert instead. Perhaps this cert is then used to sign a 'real' wildcard cert, probably with that same name?

In any case, if they're making services available to the general public, they should use a real CA to do it, as trusting a third party CA opens up some very real security risks on your part, since anyone with access to that CA's private key could issue a cert for basically anything, and any system that trusts that CA would trust any cert generated by it.

My recommendation is to push back on this third party and have them simply acquire an SSL cert signed by a public CA. Once that's done, SSL will simply work, without any extra fuss.

Daryl Banttari
  • Thank you, that helps me a lot. I ended up keeping the certificate on the ELB, limiting the ASG to 1 instance, and attaching an EIP to that 1 instance since this server doesn't get a ton of use. Also just to clarify that certificate I posted for `stg.autobrain.com` is for our server, not the 3rd party API. I thought I went through LetsEncrypt but after reading your answer it looks like I self signed it. – Ryan Grush Nov 08 '17 at 15:18
    Glad to help :) FWIW the second most common problem with SSL configuration is getting the 'certificate chain' in place, and in the correct order. My favorite `openssl` command for seeing/verifying that is: ```echo | openssl s_client -connect autobrain.com:443 -showcerts``` – Daryl Banttari Nov 08 '17 at 17:22
  • Awesome, thank you! I still need to brush up on my SSL knowledge a bit. – Ryan Grush Nov 08 '17 at 21:21
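The mix-up the answer describes (a self-signed cert that turned out to carry `CA:TRUE`) is easy to reproduce and easy to check for. The script below is an added example, not code from the question, the answer or the DigitalOcean guide. It writes a small OpenSSL config with two extension profiles, generates one self-signed cert per profile for a made-up hostname (`www.stg.example.com`, chosen for illustration), and then inspects each the same way the answer does with `openssl x509 -noout -text`, reporting whether it is a CA cert or a leaf (server) cert and whether it is self-signed. The `ca_profile` section mirrors what the stock `openssl.cnf` `v3_ca` extensions give you when you run `openssl req -x509` without thinking about extensions; the `leaf_profile` section is what a server certificate should look like. It needs only `openssl` and a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the original post). Generates two self-signed
# certificates for a hypothetical host, one with CA:TRUE (the mistake from
# the question) and one proper server leaf, then classifies each one.
set -e

DEMO_HOST="www.stg.example.com"   # hypothetical name, for illustration only

# Minimal OpenSSL config: an empty DN section (we pass -subj instead) plus
# two extension profiles selected with -extensions.
write_config() {
  cat > "$1" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_profile]
basicConstraints = critical,CA:TRUE
[leaf_profile]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DEMO_HOST
EOF
}

# make_self_signed CONFIG PROFILE OUT_CERT OUT_KEY
make_self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$DEMO_HOST" -config "$1" -extensions "$2" \
    -keyout "$4" -out "$3" >/dev/null 2>&1
}

# cert_basic_constraints CERT -> prints CA:TRUE, CA:FALSE or absent
cert_basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -oE 'CA:(TRUE|FALSE)' || echo absent
}

# cert_is_self_signed CERT -> exit status 0 when subject equals issuer
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# classify_cert CERT -> "self-signed CA", "self-signed leaf",
#                       "issued CA" or "issued leaf"
classify_cert() {
  if cert_is_self_signed "$1"; then origin="self-signed"; else origin="issued"; fi
  case "$(cert_basic_constraints "$1")" in
    CA:TRUE) echo "$origin CA" ;;
    *)       echo "$origin leaf" ;;
  esac
}

WORK=$(mktemp -d)
write_config "$WORK/ext.cnf"
CA_LIKE="$WORK/like_the_question.pem"   # what a careless `openssl req -x509` yields
LEAF="$WORK/proper_leaf.pem"            # what a server cert should look like
make_self_signed "$WORK/ext.cnf" ca_profile   "$CA_LIKE" "$WORK/key1.pem"
make_self_signed "$WORK/ext.cnf" leaf_profile "$LEAF"    "$WORK/key2.pem"

echo "$CA_LIKE: $(classify_cert "$CA_LIKE")"   # self-signed CA
echo "$LEAF: $(classify_cert "$LEAF")"         # self-signed leaf
```

Run `classify_cert` against the PEM you are about to put in nginx's `ssl_certificate` (or on the ELB): a server certificate should come back as `leaf`, and once it is issued by a public CA rather than self-signed, the file you install should be the leaf followed by the intermediate(s), which is the chain-order problem the answerer's `openssl s_client -showcerts` one-liner checks from the client side.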