How can I secure my site from http://my_site to https://my_site

I am running Apache Tomcat, and I have an AWS certificate and an Elastic Load Balancer that has my EC2 instance behind it.

Kiran Suvarna

3 Answers

4

Essentially, you cannot add Amazon-issued certificates to Tomcat: you cannot retrieve the private key of the certificate.

However, you can deploy the certificate on ELB (elastic load balancer). You have to ensure that ELB is listening on port 443.

You will find step-by-step instructions in the AWS documentation (http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt).

Giulio Paci

1

These answers are somewhat confusing in that they don't really address what is going on. With an ELB, that is the first HTTP server the client's browser is going to come to when they type in yourdomainname.com. So the client's browser is establishing an SSL/TLS connection with the ELB, not your Tomcat server. Therefore, the certificate and private key must belong on the ELB, not your Tomcat server. The ELB is going to open up a new HTTP connection to your Tomcat server. That connection can be one of the following:

  1. An unencrypted HTTP connection
  2. An encrypted HTTPS connection

With #1 you don't need a certificate on Tomcat because it's just using HTTP. But for #2 you will. However, that certificate doesn't have to be a trusted and verified certificate. You can use a self-signed certificate because the ELB isn't doing trust verification on your hostname, root certs, etc. But the connection will be encrypted. Now you could put the same certificate on Tomcat as on the ELB, but spreading that cert around is a security risk, especially if you have 20 servers running that all need certs. It's best to have the ELB be the single location of it. (That is the reason why Amazon doesn't let you download the private key.)

Depending on your circumstances, #1 or #2 is acceptable, but in some situations where adhering to regulations is important, #2 will be the only option. If you have to have end-to-end encryption, then you gotta do #2.

How you solve this situation is going to depend on how you go about deploying your application. If you manually deploy it, then you can generate an SSL certificate with keytool and put it on your servers. But if you do any sort of automation for deployment, especially using containers, you'll have to have a mechanism to generate SSL keys or copy them from a shared location upon deployment. This is complicated, and I get the impression not many people actually do #2 because of the complexity it adds to deployments.

chubbsondubs
  • Thanks @chubbsondubs. I was confused about the need for these two layers of certificates. An ACM cert is only valid for one region. So are you saying I could (or NEED to) have a separate self-signed cert for every instance of Tomcat on all instances of Tomcat in multiple regions? – SriniMurthy Jul 25 '23 at 01:04
    If you want end-to-end encryption then YES. Every server needs a certificate to protect the connection from ELB to Tomcat server. It doesn't have to be a separate cert per server. You can share the cert. It's best if you can pull down a cert from a shared secret service. Docker offers secrets which would work or AWS Secrets Manager. But you'll need some special code to download the secret for AWS so it's there before Tomcat starts up. Spring Cloud I think has a solution for this. – chubbsondubs Jul 25 '23 at 18:01
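
The setup the first two answers describe (an ACM certificate on a classic ELB listening on 443, and either a plain HTTP or a self-signed HTTPS leg from the ELB to Tomcat), as an added example that is not code from the question, the answers, or AWS. Everything in it is an assumption or placeholder: the load balancer name `my-elb`, the ACM certificate ARN in `ACM_CERT_ARN`, Tomcat on 8080 (HTTP) or 8443 (HTTPS), the keystore path, Tomcat 8.5+ connector syntax, and the AWS CLI `aws elb create-load-balancer-listeners` command for classic ELBs.

```shell
#!/bin/sh
# Added example, not from the question or answers. All names are placeholders.
set -eu

ELB_NAME="${ELB_NAME:-my-elb}"
# ACM private keys stay inside AWS; the ELB references the cert by ARN only.
ACM_CERT_ARN="${ACM_CERT_ARN:-arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER}"
KEYSTORE="${KEYSTORE:-/opt/tomcat/conf/backend.p12}"

# Listener spec for the classic ELB. "http" is option #1 from the answer
# (TLS ends at the ELB), "https" is option #2 (ELB re-encrypts to Tomcat).
elb_listener_spec() {
  case "$1" in
    http)  echo "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=8080,SSLCertificateId=$ACM_CERT_ARN" ;;
    https) echo "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=8443,SSLCertificateId=$ACM_CERT_ARN" ;;
    *)     echo "unknown backend type: $1 (use http or https)" >&2; return 1 ;;
  esac
}

# Attach the 443 listener to the ELB (needs AWS credentials; not run here).
create_https_listener() {
  aws elb create-load-balancer-listeners \
    --load-balancer-name "$ELB_NAME" \
    --listeners "$(elb_listener_spec "$1")"
}

# Option #2: self-signed PKCS12 keystore for the ELB -> Tomcat leg.
# The ELB does not verify this cert, so no CA is involved; it only encrypts.
make_backend_keystore() {
  out="$1"; pass="$2"
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore "$out" -storepass "$pass" \
    -dname "CN=tomcat-backend"
}

# server.xml HTTPS connector (Tomcat 8.5+ SSLHostConfig syntax) for option #2.
tomcat_https_connector() {
  keystore="$1"; pass="$2"
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="$keystore"
                 certificateKeystorePassword="$pass"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
EOF
}

# With option #1 Tomcat only ever sees HTTP; this valve lets it trust the
# ELB's X-Forwarded-Proto header so requests that arrived over HTTPS are
# treated as secure (secure cookies, redirects, request.isSecure()).
tomcat_remoteip_valve() {
  cat <<'EOF'
<Valve className="org.apache.catalina.valves.RemoteIpValve"
       remoteIpHeader="X-Forwarded-For"
       protocolHeader="X-Forwarded-Proto"
       protocolHeaderHttpsValue="https" />
EOF
}

# Usage (option #1):  create_https_listener http; add tomcat_remoteip_valve to server.xml
# Usage (option #2):  make_backend_keystore "$KEYSTORE" changeit
#                     tomcat_https_connector "$KEYSTORE" changeit >> server.xml (inside <Service>)
#                     create_https_listener https
```

Only the functions are defined when the script is sourced; the `aws` and `keytool` calls run only when you invoke `create_https_listener` or `make_backend_keystore`. Note that the keystore password in the connector fragment is stored in clear text in server.xml, which is exactly the "spreading the cert around" cost the answer warns about; on a fleet, fetching the keystore from a secrets service at startup (as the comment above suggests) keeps it off disk images.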

0

Apparently you can download your private certificate's keys now - https://docs.aws.amazon.com/acm/latest/userguide/export-private.html

Vivek