2

I have a Node.js/Express application running on AWS. My public URL (www.example.com) is registered with a hosting provider (SiteGround).

My hosting provider's DNS entry for the application points to AWS (application.example.com points to my AWS public IP).

My hosting provider also runs our company website, on WordPress.

So, if you go to our public URL you get our website; going to the application URL you get our SaaS login page.

All of that runs fine over HTTP. I now have a task to migrate everything to HTTPS. I've checked how to add HTTPS to Node.js; all fine.

My question is related to certificates. Questions:

a) Should I get the SSL certificate from my hosting company or from AWS? Both offer certificates.

b) Do I need a certificate on AWS (to be added to Node.js) and at my domain (to allow HTTPS domain access), or just in Node.js?

Alessandro Oliveira
Mendes
  • Your question is not very related to programming, hence off-topic here. However, you can buy (or get for free) a certificate anywhere; it does not need to be specifically from your current web/DNS provider, and you need to install it where the TLS terminates, that is, where "something" replies to your `https://application.example.com/` URLs. – Patrick Mevzek Aug 15 '18 at 21:50

3 Answers

0

It does not matter where you get your certificate from, as long as your provider gives you an authorized certificate. However, if you use Amazon's Certificate Manager, it can be easier to integrate with their services.

If you are serving your application through an AWS load balancer, then you don't need to add it to the Node.js application; instead you get a certificate through the Certificate Manager and add it to the listener on the load balancer, and it gets served automatically this way.

Create a Classic Load Balancer with an HTTPS Listener

HTTPS Listeners for Your Application Load Balancer

If you are serving your application directly, then you will need to add it to the Node.js application (e.g. using the https module).

Ahmed Agiza
0

I'll try to answer each question below:

a) Should I get the SSL certificate from my hosting company or from AWS? Both offer certificates.

If the Amazon-issued certificate is strong enough for your needs, like basic HTTPS encryption, I would opt to use them for the sake of simplicity. You just need to fill in the form, validate, and Amazon is in charge of keeping it secure and renewing it automatically when it expires.

b) Do I need a certificate on AWS (to be added to Node.js) and at my domain (to allow HTTPS domain access), or just in Node.js?

AWS-issued certificates can only be used with AWS-managed services such as the Application Load Balancer and CloudFront (CDN). There are many docs explaining how to set up an ELB with an AWS certificate and an EC2 backend; check Create a Classic Load Balancer with an HTTPS Listener.

In order to use them inside your EC2 VM you would need to download and configure them in your web server. I think AWS will never allow that, to avoid security breaches.

Alessandro Oliveira
0

It doesn't matter how you get a certificate. You can request free certificates from Let's Encrypt using its API, or you can create certificates in the AWS Load Balancer (but don't forget to check whether the AWS certificate limitations are fine for your case).

The AWS Load Balancer will be in front of your EC2 instance, so it will sign certificates for you.

If you have the option to get certificate files (e.g. you create the certificates yourself using Let's Encrypt or another cert provider), you should keep the certificates on your EC2 instance (if you have multiple instances, you should keep the certificates on each instance). And you should use a Network Load Balancer at the TCP level, so the NLB will just proxy your traffic, which was already signed correctly.

You can also use existing third-party solutions from the AWS Marketplace or non-AWS solutions, e.g. AWS Kilo SSL. It is easy to set up, and it will create and renew certificates for your domains. So you will have just an extra EC2 instance which will sign all your traffic depending on the request domain. I'm fairly sure there are other similar solutions; for our 240 domains Kilo works fine.

safinilnur