How to add Amazon issued SSL Certificate to tomcat?

3.2k views

How can I secure my site from http://my_site to https://my_site

I am running Apache Tomcat, and I have the AWS certificate and an Elastic Load Balancer in front of my EC2 instance.

3 answers:

Answer (score 0):

Essentially you cannot add Amazon issued certificates to Tomcat: you cannot retrieve the private key of the certificate.

However, you can deploy the certificate on ELB (elastic load balancer). You have to ensure that ELB is listening on port 443.

You will find step by step instructions on AWS documentation (http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html#create-https-lb-clt).

Answer (score 1):

Apparently you can download your private certificate's keys now - https://docs.aws.amazon.com/acm/latest/userguide/export-private.html

Answer (score 2):

These answers are somewhat confusing in that they don't really address what is going on. With an ELB, that is the first HTTP server the client's browser is going to reach when they type in yourdomainname.com. So the client's browser is establishing an SSL/TLS connection with the ELB, not your Tomcat server. Therefore, the certificate and private key must live on the ELB, not on your Tomcat server. The ELB is going to open a new HTTP connection to your Tomcat server. That connection can be one of the following:

  1. An unencrypted HTTP connection
  2. An encrypted HTTPS connection

With #1 you don't need a certificate on Tomcat because it's just using HTTP. But for #2 you will. However, that certificate doesn't have to be a trusted and verified certificate. You can use a self-signed certificate because the ELB isn't doing trust verification on your hostname, root certs, etc. But the connection will be encrypted. Now you could put the same certificate on Tomcat as on the ELB, but spreading that cert around is a security risk, especially if you have 20 servers running that all need certs. It's best to have the ELB be the single location of it. (That is the reason why Amazon doesn't let you download the private key.)

Depending on your circumstances, #1 or #2 is acceptable, but in some situations where adhering to regulations is important, #2 will be the only option. If you have to have end-to-end encryption then you gotta do #2.

How you solve this situation is going to depend on how you go about deploying your application. If you manually deploy it, then you can generate an SSL certificate with keytool and put it on your servers. But if you do any sort of automation for deployment, especially using containers, you'll have to have a mechanism to generate SSL keys or copy them from a shared location upon deployment. This is complicated, and I get the impression not many people actually do #2 because of the complexity it causes to deployments.
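The script below is an added example; it is not code from the question or from any of the answers above. It puts option #2 from this answer together with the port-443 listener from the first answer: the backend key and self-signed certificate are generated on the instance with openssl (rather than keytool, so no Java is needed on the build host), packed into a PKCS12 keystore that Tomcat 8.5+ loads directly, and paired with the server.xml Connector for it; it then shows that the self-signed certificate fails normal trust-store verification yet works when pinned, which is exactly the property the answer relies on. The ELB command is printed, not executed, because it needs AWS credentials and a real ACM certificate ARN. The working directory, keystore password, backend hostname, port 8443, the ELB name and the ARN are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or answers above.
# End-to-end option (#2): the ELB terminates the public ACM certificate on 443
# and re-encrypts to Tomcat, which presents its own self-signed certificate.
# Assumptions: openssl is installed, Tomcat 8.5+ (SSLHostConfig syntax), backend
# port 8443, and every name/ARN placeholder below is a stand-in.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"   # assumed; inject from a secret store in real deployments
BACKEND_CN="${BACKEND_CN:-tomcat.internal}"  # assumed internal name; the ELB does not check it

# 1. Self-signed key and certificate for the ELB -> Tomcat hop. The private
#    key is generated on the instance and never leaves it (no shared ACM key).
make_backend_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -subj "/CN=$BACKEND_CN" \
        -keyout "$WORKDIR/backend.key" -out "$WORKDIR/backend.crt" 2>/dev/null
    chmod 600 "$WORKDIR/backend.key"
}

# 2. Pack key + cert into a PKCS12 keystore. Tomcat reads PKCS12 directly, so
#    keytool/Java is not needed where the keystore is built.
make_keystore() {
    openssl pkcs12 -export -name tomcat \
        -inkey "$WORKDIR/backend.key" -in "$WORKDIR/backend.crt" \
        -out "$WORKDIR/tomcat.p12" -passout "pass:$KEYSTORE_PASS"
    chmod 600 "$WORKDIR/tomcat.p12"
}

# 3. The Connector to drop into conf/server.xml for that keystore.
render_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="$WORKDIR/tomcat.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="$KEYSTORE_PASS"
                     certificateKeyAlias="tomcat" />
    </SSLHostConfig>
</Connector>
EOF
}

# 4. Why the backend cert need not be CA-issued: it fails against the system
#    trust store but verifies when pinned to itself. A classic ELB does not
#    verify it at all by default; the hop is encrypted either way.
verify_trust() {
    if openssl verify "$WORKDIR/backend.crt" >/dev/null 2>&1; then
        echo "unexpected: self-signed backend cert is in the system trust store" >&2
        return 1
    fi
    openssl verify -CAfile "$WORKDIR/backend.crt" "$WORKDIR/backend.crt" >/dev/null
}

# 5. The public side (first answer): classic ELB listener on 443 with the ACM
#    certificate, forwarding to the backend HTTPS connector. Printed rather
#    than executed because it needs AWS credentials and a real certificate ARN;
#    ELB_NAME and ACM_CERT_ARN are assumed placeholders.
elb_listener_cmd() {
    printf 'aws elb create-load-balancer-listeners --load-balancer-name %s \\\n' "${ELB_NAME:-my-elb}"
    printf '  --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=8443,SSLCertificateId=%s"\n' \
        "${ACM_CERT_ARN:-arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERT_ID}"
}

main() {
    make_backend_cert
    make_keystore
    verify_trust
    echo "# keystore: $WORKDIR/tomcat.p12"
    render_connector
    echo "# run once the ELB exists:"
    elb_listener_cmd
}
main
```

Running this at instance boot (user data, or an entrypoint in a container) sidesteps the "copy keys from a shared location" problem the answer raises: each instance mints its own backend key, nothing sensitive is copied around, and the only certificate that has to be managed centrally is the ACM one on the ELB. The keystore password still ends up in server.xml, which is how Tomcat reads it, so protect that file with filesystem permissions and source the password from a secret store rather than the default used here.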