I'm familiar with creating a CSR (via openssl) on a webserver and submitting it to a CA to purchase an SSL cert.
A site we're building (using Elastic Beanstalk) has a requirement that certificates are managed via an HSM. I think AWS CloudHSM is the correct tool to use here? I have:
Created the EB environment in a VPC with public and private subnets
Requested and assigned an SSL cert to the environment via AWS Cert Manager (at this point, I have a working site over https, just no HSM)
Created an HSM cluster in the same VPC, and downloaded its CSR.
At this point, the docs (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr) leave me a bit stuck.
It says, "Your CA signs the CSR, which creates a signed certificate. Then you provide the signed certificate and your CA's issuing certificate to initialize the cluster."
Fine. Except if I try to upload this CSR to a CA (i.e., Verisign, GlobalSign) I get "Certificates with internal names are no longer permitted". Which makes sense - I'm not requesting a cert for a site's external domain name, the cert is for the HSM: which, I'm guessing, I'll then use to create an openssl cert once its CSR has been signed.
Basically, I'm very confused about how an HSM fits into the otherwise simple SSL-requesting procedure of: generate CSR, submit to CA, install cert on webserver. Especially given my added complications of doing this all with Elastic Beanstalk and AWS ACM rather than just dumping a cert file on the server and updating the Nginx conf.
How does it all work?
Since posting this question a year ago, AWS have updated their documentation on how to set up SSL offload with a CloudHSM. By following that documentation, I was able to set up a separate EC2 instance - outside of ElasticBeanstalk - for SSL termination. It's still not possible, AFAIK, to use a CloudHSM directly from within ElasticBeanstalk.
I have a VueJS front-end application running on S3 being served as a static website.
I have a NodeJS (behind an nginx reverse proxy, plus a few other services) backend application running on an EC2 instance that the VueJS app talks to (over http currently).
I have a domain successfully pointed at the VueJS app (S3 bucket) with the configured SSL certificates using Route53 / CloudFront / ACM.
However, now the VueJS app will not communicate with the EC2 instance backend as it is still using HTTP which is now not allowed.
So what is the best way to configure this? I can't run certbot on the ec2 instance and generate an SSL certificate for my domain as there are certificates already being used for the S3 bucket.
Should I just create a self-signed certificate?
Can I create another certificate for a subdomain perhaps (api.example.com, say) and set up a DNS record for that to point to my EC2 instance IP address?
How is this usually done, what is best practice?
So a self-signed cert won't work; it won't pass validation as there is no known CA (Certificate Authority) behind it. I mean you can install it, but the browser is going to complain.
I'm not sure I understand why you can't use certbot. S3 / EC2 are two separate services, so I'm a bit confused here?
You can use Let's Encrypt to generate a cert for the server and have it installed as well, but if you have clusters you may be better served by installing it on the actual ALB. However, this does not ensure end-to-end if the cert is not installed on all backend systems (that would require installing the cert on all systems in the cluster). Your requirements will dictate this really.
If you are unable to generate a cert with Let's Encrypt you can get an SSL cert from ssls.com and just install the PEM or CRT on the server / load balancer too.
Usually you create some subdomain like you said for your API and create a certificate for that subdomain. On AWS in particular, you can use an Elastic Load Balancer and use ACM / Route53 with that for ease of certificate management, but that does carry the costs of the load balancer.
An alternative is to just put an API Gateway in front of your EC2 instance as a reverse proxy, which will carry some costs, but maybe not as much depending on traffic volume.
So my team just moved my website from another host to Amazon Lightsail (WordPress). On the previous host it was already secure (HTTPS). My team also already uploaded my own cert using Certificate Manager, but how do I connect it to Lightsail?
PS: we already asked support there, but they only gave me the documentation on how to use a load balancer, ignoring that we already said we have our own cert.
"... my own cert using Certificate Manager, but how to connect it to Lightsail?"
You can't use AWS ACM SSL certificates on instances. They can only be used on load balancers, CloudFront distributions and API Gateway. It does not matter whether it is an imported cert or not.
To use your own SSL cert, you have to set up your Lightsail instance yourself, without ACM. Usually this is done by using nginx as a reverse proxy in front of your application and manually configuring it to use your SSL certificate. ACM is not involved in this process. It's a fully manual setup on your behalf.
I created an SSL certificate last night for use with an API (Tomcat, Spring Boot) on AWS Elastic Beanstalk using instructions provided by Amazon Certificate Manager.
When creating the cert, I entered the URL of my static site that calls the API, which is hosted by GoDaddy. ACM sent an email to my URL which I opened and approved, and I now see the cert as issued, by Amazon, in my certs. I am also able to select it when I configure HTTPS for my EB load balancer. I am not able to export this cert though, as it isn't private.
My question is, how is the domain name used? I think I'm a little confused about how to use SSL on both my API and my static site AS WELL as the small bit of static content I'll host out of Tomcat.
Thanks.
ACM certs can only be used with AWS services - CloudFront (if the cert is issued in us-east-1) and regionally on the Classic Load Balancer and Application Load Balancer.
You cannot export the cert for use in other products, so if you wanted to have Tomcat handle SSL you would need to get either a commercial cert or use something like Let's Encrypt.
If you have multiple host names you want to protect, you have different options.
You can get one cert per hostname if they are running on completely separate infrastructure; you can also have multiple host names in a single cert - even if there are multiple domains; and finally you can get a wildcard cert.
I am running a Qualys scan on a Windows EC2 instance and it reports some vulnerabilities. One of them is "SSL Certificate - Subject Common Name Does Not Match Server FQDN".
Solution for this, as recommended by Qualys, is to "Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN."
Now the problem is the self-signed certificates which are not verified by a third party.
How do I get a valid certificate for this scenario such that Qualys does not report the error?
I looked into ACM, but I guess it does not provide certificates for EC2.
Can anyone provide an insight on how to go about this?
Where do I get a valid certificate, and how do I add it to the instance?
I am using a CloudFormation template to create the instance using a custom AMI created using Packer. I mention this because it would be helpful to know if the steps to add the certificate need to be added to the AMI creation stage.
Unfortunately you cannot use a certificate issued by AWS Certificate Manager directly on EC2.
You can use it on Load Balancers, CloudFront and API Gateway. Refer to this.
But a workaround is that if you have a single EC2 instance, put it behind a Classic LB and terminate SSL at the LB, so that when you access your content on EC2 it is via HTTPS.
Thanks
The easiest way to pass a scan like this is to restrict access to your instance so you're only exposing public services (like HTTP or HTTPS), and then "harden" the configuration of each required public service. All non-public services/ports should be limited to just your IP address(es). That will probably fix a number of the issues reported by the scan.
RDP and numerous other services (MSSQL, MSDeploy, POSH Remoting to name a few) are for administrators only and should not be visible to a Qualys scan (or hackers and bots that roam the internet...).
As Kush suggests above, adding a load balancer would allow you to use ACM certificates for web traffic, but it also adds an additional layer of security between the internet and your instance. This means you can further limit access to your instance to just your VPC - as public web traffic would go via the load balancer in your VPC, not directly to your instance anymore.
If you're hosting a website over HTTPS without a load balancer you will also need to edit the SChannel settings (the component responsible for SSL/TLS in Windows) to pass the scan, as well as installing a valid certificate for the website.
You can edit SChannel by hand in the registry here:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\
(Reboot required - take a snapshot before you start ;)
WARNING - misconfiguring SChannel can break RDP or limit which web browsers can access your site etc. Test carefully!
FYI I find it easier to use a tool called IIS Crypto to configure SChannel (https://www.nartac.com/Products/IISCrypto) - it has a GUI and a CLI interface for scripting changes to SChannel. (You can still break your server with this tool though!)
If you want to look at using ACM and a load balancer with CloudFormation, I would suggest registering & approving the certificate via the AWS console and making a note of the ARN of the certificate. This ARN can be used when creating a load balancer in a CloudFormation template.
NOTE: The above will resolve the issue on your scan, but not actually fix it. It is possible to use your own certificate for RDP (never tried), but not an ACM cert sadly. You could also look at a service like Let's Encrypt to get a free/basic certificate. Another option to avoid this error is to export the self-signed cert from the instance and import it into your computer's (or domain's?) certificate store.
We built web APIs using Spring Boot. It is currently deployed on AWS Elastic Beanstalk. HTTPS is enabled with a self-signed certificate for development and testing. We plan to go live soon, so probably need to get a public certificate from a Certificate Authority.
Amazon has a certificate manager which is the easiest way to get a certificate for an application deployed on Elastic Beanstalk. However, it requires some DNS set up on the server side, which means you have to own the domain. I also looked at a popular free CA, Let's Encrypt. But it also requires domain validation. We don't own a domain yet. The APIs are still using the long URL from the Beanstalk environment, something like my-app.us-east-2.elasticbeanstalk.com. I wonder if there is any website to download a domain-independent certificate which can be used for Beanstalk web applications without a domain?
If somebody could get a certificate for a domain he does not own, he would be able to impersonate that domain, for example within a man-in-the-middle attack. This would essentially break the security of HTTPS, since encryption will not help to protect your data if you don't do the encryption with the real server but instead with a server owned by the attacker.
That's why there is no such thing as a domain-independent certificate. And that's why you should not be able to get a certificate for a domain you don't control.