Hosting .NET RESTful Engine on AWS EC2 (HTTPS)

In order to run any website/service with HTTPS the website/service must have an SSL/TLS certificate installed on the hosting machine. An SSL/TLS certificate is used to guarantee the client is communicating with the correct server and that the data is communicated in a secure format (encrypted by client and can only be decrypted by the receiving server).

Introduction

There are two main types of SSL/TLS certificates:

1. Trusted
   • Created by a Root Certificate Authority such as DigiCert, Entrust, GoDaddy etc.
   • Costs money (usually between $100 and $700)
   • Automatically trusted by operating systems and browsers
   • Usually used in production or internet scenarios
2. Self-Signed
   • Created by you using a tool like IIS or openSSL
   • Free
   • Must be imported into all client's wanting to access your website/service as a trusted certificate
   • Usually used in development or intranet scenarios

NOTE: TLS 1.3 is the current and most secure protocol

1. Follow all instructions for Windard .NET RESTful Engine hosting on AWS with EC2 (HTTP)
2. Determine the type of Certificate needed. If you do not have access to every possible client machine calling the RESTful web service and/or do not have the ability to install to the trusted certificate store of each client machine, you need to get a trusted certificate.
3. Create the SSL/TLS certificate
4. Install the SSL/TLS certificate for the web server

Trusted SSl/TLS Certificates

Pre-requisite: You must have a registered domain name in order to purchase a trusted SSL/TLS certificate.

With AWS Certificate Manager (ACM)

The major benefit of a certificate from AWS is that it is free! As long as the certificate is hosted on an AWS resource, such as Elastic Load Balancers and CloudFront distributions

Note: You CANNOT install an ACM certificate on an EC2 instance.

Helpful links:

• ACM Reference
• How to install SSL Certifivate on AWS server

With an SSL Certificate Provider

Visit the Certificate Provider of your choice and follow their instructions. Some examples of Certificate Providers are:

• Verisign
• GeoTrust
• Comodo
• DigiCert
• Thawte
• GoDaddy
• Network Solutions

Self Signed Certificates

You should only be using a Self Signed Certificate in non-production scenarios and when the client machines calling your web server can be updated with your Self Signed Certificate as a Trusted Root Certificate.

https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html

Creating Self Signed Certificate with IIS

1. Start Internet Information Services (IIS) Manager
2. Click on the Server Name in the Connections Treeview on the left
3. Double-Click on Server Certificates icon in the Listview pane
4. Click on Create Self-Signed Certificate in the Actions pane
5. When prompted, specify a name for the certificate
6. You should now see a Certificate in the Server Certificate list with the name you specified.

Now that the Certificate has been created you will need to export it in order to deliver to client machines for importing of the certificate.

1. Select the Certificate in the Server Certificates list that you want to export
2. Select Export... from the Actions pane and a dialog will appear
3. Specify the file location to Export to
4. Specify a password and confirm the password

Associating the SSL/TLS Certificate with the .NET RESTful Web Service

Elastic Load Balancer Association (Recommended)

If your EC2 instance is sitting behind a load balancer then you must associate the SSL/TLS Certificate with the load balancer. Here are some useful links

• Basic information
• Troubleshooting

EC2 Instance Association

If you want to install an SSL/TLS certificate directly on an EC2 instance, you cannot use the AWS Certificate Manager (ACM). Instead, obtain a certificate from a Certificate Provider or create a self signed certificate. Here are some helpful links:

• IIS 8 and 8.5
• IIS 10

Importing Self Signed Certificate into Client Machine Certificate Store

If you have an actual Trusted Certificate, you do not need to import the certificate into the client computer's certificate store.

With Windows Control Panel

1. Browse to the endpoint in Internet Explorer which should use your self-signed SSL certificate. You should be greeted by an error message saying your certificate is not trustworthy.
2. Click “Continue to this website”.
3. Click on “Certificate error” in the address bar, and then click “View certificates”.
4. Export the certificate
5. Right click the windows icon, choose "Control Panel"
6. Network and Internet
7. Click "Internet Options" under All Control Panel Items
8. Choose "Content" tab
9. Click "Certificates" button
10. Browse - select Trusted root
11. Click “Place all certificates in the following store”, and then click “Browse”. Do not rely on the preselected option to automatically select the certificate store as this will not work!
12. Inside the dialog box, click “Trusted Root Certification Authorities”, and then click “OK”.
13. Finish the dialog.
14. On Advanced tab uncheck Warn about certificate address mismatch
15. Restart computer and navigate to .NET RESTful engine url again with https