Does an SSL certificate need to be installed with the IP of Tomcat?

I have an SSL certificate installed on an AWS load balancer (app1.company.com), and one instance with Tomcat resides behind the LB.

If I open https://app1.company.com:8443/ I can see the connection is secure (a valid lock in the URL bar). If I open it with the private IP of Tomcat, I see the "connection is not secure" sign.

I'm aware that certificates usually bind only to a domain (or are only supposed to). And no one is going to use the IP to reach the application, except maybe the team that maintains the application. Now that I need to renew the certificate, I am wondering if I should also install it in the Tomcat keystore, which is specified in $TOMCAT_HOME/conf/server.xml:

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/home/ec2-user/tomcat.keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"/>

Right now this keystore does not have the imported certificate for app1.company.com (because that is installed on the load balancer).
Would it suffice to simply replace the certificate with the new one in the AWS load balancer and leave the Tomcat keystore as it is?
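The behaviour described in the question (valid lock via the DNS name, "not secure" via the private IP) comes down to how a TLS client matches the server's certificate against what the user typed. As an added illustration, not part of the original post, the following Python models that check: an IP target is compared only against iPAddress SANs, a DNS target only against dNSName SANs (with the usual left-most-label wildcard rule), and a certificate issued for app1.company.com alone therefore never validates when the instance is reached by address. The `CERT_ALB` and `CERT_WITH_IP_SAN` dictionaries are constructed in the shape that `ssl.SSLSocket.getpeercert()` returns; the names and the address 10.0.1.25 are made up.

```python
"""Model of TLS hostname verification: why a cert for app1.company.com
fails when Tomcat is reached by its private IP.

Added example, not code from the original post.  The two certificate
dicts below are constructed in the shape returned by
ssl.SSLSocket.getpeercert(); every name and address in them is invented.
"""
import ipaddress

# Constructed: what getpeercert() would report for the load balancer's cert.
CERT_ALB = {
    "subject": ((("commonName", "app1.company.com"),),),
    "subjectAltName": (("DNS", "app1.company.com"),),
}

# Constructed: a cert that additionally carries a wildcard DNS SAN and the
# instance's (made-up) private IP as an iPAddress SAN.
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "app1.company.com"),),),
    "subjectAltName": (
        ("DNS", "app1.company.com"),
        ("DNS", "*.internal.company.com"),
        ("IP Address", "10.0.1.25"),
    ),
}


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, a wildcard is only
    accepted as the entire left-most label, and it never spans a dot, so
    *.internal.company.com covers tomcat1.internal.company.com but not
    a.b.internal.company.com or company.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: dict, target: str) -> tuple[bool, str]:
    """Return (ok, reason): would a TLS client connecting to `target`
    accept `cert`?  An IP literal only matches an iPAddress SAN; a DNS
    name only matches dNSName SANs.  Browsers ignore the Subject CN
    entirely; some older TLS stacks fall back to it only when the cert
    has no SAN extension at all, which is the one case modelled here."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"iPAddress SAN {value} matches"
        return False, f"no iPAddress SAN for {target}; DNS SANs never match an IP literal"

    dns_names = [v for k, v in sans if k == "DNS"]
    for name in dns_names:
        if _dns_matches(name, target):
            return True, f"dNSName SAN {name} matches"
    if not sans:
        cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
        if target.lower() in (cn.lower() for cn in cns):
            return True, "matched Subject CN (legacy fallback, cert has no SAN)"
    return False, f"{target} is not covered by SANs {dns_names}"


if __name__ == "__main__":
    for cert_name, cert in (("CERT_ALB", CERT_ALB), ("CERT_WITH_IP_SAN", CERT_WITH_IP_SAN)):
        for target in ("app1.company.com", "10.0.1.25", "tomcat1.internal.company.com"):
            ok, reason = check_hostname(cert, target)
            print(f"{cert_name:17s} {target:30s} {'OK ' if ok else 'FAIL'} {reason}")
```

The practical consequence for the question: reusing the app1.company.com certificate in the Tomcat keystore would not make https://10.0.1.25:8443/ show a lock, because the address is not in the certificate; only a certificate whose SAN list includes that IP (or reaching the instance by a DNS name the certificate does cover) would.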

Answer

I suggest you block direct access to the server, as that's a back door into the server and a DDoS attack vector. I would do this by putting the Tomcat instance into a private subnet. If you must have it in a public subnet, I would ensure only a few things can reach it: the ALB (using the VPC CIDR range is easiest) and specified IPs. If it's private, you can use AWS Session Manager to access the server from the AWS console.

Your ALB can use ACM (AWS Certificate Manager), which issues and renews certificates for free. The only reason I can think of to use another registrar is if you need extended validation certificates or some other feature. ACM certificates can only be used on load balancers and in CloudFront, not on your own server.

You could put a certificate onto the instance, but I'm not sure it's worth the bother.

Attribution
Source: Link, Question Author: Rohini, Answer Author: Tim