Initial Configuration

Install AWS EB CLI

Follow the instructions on the AWS Beanstalk Guide to install AWS EB CLI:

Clone the Repository

Clone this repository and cd to its directory in Terminal

Add elasticbeanstalk config

Download the file, copy the zip file to root of the cloned repository folder, and unzip it. Inside is a hidden folder called “.elasticbeanstalk” that contains configuration files.

Add required config values

Use a text editor (such as TextEdit) to open the file at: 


This file will contain some configuration values that should remain unchanged, as well as some that require a new value to be entered.

The text ######### ENTER VALUE are shown for each area that requires a new value. Remove ######### ENTER VALUE and replace it with new values as follows:


Skip if a value has already been provided.

Otherwise, generate a long secure value to use. If Ruby on Rails is already installed, this can be done by going to the repo root in Terminal. Type rake secret | pbcopy to generate a secret key base, copy it to the clipboard, and paste in your text editor.


Add an email address to display as the sender when the application sends email.


Enter the domain name to be used for the application (you can add or change this later via the AWS Console):


Add values for an email service such as Mandrill (can be initially skipped):



Enter a secure value for DBPassword to use for the database created. 

If desired, you can also edit the value for DBUser to any valid value to use as the database user name. If not, just leave the default value.


Use AWS Certificate Manager to create an SSL certificate, copy-pasting its ARN.

Notification Endpoint

An email address entered here will receive notifications monitoring AWS application health.

EB Init

In Terminal from the repo root, run the command eb init; follow the prompts to select or create an SSH key pair:

CodeCommit: no

Set up SSH: yes

Select a key pair: Create new key pair named aws-eb —or— Select an existing key pair

IAM roles

The Elastic Beanstalk configuration file references two standard AWS IAM roles used for permissions when deploying to Elastic Beanstalk.

If Elastic Beanstalk was previously used for the current AWS account, no new values are needed: these IAM roles were previously created. You can confirm this in the AWS web console by opening the IAM section, clicking “Roles”, and checking that both roles below are shown: 


If these IAM roles do not exist, the easiest way to add them is to run the command below; this will create an environment for the application without specifying any configuration:

eb create temp-env

After running the above command, proceed immediately to the next section to create the environment.

Create Environment

(If needed, use Control-C (^-C) to quit the command above for create temp-env)

In Terminal from the repo root, run this command to create the environment: 

eb create signing-service-env --cfg signing_service_template

The command will run for about 15 minutes, creating an environment for the application using the configuration template file.

Once Terminal prints the output message saying it is safe to do so, use Control-C (^-C).

Then, run these commands:

eb use signing-service-env
eb console

Wait for environment creation to be completed, then proceed to the next section.

AWS Application Configuration

EB Open

In Terminal, run the command eb open to open the application in a browser. Click through any security warnings to load the page: initially, there is a mismatch between the app URL and the SSL certificate, though this is later resolved in the Domain section below.

Once the application is loaded in a browser, sign in with your initial credentials. These initial credentials are sent via email and must be changed at first login.

Enter the license key file provided and accept the User Agreement. 

Click on “Users” to change the administrator password and email address.

Remove temp-env

If temp-env was created as specified in the section for IAM Roles, temp-env will need to be removed once the main app environment is confirmed. From the AWS web console, go to Elastic Beanstalk environments and find temp-env.

Once on its page, find the “Actions” button in the top right, then click “Terminate environment”. Enter the name temp-env when prompted to confirm.


To resolve the SSL warnings, configure a domain for the application. If the domain is managed in AWS Route 53, create an alias record pointing to an Elastic Beanstalk environment. Then, select the environment for this application.

SSH Access

In Terminal, type eb ssh to SSH to the instance if needed. The app content is located at /var/app/current.