
Creating and uploading an SSL certificate to Elastic Load Balancer

This document explains how to generate a certificate signing request and upload a certificate to an Amazon Web Services Elastic Load Balancer.


Terminology:



  • CA - Certificate Authority. CA is an entity that issues digital certificates for use by other parties.


  • CSR - Certificate Signing Request. CSR is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.




  • PEM - Privacy-enhanced Electronic Mail. The .pem file name extension is used for a Base64-encoded X.509 certificate.




 


1. Download and install the OpenSSL utility


An easy way to work with SSL certificates is to use the OpenSSL command-line utility.


You can download this utility by using common package managers:


CentOS:


~> sudo yum install openssl


Debian / Ubuntu:


~> sudo apt-get install openssl



2. Generate a Private Key


Generate a new private key with the OpenSSL command-line utility.


~> openssl genrsa  -out privkey.pem 2048


There is now a file in your current directory called privkey.pem. Save it and keep it safe.


Note: The last argument in this command is the key size. Values less than 2048 are considered insecure and are therefore not commonly used. Another common size is 4096.


 


3. Generate CSR


Use the Private Key to generate a Certificate Signing Request.


~> openssl req -new -key privkey.pem -out cert.csr



Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Michigan
Locality Name (eg, city) []:Ann Arbor
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RightBrain Networks
Organizational Unit Name (eg, section) []:DevOps
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:ops@example.com


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


 


After issuing the command you will be prompted for information about the certificate; fill in these fields accordingly.


After filling out this information there will be a file in your current directory called cert.csr. Send this file to the CA.


 


4. Getting the certificate signed


You can send the CSR to any CA you prefer. They will verify it and respond with a certificate and their CA bundle.


Do not send them your private key.
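
Before pasting the key and certificate into the console in step 5, it is worth confirming that the certificate the CA returned belongs to privkey.pem and to the CSR from step 3. The script below is an added example, not part of the original article; the file name cert.pem and the function names are assumptions, and the self-signed certificate it creates is constructed sample input standing in for the CA's reply.

```shell
# Added example (not from the original article). privkey.pem and cert.csr follow
# the article; cert.pem and all function names are assumptions for this sketch.

# SHA-256 over the public key carried by a private key, CSR or certificate.
pub_fp() {  # usage: pub_fp key|csr|cert FILE
  local pem
  case "$1" in
    key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  # An unreadable file must fail here, not hash to the digest of empty input.
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# RSA modulus size in bits, parsed from the first line of the key dump.
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n '1s/[^0-9]*\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeeds only if the key is RSA >= 2048 bits and all three files match.
check_upload_set() {  # usage: check_upload_set KEY CSR CERT
  local bits k c x
  bits=$(key_bits "$1")
  [ "${bits:-0}" -ge 2048 ] ||
    { echo "FAIL: $1 is unreadable or smaller than 2048 bits" >&2; return 1; }
  k=$(pub_fp key "$1") && c=$(pub_fp csr "$2") && x=$(pub_fp cert "$3") ||
    { echo "FAIL: could not parse one of the inputs" >&2; return 1; }
  [ "$k" = "$c" ] || { echo "FAIL: CSR was not created from $1" >&2; return 1; }
  [ "$k" = "$x" ] || { echo "FAIL: certificate does not match $1" >&2; return 1; }
  echo "OK: $bits-bit key, CSR and certificate share one public key"
}

# Constructed sample set: steps 2 and 3 run non-interactively, then the CSR is
# self-signed for one day as a stand-in for the certificate a CA would return.
make_sample_set() {  # usage: make_sample_set DIR
  ( cd "$1" && umask 077 &&
    openssl genrsa -out privkey.pem 2048 2>/dev/null &&
    openssl req -new -key privkey.pem -out cert.csr \
      -subj "/C=US/ST=Michigan/L=Ann Arbor/O=RightBrain Networks/OU=DevOps/CN=www.example.com" &&
    openssl x509 -req -in cert.csr -signkey privkey.pem -days 1 -out cert.pem 2>/dev/null )
}

demo_dir=$(mktemp -d) && make_sample_set "$demo_dir" &&
  check_upload_set "$demo_dir/privkey.pem" "$demo_dir/cert.csr" "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

With real files, run `check_upload_set privkey.pem cert.csr cert.pem` in the directory that holds them; a non-zero exit status means the set should not be uploaded.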


 


5. Upload to Elastic Load Balancer




    • When you receive your signed certificate from the CA, navigate to the Elastic Load Balancer you'd like to have serve this certificate.







    • Let's edit the listeners on this Load Balancer by first selecting the Load Balancer and then Listeners.



 




 




    • Load Balancers come preconfigured with port 80 mapped to port 80. We want to create a new Listener with port 443 mapped to port 80 for SSL.

    • Change the first drop-down to HTTPS and click Select under SSL Certificate. (If you have existing certificates on AWS, you can select one from the drop-down.)



 




 




    • Name the certificate whatever you like; this is how it will be identified within the AWS console.

    • Copy and paste in your Private Key. 

    • Copy and paste in your Certificate and CA bundle received from the Certificate Authority.

    • Save and it's complete.



 


