SSL Certificate for Elastic Load Balancing
This section walks you through the steps for creating a private key, creating a certificate signing request (CSR), and for submitting the CSR to a Certificate Authority (CA).
You need a unique private key to create your Certificate Signing Request (CSR). Private keys are created using standard key algorithms. Choose the algorithm based on the cipher suites you plan to use for negotiating SSL connections from the client to your load balancer: RSA-based suites need an RSA key, and ECDHE-ECDSA suites need an ECDSA key.
After you create the private key, save it in a secure place and restrict its file permissions to the account that will upload it. Anyone who obtains the key can impersonate your site, and there is no way to recover the key if you lose it.
RSA-based Ciphers
Use the following genrsa command to generate an RSA key that is 2048 bits. Always pass the key size explicitly rather than relying on the OpenSSL default (older releases default to 512 bits, which is far too weak; current releases default to 2048). AWS also supports 1024-bit and 4096-bit keys, but 1024-bit RSA is below current minimum recommendations, so we recommend you create an RSA key that is 2048 bits.
openssl genrsa -out my-private-key-file.pem 2048
ECDHE-ECDSA-based Ciphers
Use the ecparam command with the following syntax (the curve name is prime256v1; -noout keeps the separate EC PARAMETERS block out of the file so that it contains only the key, which is what IAM expects):
openssl ecparam -name prime256v1 -genkey -noout -out my-private-key-file.pem
A Certificate Signing Request (CSR) is a file that you send to a certificate authority (CA) to apply for a server certificate.
Use the openssl req command to create a CSR and the following syntax:
openssl req -sha256 -new -key my-private-key-file.pem -out csr.pem
The following is example output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
The command runs interactively, prompting you to enter the following information:
Country Name
The two-letter ISO code for your country.
Example: US
State or Province Name
The full name of the state or province where your organization is located.
Example: Washington
Locality Name
The name of the city where your organization is located.
Example: Seattle
Organization Name
The full legal name of your organization.
Example: My Company LLC
Organizational Unit Name
(Optional) Additional information, such as a product name or division.
Example: Marketing
Common Name
The fully qualified domain name that clients will use to reach your load balancer (the name your DNS CNAME record resolves to). Browsers show a certificate name mismatch warning if the name in the certificate is not an exact match for the host name requested. Note that current browsers check the host name against the Subject Alternative Name (SAN) extension rather than the Common Name; the interactive req command above does not add a SAN, so ask your CA to include one or add it as a request extension.
Example: www.mycompany.com
Example: mycompany.com
Example: *.mycompany.com
Email Address
The server administrator's email address.
Example: someone@mycompany.com
Use the following command to verify that the information provided in the CSR file is correct. The -verify flag also checks the CSR's self-signature, which confirms that the request was produced with the private key you hold:
openssl req -in csr.pem -noout -text -verify
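The interactive walkthrough above produces a CSR with only a Common Name. The following shell script is an added example, not code from the AWS page: it builds the same CSR non-interactively from a request config so that a subjectAltName is included (which browsers require), and then runs the verification step. The DN values (country, state, organization) and the file names are placeholders to replace with your own; the config-file approach is used instead of the newer -addext flag so it works on older OpenSSL releases too.

```shell
#!/bin/sh
# Added example (not from the AWS page): non-interactive CSR with a SAN.
# DN values below are placeholders; replace them with your organization's.

# make_csr KEY OUT CN SAN_LIST
#   KEY      existing private key (RSA or EC) in PEM format
#   OUT      CSR file to write
#   CN       common name, e.g. www.mycompany.com
#   SAN_LIST comma-separated SAN entries, e.g. "DNS:www.mycompany.com,DNS:mycompany.com"
make_csr() {
    key="$1"; out="$2"; cn="$3"; san="$4"
    cfg=$(mktemp)
    # A request config sets the DN without prompts and adds a SAN extension
    # to the request; the interactive "openssl req" flow cannot do the latter.
    cat > "$cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
C = US
ST = Washington
L = Seattle
O = My Company LLC
CN = $cn

[ v3_req ]
subjectAltName = $san
EOF
    openssl req -new -sha256 -key "$key" -config "$cfg" -out "$out"
    rc=$?
    rm -f "$cfg"
    return $rc
}

# check_csr CSR NAME
#   The CSR self-signature must verify (it was made with the key you hold) and
#   NAME must appear in the SAN, since browsers match on SAN, not on the CN.
check_csr() {
    csr="$1"; name="$2"
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$csr" -noout -text | grep -q "DNS:$name" || return 1
}

if [ "$#" -eq 3 ]; then
    # usage: sh make-csr.sh my-private-key-file.pem csr.pem www.mycompany.com
    make_csr "$1" "$2" "$3" "DNS:$3" && check_csr "$2" "$3" && echo "$2 written and verified"
fi
```

Run it with the private key from the previous step, the CSR file name, and the host name; the CSR it writes is what you send to the CA. Add further DNS: entries to the SAN list if the certificate must cover more than one name.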
Your CSR contains information that identifies you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proof of identity.
If the request for a certificate is successful, the CA returns a public (identity) certificate and possibly a chain certificate that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.
When you receive your server certificate from the certificate authority (CA), it might be in a format that is not supported by IAM. Typically you receive a public certificate, one or more intermediate certificates, and a root certificate. The intermediate certificates and the root certificate can come bundled in a file or as separate files. The file names and formats vary depending on the type of SSL certificate you purchase and the certificate authority (common delivered formats are PEM, binary DER, and PKCS#7 bundles with a .p7b extension).
To upload your certificate using AWS IAM, you need the files in PEM format. For more information, see the OpenSSL pem manual page.
Convert Private Key
Use the following command to convert a private key generated for RSA-based ciphers from binary DER to PEM (if the key is already PEM, no conversion is needed):
openssl rsa -inform DER -in my-private-key-file.der -outform PEM -out my-private-key-file.pem
Use the following command to convert a private key generated for ECDHE-ECDSA-based ciphers. Note that the ec subcommand handles keys; ecparam only handles curve parameters and cannot convert a key:
openssl ec -inform DER -in my-private-key-file.der -outform PEM -out my-private-key-file.pem
Convert Public Certificate
This is the certificate you received from the CA. Your public certificate is the domain-specific file. Your public certificate also must be in PEM format; if it was delivered as binary DER, use the following to convert it to PEM format:
openssl x509 -inform DER -in my-public-certificate-file.der -outform PEM -out my-public-certificate-file.pem
Convert Certificate Chain
This file is a concatenation of the intermediate certificates and the root certificate one after the other. The certificate chain lets an end user's browser build a certificate chain to a root certificate it trusts. As a result, the browser can implicitly trust your certificate.
If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can skip this step and upload just the public certificate and private key.
Typically, both intermediate and root certificates are provided by a CA in a bundled file with the proper chained order. If a certificate bundle is not available or not available in the required order, you can create your own certificate chain file.
To create your own certificate chain file, include the intermediate certificates and optionally, the root certificate, one after the other without any blank lines. If you are including the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Any intermediaries that are not involved in the chain of trust path must not be included.
Your certificate chain must be in PEM format. If a CA sent you a single DER certificate, convert it with the following command and concatenate the results in chain order:
openssl x509 -inform DER -in my-certificate-chain-file.der -outform PEM -out my-certificate-chain-file.pem
If the CA sent the chain as a PKCS#7 bundle (.p7b), extract the certificates with openssl pkcs7 -print_certs -inform DER -in my-certificate-chain-file.p7b -out my-certificate-chain-file.pem and then delete the subject= and issuer= text lines it prints between the PEM blocks, so that the file contains only certificates.
Upload Certificates
After you have your certificate files in PEM format, use the following upload-server-certificate command to upload them. The --certificate-body option takes the domain-specific public certificate, not the chain. You can optionally add --path (for example, --path /production/) to group certificates; the path becomes part of the certificate's ARN.
aws iam upload-server-certificate --server-certificate-name my-server-certificate \
  --certificate-body file://my-public-certificate-file.pem --private-key file://my-private-key-file.pem \
  --certificate-chain file://my-certificate-chain-file.pem
When you upload your certificates, IAM validates them. If you get an error when you upload a certificate, ensure that the files meet the following criteria and then try uploading them again:
- Certificates must follow the X.509 PEM format.
- The current date must be between the certificate's start and end dates.
- The certificate body file must contain a single certificate (the chain goes in its own file), and the private key file must contain a single key.
- The private key must match the public key in the certificate.
- The private key must be created using the algorithm that matches the cipher suites you plan to use for negotiating SSL connections (RSA or ECDSA, as above) and must be in PEM format.
- The private key cannot be encrypted with a password.
- The certificate chain must include all of your CA's intermediate certificates that lead to the root certificate, and optionally ends with your CA's root certificate. Typically, both intermediate and root certificates are provided by a CA in a bundled file in the proper chained order. If a certificate bundle is not available, or is not in the required order, you can create your own file similar to the sample certificate chain in Sample Certificates. Use the intermediate certificates that were provided by your CA. Any intermediates that are not involved in the chain of trust path must not be included.
The order of intermediate certificates should be documented by the CA. Although the root certificate is optional, including it lets you run full chain-of-trust verifications before you upload, for example with [SSL Checker](http://www.sslshopper.com/ssl-checker.html) or locally with openssl verify.
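The chain-ordering rules in the Convert Certificate Chain section and the upload criteria above can all be checked locally before calling IAM. The following shell script is an added example, not code from the AWS page or from AWS tooling: it runs the checks that correspond to each criterion (single PEM certificate, validity period, unencrypted key, key/certificate match, chain order, and path building) and reports every failure rather than stopping at the first. File names are arguments; the -partial_chain flag is used so that a chain without the root still passes, which is the case IAM accepts.

```shell
#!/bin/sh
# Added example (not from the AWS page): pre-upload checks that mirror the IAM
# validation rules. Returns 0 when every check passes, 1 otherwise.
# usage: check_server_cert_files CERT.pem KEY.pem CHAIN.pem
check_server_cert_files() {
    cert="$1"; key="$2"; chain="$3"; failures=0

    fail() { echo "FAIL: $1" >&2; failures=$((failures + 1)); }

    # 1. PEM format: the body must hold exactly one parseable certificate block.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
    [ "$n" -eq 1 ] || fail "certificate body contains $n certificate blocks, expected 1"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
        || fail "certificate body is not a parseable PEM X.509 certificate"

    # 2. Validity period: -checkend 0 fails if the certificate has already expired
    #    (the notBefore side is covered by openssl verify in step 6).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || fail "certificate has expired"

    # 3. The key must be unencrypted PEM: IAM cannot prompt for a passphrase.
    #    An empty -passin makes openssl fail instead of prompting on an encrypted key.
    if grep -q 'ENCRYPTED' "$key"; then fail "private key is passphrase-protected"; fi
    openssl pkey -in "$key" -noout -passin pass: </dev/null >/dev/null 2>&1 \
        || fail "private key is not a parseable unencrypted PEM key"

    # 4. Key pairs with certificate: compare the public key derived from each.
    #    openssl pkey handles both RSA and EC keys, unlike the RSA-only -modulus trick.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: </dev/null 2>/dev/null || true)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || fail "private key does not match the certificate's public key"

    # 5. Chain order: the first certificate in the chain file must be the leaf's issuer.
    first=$(awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print; if (/-----END CERTIFICATE-----/) exit }' "$chain")
    issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null | sed 's/^issuer=//')
    first_subj=$(printf '%s\n' "$first" | openssl x509 -noout -subject 2>/dev/null | sed 's/^subject=//')
    [ -n "$first_subj" ] && [ "$issuer" = "$first_subj" ] \
        || fail "first chain certificate is not the issuer of the leaf (chain out of order?)"

    # 6. Path building: the leaf must chain, through the supplied file, to its root.
    #    -partial_chain accepts a path that ends at any certificate in the chain file,
    #    so a chain that omits the root still passes (as IAM allows). Drop -partial_chain
    #    and -CAfile to test against the system trust store the way a browser would.
    openssl verify -partial_chain -CAfile "$chain" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
        || fail "certificate does not verify against the supplied chain"

    [ "$failures" -eq 0 ]
}

if [ "$#" -eq 3 ]; then
    check_server_cert_files "$1" "$2" "$3" \
        && echo "all checks passed: ready for aws iam upload-server-certificate"
fi
```

Each FAIL line names the criterion that IAM would reject on, so a failed upload can be diagnosed without reading the API error. The chain-order check only compares the leaf with the first chain certificate; openssl verify in the last step walks the rest of the path.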
After the server certificate is uploaded, you can verify that the information is stored in IAM. Each certificate object has a unique Amazon Resource Name (ARN) and ID. You can request these details for a specific certificate object by referencing the name of the certificate object.
Use the following get-server-certificate command to verify the certificate object:
aws iam get-server-certificate --server-certificate-name my-server-certificate
The response includes the server certificate Amazon Resource Name (ARN) and GUID.
arn:aws:iam::55555555555:server-certificate/production/my-server-certificate
ASCACexampleKEZUQ4K
The first line is the Amazon Resource Name (ARN) and the second line is the GUID. Make a note of the ARN, as you will need it to install the certificate on your load balancer.