Wednesday, October 1, 2014

How to generate and applying SSL on Amazon ELB

In order to successfully install an SSL certificate you need the following things

CSR file
Private key
Certificate key
Certificate chain

I am assuming the below,

Domain Name: testssl.com
Certificate Provider: GoDaddy.com

1. Initiate a CSR

openssl req -new -newkey rsa:2048 -nodes -keyout testssl.key -out testssl.csr

After this command you need to provide the details about the organization and what type (wildcard or subdomain) of certificate you are going to generate.











Now you have completed generating the private key and the CSR.

This will create below files
testssl.csr--will be used in creating certificate on GoDaddy or other certificate issuer authority like verisign,digicert etc.
testssl.key--> Private key (need to convert in pem format)

2. Go to GoDaddy and use testssl.csr file to create the certificate. It will create the certificate and you can download that from that console. You have to tell what type of certificate (Apache, IIS, Nginx, Plesk or Tomcat etc)

This will have two files.

6eba0aaxxxx.crt  certificate file for your domain
gd_bundle-xxx.crt  is your certificate chain file

Now in all you need the below three files:

testssl.key--> Certificate private key file, you generated as part of your request for certificate
6eba0aaxxxx.crt-->  certificate file for your domain--Public Certificate – The public facing certificate provided by your certificate authority
gd_bundle-xxx.crt-->  Certificate Chain – An optional group of certificates to validate your certificate


3. Convert private key to PEM type

Amazon Web services work with PEM files for certificates and you’ll note none of the files we received were in that format. So before using the files, they have to be translated into a format that Amazon will understand.

Private key

The private key is something that you generated along with your certificate request. Hopefully, you kept it safe knowing that you would need it again one day. To get the Amazon supported format for your key,

openssl rsa -in testssl.key -outform PEM -out testssl.pem

this will create testssl.pem

Public certificate

The public certificate is the domain-specific file that you receive, This certificate file must be changed into PEM format for Amazon to use (your certificate might already be in PEM format, in which case you can just open it up in a text editor, copy the text, and paste it into the dialog). You can convert the certificate file into PEM format:

openssl x509 -inform PEM -in 6eba0aaxxxx.crt -out testssl-cert.pem

Certificate chain

The certificate chain is exactly what it sounds like: a series of certificates. For the AWS dialog, you need to include the intermediate certificate and the root certificate one after the other without any blank lines. Both certificates need to be in PEM format, so you need to go through the same steps as with the domain certificate.

openssl rsa -inform PEM -in gd_bundle-g2-g1.crt -out testssl-cert-chain.pem

4. Now you have three files:

testssl.pem -> private key (Generated with CSR)
testssl-cert.pem -> public certificate (domain)
testssl-cert-chain.pem -> certificate chain


5. Go to your AWS console>ELB>select the desired ELB> click edit to upload the new certificate

Certificate Name: any-name (name of certificat on Amazon to remember)
Private Key: vim testssl.pem > copy and paste it here
Public Key Certificate: vim testssl-cert.pem > copy and paste it here
Certificate Chain: vim testssl-cert-chain.pem > copy and paste it here
















Now You have certificate on your ELB, go to browser and check

No comments:

Post a Comment