So I've got a few EC2 instances acting as nodes on an ELB, and want to setup a wildcard certificate. Anyone have any good directions/links I can look into? I'm a little confused about the CSR file generation.
NOTE: Had this as comment before:
You will likely want to have the ELB pass the encrypted traffic to your EC2 instances where they can decrypt the traffic. GoDaddy has a good set of links on how to set this up for various systems. Note, you do not have to use them for the SSL cert, but obviously the tutorial is centered on their service.
http://help.godaddy.com/topic/236/article/5537?locale=en
If you want a more technical explanation of what each file is, here are some links:
Wikipedia (technical): http://en.wikipedia.org/wiki/Transport_Layer_Security
Practical Example (Linux + Apache): http://www.akadia.com/services/ssh_test_certificate.html
You can generate the CSR with any web server you like and then process it through GoDaddy for your wildcard. Once you have it, export a PFX and use OpenSSL to extract the parts of the cert required for EC2 ELB.
http://sycure.wordpress.com/2008/05/15/tips-using-openssl-to-extract-private-key-pem-file-from-pfx-personal-information-exchange/
You will need the private, public certs.
Wildcard certs are no problem, I use several myself. They're obviously helpful if you plan on securing more than one URL under the same domain name.
Keep in mind, once you build the ELB instance, you can't change anything outside of the health checks.
Here is their doc on the matter too: http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?InstallCert.html
Here is what I did - For those who want to know the exact steps..
1) Generate your key. Nothing special here just make sure that your Common Name matches
2) Get yourself a multi-domain cert
3) Convert the private key to an RSA Format
4) Wait for the cert to come back...
5) Download and convert the certs to PEM format
6) Upload the whole thing..
Hope that helps
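The steps listed in the answer above, as an added shell example that is not part of the original thread: it generates the key and wildcard CSR, converts the key to RSA PEM format, converts a DER certificate to PEM, and checks that certificate and key belong together before upload. The domain `example.com`, the file names and the function names are assumptions, and a self-signed certificate stands in for the one the CA sends back so that the script runs offline.

```shell
#!/bin/sh
# Added example. example.com and all file names are constructed placeholders.
# Assumes the openssl CLI, version 1.1.0 or later (for `pkey -traditional`).
set -eu
DOMAIN="example.com"

# Steps 1-2: new 2048-bit key and a CSR whose Common Name is the wildcard.
# The subshell body keeps the restrictive umask local to key creation.
make_csr() (
    umask 077
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/wildcard.key" -out "$1/wildcard.csr" \
        -subj "/CN=*.${DOMAIN}" 2>/dev/null
)

# Step 3: rewrite the key as traditional PEM ("BEGIN RSA PRIVATE KEY").
to_rsa_pem() (
    umask 077
    openssl pkey -in "$1/wildcard.key" -traditional -out "$1/wildcard.rsa.key"
)

# Step 4 stand-in: self-sign the CSR so the script runs offline. A real CA
# returns the certificate instead; DER output here exercises step 5.
standin_issue() {
    openssl x509 -req -in "$1/wildcard.csr" -signkey "$1/wildcard.key" \
        -days 1 -outform DER -out "$1/wildcard.der" 2>/dev/null
}

# Step 5: convert a DER certificate to PEM.
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# Before step 6: succeed only if the certificate's public key is the one
# derived from the private key, so a mismatched pair is caught before upload.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1")" = \
      "$(openssl pkey -pubout -in "$2")" ]
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_csr "$work"
to_rsa_pem "$work"
standin_issue "$work"
der_to_pem "$work/wildcard.der" "$work/wildcard.pem"
openssl req -noout -subject -in "$work/wildcard.csr"
cert_matches_key "$work/wildcard.pem" "$work/wildcard.rsa.key" \
    && echo "certificate and key match"
```

The key is written unencrypted (`-nodes`), so it is created under a restrictive umask and should be removed from the build host once the upload is done.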