These are the steps I have used to create a CSR, order an SSL certificate, and install it on an AWS Elastic Load Balancer (ELB).
Bookmark the following link so you can get the latest tools from AWS in case the direct links below grow stale:
- Generate a CSR using a 2048-bit (minimum) RSA key (the OpenSSL instructions linked in the note below cover the steps).
**** NOTE: Use the OpenSSL instructions at the following link to generate the key and CSR ( http://slacksite.com/apache/certificate.php )
… so that your private key is already in the PEM format expected by the Amazon ELB/IAM toolkit, which is used to upload the key and SSL certificates from the command line.
- Submit CSR to 3rd party SSL certificate vendor.
- Download the X.509 version of both the server certificate (for the common name being protected) and the
"Intermediate Roots" bundle (the intermediate CA certificates that chain your server certificate up to a trusted root).
*** NOTE: If at the time of upload you get the following error:
400 MalformedCertificate Invalid Public Key Certificate.
… one cause of this rather ambiguous error is the order of the CA certificates inside the Root and Intermediate Root CA bundle file. IAM expects the chain to start with the intermediate that signed your server certificate and continue upward toward the root, so if the vendor's bundle lists the root first, swapping the order of the certificate bodies fixes the error.
- Set up your IAM and ELB Toolkit environment
Download the IAM toolkit here: http://aws.amazon.com/developertools/4143
Follow these instructions to set up the IAM toolkit environment:
**** NOTE: Here is the AWS documentation on how to set up an IAM environment that allows an admin to delegate fine-grained controls via IAM:
**** DISCLAIMER: I did not delve too much into the instructions at the above link since I was under a tight deadline and had already obtained credentials with enough power to carry out the task at hand.
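As an added example (not from the original post), the following IAM policy is scoped to what this procedure actually needs: uploading a server certificate and adding a listener to one named load balancer. It is the least-privilege alternative to a broadly powered credential, which is a liability if the toolkit machine or its credential file is compromised. ACCOUNT_ID, REGION and ELB-Name are placeholders to fill in; the policy assumes the classic ELB CreateLoadBalancerListeners action can be scoped to the load balancer ARN, while the List/Describe actions need a wildcard resource.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UploadAndReadServerCertificates",
      "Effect": "Allow",
      "Action": [
        "iam:UploadServerCertificate",
        "iam:GetServerCertificate"
      ],
      "Resource": "arn:aws:iam::ACCOUNT_ID:server-certificate/*"
    },
    {
      "Sid": "AddListenerToOneLoadBalancer",
      "Effect": "Allow",
      "Action": "elasticloadbalancing:CreateLoadBalancerListeners",
      "Resource": "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/ELB-Name"
    },
    {
      "Sid": "ListAndDescribe",
      "Effect": "Allow",
      "Action": [
        "iam:ListServerCertificates",
        "elasticloadbalancing:DescribeLoadBalancers"
      ],
      "Resource": "*"
    }
  ]
}
```

Attach this to a dedicated IAM user whose access key lives only in the credential file passed to the toolkit, and revoke the key when the certificate rollout is done.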
( I used an Ubuntu VM because I was having issues
with time synchronization between the clocks on the AWS instances and the clock on the machine I was using
as my IAM and ELB toolkit machine (the Ubuntu VM). The error message I got when attempting to upload
the SSL certificate via the ELB command line tool was:
"400 RequestExpired Request timestamp is too skewed."
AWS signs each API request with a UTC timestamp and rejects it when that timestamp is more than a few minutes away from its own clock, so this error means the toolkit machine's clock is off. Since I could not successfully force the clock to match UTC (GMT-0) on the VM I originally started with at HMH, wdcdvlw01 (a Hyper-V VM running CentOS), I moved to Ubuntu, where I was able to make the clock match with one simple command:
sudo dpkg-reconfigure tzdata
… and then selecting GMT-0 (UTC) as the timezone. Where that does not resolve it, sync the system clock with NTP: the signature check compares UTC timestamps, so the clock itself must be right, not just the timezone. )
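To see how far off the toolkit machine actually is before retrying the upload, here is an added shell example (not part of the original post) that measures the skew behind "RequestExpired". It compares an HTTP Date header with the local epoch time; `aws_clock_skew` pulls that header from the IAM endpoint (the endpoint URL and the 300-second SigV4 window are assumptions for illustration; older Query API signatures allowed more). The date parsing uses GNU date, as on Ubuntu.

```shell
# Added example: measure clock skew against a remote Date header.
# Requires GNU date (-d); curl is only needed for the live check.
set -e

# Absolute difference in seconds between an HTTP Date header value
# (RFC 1123 format) and a local epoch time.
# Usage: skew_seconds "Tue, 15 Nov 1994 08:12:31 GMT" 784887151
skew_seconds() {
  remote="$(date -u -d "$1" +%s)"
  diff=$(( $2 - remote ))
  echo "${diff#-}"          # strip the sign: skew is unsigned
}

# Succeeds when the skew is inside the 300-second SigV4 window (assumed).
skew_is_acceptable() {
  [ "$(skew_seconds "$1" "$2")" -le 300 ]
}

# Live check (network required): read AWS's own Date header from the IAM
# endpoint and compare it with the local clock. Prints the skew in seconds.
aws_clock_skew() {
  hdr="$(curl -sI https://iam.amazonaws.com/ \
         | awk -F': ' 'tolower($1) == "date" { sub(/\r$/, "", $2); print $2 }')"
  skew_seconds "$hdr" "$(date -u +%s)"
}

# If the skew is large, discipline the clock itself rather than the timezone:
#   sudo ntpdate -u pool.ntp.org        # one-off sync
#   sudo timedatectl set-ntp true       # keep it synced on systemd systems
```

Run `aws_clock_skew` on the toolkit machine; anything beyond a few minutes explains the error, and a value near zero means the problem is elsewhere (for example, expired credentials).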
- Download the ELB toolkit from here:
*** NOTE: if the above link is not available, please go to the bookmark suggestion for AWS Tools at the top of this page.
Set up your environment variables for the AWS ELB Tools (and the IAM tools) to look similar to the env variables I had specified in my .bashrc file:
- I had put each set of tools at the following base path (yours can be anywhere you want):
Here are some links that describe how to set up the ELB environment if you want some official external references for this topic:
- Download your server cert, and its accompanying Root and Intermediate Root CAs, from your SSL cert vendor.
Follow steps 4 and 5 on the following link, which contain instructions for decrypting the key file and removing its passphrase. I did attempt to upload an encrypted key and the error asked
explicitly that I upload an unencrypted key instead. The resulting key file is a plaintext secret, so keep its permissions restricted to your own user and remove the local copy once the upload has succeeded.
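Before running the upload, it is worth checking the three things that produce the errors mentioned above: that the key is no longer encrypted, that it actually belongs to the server certificate, and that the CA bundle is in the order IAM expects (issuer of the server certificate first, then upward to the root). The following shell script is an added example, not code from the original post. It builds a throwaway root, intermediate and server certificate with openssl so it runs offline; all file names (root.pem, inter.pem, server.pem, chain-good.pem, chain-bad.pem) and the passphrase "secret" are constructed test data standing in for the vendor's files.

```shell
# Added example: pre-flight checks on key, certificate and chain before
# iam-servercertupload. The PKI below is constructed test data.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# --- constructed root -> intermediate -> server hierarchy -----------------
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj "/CN=Example Root CA" -days 2 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem -days 2 2>/dev/null
# Server key generated with a passphrase, as a vendor-style CSR flow leaves
# it; server.csr is what would be submitted to the vendor.
openssl genrsa -aes256 -passout pass:secret -out server.key.enc 2048 2>/dev/null
openssl req -new -key server.key.enc -passin pass:secret -out server.csr \
  -subj "/CN=www.example.com" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out server.pem -days 2 2>/dev/null

# Remove the passphrase (IAM rejects encrypted keys).
# Usage: strip_passphrase encrypted.key plain.key passphrase
strip_passphrase() {
  openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
  chmod 600 "$2"   # the plain key is now a secret on disk; keep it private
}

# Succeeds if the key file is unencrypted PEM (no ENCRYPTED marker).
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$1"
}

# Succeeds if the private key's public half matches the certificate's.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds if the bundle is ordered as IAM expects: the first certificate is
# the issuer of the server certificate and each later certificate is the
# issuer of the one before it. Usage: chain_is_ordered server.pem chain.pem
chain_is_ordered() {
  dir="$(mktemp -d)"
  awk -v d="$dir" '/BEGIN CERTIFICATE/ {n++} {print > (d "/c" n ".pem")}' "$2"
  expect="$(openssl x509 -in "$1" -noout -issuer | sed 's/^[a-z]*=//')"
  i=1
  while [ -f "$dir/c$i.pem" ]; do
    subj="$(openssl x509 -in "$dir/c$i.pem" -noout -subject | sed 's/^[a-z]*=//')"
    if [ "$subj" != "$expect" ]; then rm -rf "$dir"; return 1; fi
    expect="$(openssl x509 -in "$dir/c$i.pem" -noout -issuer | sed 's/^[a-z]*=//')"
    i=$((i + 1))
  done
  rm -rf "$dir"
  return 0
}

# --- the checks to run before uploading -----------------------------------
strip_passphrase server.key.enc server.key secret
cat inter.pem root.pem > chain-good.pem   # issuer first, then up to the root
cat root.pem inter.pem > chain-bad.pem    # reversed: the order IAM rejects
for check in "key_is_unencrypted server.key" "key_matches_cert server.pem server.key" \
             "chain_is_ordered server.pem chain-good.pem" "chain_is_ordered server.pem chain-bad.pem"; do
  if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```

Point the three functions at your own files (server certificate, stripped key, vendor bundle) instead of the constructed ones; if `chain_is_ordered` fails on the vendor bundle, reversing the certificate bodies as described in the note above is the fix.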
OK, now that you have your certs ready and the environment variables set for both toolkits needed for this exercise (IAM and ELB), the following tasks are what I used as a guide for getting the LB listening on port 443 and for uploading the SSL cert, its key, and the CA roots.
- Upload the SSL cert, key, and Root CA bundle
In a nutshell, here is the command I had to run to do this step (-b is the server certificate body, -c the CA chain bundle, -k the unencrypted private key, -p the IAM path, and -s the name the certificate will have in IAM; it is all one line):
user@ubuntu:~$ iam-servercertupload -b new-ssl.cer -c ssl-revoked.cer -k ssl.key -p <PATH> -s <ELB-Domain-Name> --aws-credential-file account-key -v
And the following two lines are the output from the above command:
Add a listener for port 443 onto the existing LB that only has a listener for port 80. Note that with protocol=https and instance-port=80 the ELB terminates TLS and forwards plain HTTP to the instances, so the back-end hop is unencrypted; if you need encryption end to end, set instance-protocol=https and an HTTPS instance port in the listener instead:
baltieri@ubuntu:~$ elb-create-lb-listeners ELB-Name --listener "lb-port=443, instance-port=80, protocol=https, cert-id=arn:aws:iam::ACCOUNT:server-certificate/<PATH>/ELB-Domain-Name"
And below is the expected output
OK-Creating LoadBalancer Listener
Here is the link that I used to formulate the above command:
When you look at the page at the above link, you will notice a section that looks like the following:
Since I had an LB already listening on port 80, I omitted the first --listener switch provided in the above example and thus used simply:
**** NOTE1: The command is supposed to be all on one line; it is broken onto multiple lines here for legibility.
**** NOTE2: The ARN_VALUE in this case was the entire string as follows from the output in step 8a. above: