Tuesday, February 10, 2015

How to upload the security certificate and terminate SSL at AWS ELB for your website

Most AWS users are well aware that an ELB can be the SSL termination point for incoming traffic to your website. Today I will show, step by step, how you can build, upload and save the SSL certificate on an ELB.
There are three parts to doing this:

Step 1: Build

In most corporations, SSL certs are handled by a dedicated team that creates and maintains the signed and verified certificates, and they usually provide the certs on request in a standard format. They basically provide three things:

    • A ".crt" extension file, say acme.com.crt
Sample crt file
-----BEGIN CERTIFICATE-----
jytdlhdxcz77dfd67idfefhend,

iuhfdfjhw8094kmdlksj88d9
.
.
.
kjdskjshkdshdskhsa7rri23l;j
-----END CERTIFICATE-----
    • A ".key" extension file, say acme.com.key
Sample key file
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,672767RTE

re87e8eetr7ettewew7
ew68w68ere7e6rewr
.
.
.
yeiurwyireuyrere8987
-----END RSA PRIVATE KEY-----
    • And a password string for it ('password')
AWS, on the other hand, needs these certificates PEM encoded, so the first step is to convert these files into the format the ELB needs. To do that you need to have openssl installed. On Linux machines it is installed by default most of the time, but on Windows you may have to install it.
After installing it, you have to generate the two PEM-encoded files the ELB needs, one public and one private.

To generate the public file, use the following command (if prompted for a password, provide the password mentioned above):
openssl x509 -inform PEM -in acme.com.crt > public.pem
To generate the private file, use the following command (if prompted for a password, provide the password mentioned above):
openssl rsa -in acme.com.key -text > private.pem

The private.pem file will contain a lengthy certificate chain, which is optional in ELB, but the end of the file will look something like this:

-----BEGIN RSA PRIVATE KEY-----

yre7tet78etew8euyue
ew68w68ere7e6rewr
.
.
.
,n,xn,xcmnc7v7cyc7nn
-----END RSA PRIVATE KEY-----


The public.pem file will most likely come out the same as your .crt file. Whatever the result, your public.pem will look like this sample:

-----BEGIN CERTIFICATE-----
jytdlhdxcz77dfd67idfefhend,

iuhfdfjhw8094kmdlksj88d9
.
.
.
kjdskjshkdshdskhsa7rri23l;j
-----END CERTIFICATE-----


Step 2: Upload and Save

On the AWS console, navigate to the ELB page and click on the ELB where you want to apply this certificate. In the bottom pane, click on the Listener tab (see image) and click on the change link (as marked by the arrow).


On clicking the change or upload button you will see a modal where you copy and paste the content of the private.pem and public.pem files we generated (see attached image). From private.pem, copy and paste only the bottom part, starting with -----BEGIN RSA PRIVATE KEY-----
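
Before pasting, it helps to confirm that the key block is really decrypted and that it belongs to the certificate. The script below is an added example, not part of the original post: it builds a throwaway key and self-signed certificate (constructed stand-ins for acme.com.key and acme.com.crt), runs the two conversion commands from Step 1 non-interactively with -passin, and then runs the checks. The function names and the private-key-only.pem file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example. The key and certificate generated here are constructed,
# throwaway stand-ins for acme.com.key / acme.com.crt; 'password' is the
# sample passphrase from the article.
umask 077   # keep the decrypted key unreadable to other local users

make_sample_inputs() {   # $1 = working directory
    openssl genrsa -aes256 -passout pass:password -out "$1/acme.com.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/acme.com.key" -passin pass:password \
        -subj "/CN=acme.com" -days 1 -out "$1/acme.com.crt" 2>/dev/null
}

convert_for_elb() {      # the article's two commands, made non-interactive
    openssl x509 -inform PEM -in "$1/acme.com.crt" > "$1/public.pem"
    openssl rsa -in "$1/acme.com.key" -passin pass:password -text \
        > "$1/private.pem" 2>/dev/null
}

# Print only the PEM key block, dropping whatever -text wrote above it.
# Older OpenSSL labels it "RSA PRIVATE KEY", OpenSSL 3 "PRIVATE KEY".
extract_key_block() {
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1"
}

# Succeeds only if the key block is not passphrase-protected.
key_is_decrypted() {
    ! extract_key_block "$1" | grep -q 'ENCRYPTED'
}

# Succeeds only if the private key belongs to the certificate.
key_matches_cert() {     # $1 = certificate, $2 = private key
    cert_mod=$(openssl x509 -noout -modulus -in "$1") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

preflight() {            # $1 = working directory
    extract_key_block "$1/private.pem" > "$1/private-key-only.pem"
    key_is_decrypted "$1/private.pem" || { echo "key still encrypted"; return 1; }
    key_matches_cert "$1/public.pem" "$1/private-key-only.pem" \
        || { echo "key does not match certificate"; return 1; }
    echo "ok: paste public.pem and private-key-only.pem"
}

work=$(mktemp -d)
make_sample_inputs "$work" && convert_for_elb "$work" && preflight "$work"
rm -rf "$work"
```

Both private.pem and private-key-only.pem hold the key without passphrase protection, so delete them once the upload has succeeded.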


This two-step process will terminate your SSL at the ELB and enable your website to be served securely over the HTTPS protocol.


Sid
http://dailytechscape.com