This article describes how to add or update the SSL certificate on an Amazon Elastic Load Balancer. To perform the steps described here you will need the OpenSSL client for Windows (Download).
About Amazon Elastic Load Balancer SSL Configuration
The Amazon ELB SSL configuration is done from the AWS Console. Follow the steps below to get to the configuration page:
1. Select “EC2” service in the AWS Console and select “Load Balancers” from the left panel.
2. You will see the list of your load balancers. Select the one for which you wish to edit the certificate. If you have port 443 configured, you should see it in the details section.
3. Select “Actions” from the top menu and then select “Edit Listeners”.
4. Under the SSL Certificates column select “Change”. You will then see a window as below. Select “Upload a new SSL certificate” radio button. This will show you a popup as below.
Fields for Uploading a new SSL Certificate
Certificate Name
This can be any readable name that you want to give to your SSL Certificate. This should be a unique name among all the SSL certificates that you have uploaded.
Private Key
This is the Private Key associated with the certificate. This needs to be in PEM format. You will need to export it from the .pfx file you get by exporting the certificate from IIS (see Part I of this series on how to do this). You will also need the OpenSSL client installed. Add the path to the /bin folder of the OpenSSL installation (e.g. D:\Program Files\GnuWin32\bin) to your system’s PATH environment variable. Instructions on PATH variable modifications can be found here.
Now open a command window and run the following command
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
This will ask for a password. Enter the password with which you exported the .pfx. It will then ask you to set a passphrase; enter any passphrase of your choice. The resulting key.pem is still protected by that passphrase and carries extra attribute headers that AWS won’t accept. To strip them, run the following command at the command prompt.
openssl rsa -in key.pem -out privatekey.pem
Copy the content of the privatekey.pem file (including the file delimiters) into the Private Key box.
Public Key Certificate
This is the Public Key part of your SSL certificate. This also needs to be in PEM format. Here you take the .cer file provided by your certificate provider and convert it to PEM format using the OpenSSL utility. Open a Command Window, type the command below and hit Enter.
openssl x509 -inform DER -outform PEM -in certificate.cer -out certificate.pem
The content of the certificate.pem file is the Public Key Certificate. Copy the content of the certificate.pem file (including the file delimiters) into the Public Key Certificate box.
Certificate Chain
Although it says that this input is optional, it really isn’t. If you don’t enter this, your certificate will get created but you will still get an untrusted certificate error when you try to open your website. The steps to get the value for this are also the trickiest.
The Certificate Chain is the chain of CA certificates leading from your SSL certificate up to the root. This chain can be found in the Microsoft Management Console.
Identifying the Chain
Launch the console by typing “mmc” in the Win+R box. Add the Certificates Snap-in as follows:
1. Select “File->Add/Remove Snap-ins…”
2. Select “Certificates” Snap-in and click “Add>”
3. Select “Computer Account” and click “Next”
4. Select “Local Computer” and click “Finish”
5. Close the Snap-in selection box by clicking “OK”
Now you have the Certificates Snap-in added to MMC.
Click on “Trusted Root Certification Authorities->Certificates” and look for the certificate of your certification provider. Double-click the certificate, go to the Details tab and look at the Issuer.
If the Issuer is different from the certification provider, look for the Issuer’s certificate in the list and repeat this step until the certificate and issuer show the same name. Keep track of all the certificates you go through. In the example shown, COMODO SSL CA and AddTrust External CA Root are the two certificates in the chain for the SSL Certificate.
Exporting the Chain
Now, right-click each of the certificates in the chain and select “All Tasks->Export”.
Click “Next” and then select the format as DER.
Provide the name for the exported files and export each of the certificates.
Converting the Chain to PEM
Let us say that this gives you two certificates Parent1.cer and Parent2.cer, where Parent1 is the issuer of the SSL certificate and Parent2 is the issuer of Parent1. So the hierarchy looks like:
Parent2
Parent1
SSL Certificate
Now convert all the .cer files to PEM format by using the following commands on the command line.
openssl x509 -inform DER -outform PEM -in Parent1.cer -out Parent1.pem
openssl x509 -inform DER -outform PEM -in Parent2.cer -out Parent2.pem
This will give you the individual PEM files for the chain.
Compiling the PEM files
Now you need to compile the PEM files into one. The order of adding the content needs to be from lowest to highest. For example:
Content of Parent 2 –
-----BEGIN CERTIFICATE-----
Content1
-----END CERTIFICATE-----
Content of Parent 1 –
-----BEGIN CERTIFICATE-----
Content2
-----END CERTIFICATE-----
Then the resultant combined content should look like:
-----BEGIN CERTIFICATE-----
Content1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Content2
-----END CERTIFICATE-----
This content needs to be entered in the Certificate Chain box.
After clicking “Save” the AWS engine will validate the inputs and add the certificate to the Load Balancer.
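As an added example (not from the original post), the following POSIX shell script rehearses the whole procedure on a throwaway chain it generates locally, ordering the chain from the SSL certificate's issuer up to the root, and ends with the checks worth doing before pasting into the dialog: the key is unencrypted and matches the certificate, the first chain block is the certificate's issuer, and the chain validates the certificate. It assumes an openssl binary on PATH (on Windows, run it from Git Bash or WSL, or type the equivalent commands at the command prompt); the CA names, www.example.com and the passwords are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post: rehearses the article's procedure on a
# throwaway chain generated locally (constructed sample, not a real CA), then runs
# the checks worth doing before pasting into the ELB dialog. Needs openssl on PATH.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Constructed sample hierarchy: Parent2 (root) -> Parent1 (intermediate) -> SSL certificate.
build_sample_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Sample Root CA' \
    -keyout root.key -out root.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Sample Issuing CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.com' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null
  # What IIS and the MMC export hand you: a password-protected .pfx and DER .cer files.
  openssl pkcs12 -export -in leaf.pem -inkey leaf.key -out filename.pfx -passout pass:exportpw
  openssl x509 -in leaf.pem -outform DER -out certificate.cer
  openssl x509 -in inter.pem -outform DER -out Parent1.cer
  openssl x509 -in root.pem -outform DER -out Parent2.cer
}

# The article's steps: strip the passphrase from the key, convert DER to PEM, and
# concatenate the chain from the SSL certificate's issuer (Parent1) up to the root.
prepare_elb_inputs() {
  cd "$WORK"
  openssl pkcs12 -in filename.pfx -nocerts -out key.pem -passin pass:exportpw -passout pass:temp
  openssl rsa -in key.pem -passin pass:temp -out privatekey.pem 2>/dev/null
  openssl x509 -inform DER -outform PEM -in certificate.cer -out certificate.pem
  openssl x509 -inform DER -outform PEM -in Parent1.cer -out Parent1.pem
  openssl x509 -inform DER -outform PEM -in Parent2.cer -out Parent2.pem
  cat Parent1.pem Parent2.pem > chain.pem
}
# Checks before pasting: key is unencrypted and matches the certificate, the first
# chain block is the certificate's issuer, and the chain actually validates it.
check_elb_inputs() {
  cd "$WORK"
  if grep -q 'ENCRYPTED' privatekey.pem; then echo 'key still encrypted'; return 1; fi
  [ "$(openssl x509 -noout -modulus -in certificate.pem)" = \
    "$(openssl rsa -noout -modulus -in privatekey.pem 2>/dev/null)" ] || { echo 'key does not match certificate'; return 1; }
  [ "$(openssl x509 -noout -issuer -in certificate.pem | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in Parent1.pem | sed 's/^subject=//')" ] || { echo 'chain order wrong'; return 1; }
  openssl verify -CAfile chain.pem certificate.pem >/dev/null
}
```

Run build_sample_chain, then prepare_elb_inputs and check_elb_inputs; with a real export, skip the first function and drop your own .pfx and .cer files into $WORK instead.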