Upload the Signed Certificate for Elastic Load Balancing

When you receive your server certificate from the certificate authority (CA), it might be in a format that is not supported by IAM. Typically you receive a public certificate, one or more intermediate certificates and a root certificate. The intermediate certificates and the root certificate can come bundled in a file or as separate files. The file names may vary depending on the type of SSL certificate you purchase and the certificate authority.

To upload your certificate using AWS IAM, you need the following three files:

  1. Private key in PEM format

    The key file you generated when creating the certificate signing request (CSR). If the key is not in PEM format, use OpenSSL as in the following example to convert the private key to PEM format:

    openssl rsa -in your-private-key-filename -outform PEM
    
  2. Public certificate in PEM format

    This is the certificate you receive from the CA. Your public certificate is the domain-specific file. Your public certificate also must be in PEM format. If it is not, use OpenSSL to convert it. The following command converts a DER-encoded public certificate to PEM format:

    openssl x509 -inform DER -in your-public-certificate-filename -outform PEM
    
  3. Certificate chain in PEM format

    This file is a concatenation of all the intermediate certificates and the root certificate one after the other. The certificate chain lets an end user's browser build a certificate chain to a root certificate it trusts. As a result, the browser can implicitly trust your certificate.

    If you are uploading a self-signed certificate and it's not important that browsers implicitly accept the certificate, you can skip this step and upload just the public certificate and private key.

    Typically, both intermediate and root certificates are provided by a CA in a bundled file with the proper chained order. If a certificate bundle is not available or not available in the required order, you can create your own certificate chain file.

    To create your own certificate chain file, include the intermediate certificates and, optionally, the root certificate, one after the other without any blank lines. If you are including the root certificate, your certificate chain must start with the intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Any intermediate certificates that are not part of the chain of trust path must not be included.

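    Your certificate chain must be in PEM format. If it is not, use OpenSSL to convert it. The following command converts a DER-encoded certificate to PEM format; openssl x509 reads one certificate at a time, so convert each certificate in the chain separately and concatenate the results in chain order:

    openssl x509 -inform DER -in your-certificate-chain-filename -outform PEM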
    

    After you have all your files in the X.509 PEM format, you use the AWS command line interface for IAM to upload them.
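The chain-file rules from step 3 (intermediates first, root last, nothing off the trust path, no blank lines) can be applied mechanically. The following is an added example, not AWS code or code from this post: it orders an unsorted set of CA certificates by matching each certificate's issuer name to the next certificate's subject name. The function names are hypothetical, names are assumed to match byte for byte, and signatures are not verified.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = read_tlv(der, 0)            # Certificate
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate
    tag, _, end = read_tlv(der, pos)        # [0] version, or serialNumber
    if tag == 0xA0:
        _, _, end = read_tlv(der, end)      # serialNumber follows the version
    _, _, issuer_at = read_tlv(der, end)    # skip signature algorithm
    _, _, issuer_end = read_tlv(der, issuer_at)
    _, _, subject_at = read_tlv(der, issuer_end)   # skip validity
    _, _, subject_end = read_tlv(der, subject_at)
    return der[issuer_at:issuer_end], der[subject_at:subject_end]

def pem_to_ders(text):
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(text)]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_chain(leaf_pem, ca_certs_pem, include_root=True):
    """Order CA certificates from the leaf's issuer up to the root."""
    by_subject = {}
    for der in pem_to_ders(ca_certs_pem):
        issuer, subject = issuer_and_subject(der)
        by_subject.setdefault(subject, (der, issuer))
    wanted, _ = issuer_and_subject(pem_to_ders(leaf_pem)[0])
    chain = []
    while wanted in by_subject:             # certificates off the path are never visited
        der, issuer = by_subject.pop(wanted)
        if include_root or issuer != wanted:   # issuer == subject marks the root
            chain.append(to_pem(der))
        wanted = issuer
    return "".join(chain)                   # back to back, no blank lines

if __name__ == "__main__":                  # usage: script.py leaf.pem ca-certs.pem
    leaf, cas = (open(p).read() for p in sys.argv[1:3])
    sys.stdout.write(build_chain(leaf, cas))
```

An empty result means no supplied certificate names itself as the issuer of your public certificate, which usually indicates the wrong intermediate bundle.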
