RapidSSL wildcard certificates are relatively affordable (compared to most of the competition) wildcard SSL certificates that let you deploy HTTPS services for any subdomain of your domain. If you need to serve several subdomains over HTTPS, buying a separate SSL certificate for each of them can be quite costly, so a cost-effective wildcard certificate provider becomes interesting.

RapidSSL certificates are signed by GeoTrust:

RapidSSL Certificates are X.509 Certificates with SSL Extensions that chain to GeoTrust’s trusted root(s) and that are vetted to a specified level domain and may be used in connection with all next level higher domains that contain the specified vetted level domain.

Source: http://www.geotrust.com/resources/cps/pdfs/RapidSSLCPS-Version1.0.pdf

Getting Started

To obtain an SSL certificate you need to:

  1. Generate a private key
  2. Generate and provide a Certificate Signing Request (CSR) file

Generate a Private Key

$ openssl genrsa -out private-key.pem 2048

Generate a CSR

$ openssl req -new -key private-key.pem -out csr.pem

CSR creation is interactive. Answer the prompts as follows:

  • Country Name: Use the two-letter ISO code for the country, for example: US or UK.
  • State or Province: Spell out the name in its entirety. For instance, type “New York”, not: “NY”
  • Company: Use only Latin characters of the name. Omit any other characters, including the ampersand.
  • Organizational Unit: indicate your wildcard domain, e.g.: *.example.com
  • Common Name: indicate your wildcard domain, e.g.: *.example.com

Leave all other fields blank, including the e-mail.

Obtaining Certificate

Once you purchase your certificate and submit the CSR, RapidSSL will e-mail you two certificates: the Web Server CERTIFICATE and the INTERMEDIATE CA. Save them in files named cert.pem and ca.pem respectively.

Check that the two files are valid and belong together using a handy online tool, such as: http://sslchecker.com/matcher
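The same checks can be run locally with openssl, so the private key never leaves the host. This is an added example, not part of the original post; the function names and the constructed test CA are hypothetical, and the real ca.pem is the RapidSSL intermediate, which is why the chain check uses -partial_chain (OpenSSL 1.0.2 or newer).

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for cert.pem,
# private-key.pem and ca.pem before uploading them to AWS.
set -eu

# The private key matches the certificate when both carry the same public key
# (compared as SHA-256 over the DER-encoded SubjectPublicKeyInfo).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# ca.pem is the right intermediate when the server certificate verifies against
# it; -partial_chain lets the intermediate act as trust anchor without the root.
chain_is_valid() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# The certificate names the wildcard (Subject CN or a subjectAltName DNS entry).
cert_covers() {
    openssl x509 -in "$1" -noout -text | grep -q -F "$2"
}

# Constructed fixtures for testing only: a throw-away self-signed CA that signs
# a *.example.com leaf, written into the directory given as $1.
make_fixtures() {
    openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/ca-key.pem" -subj '/CN=Constructed Test CA' \
        -days 1 -out "$1/ca.pem" 2>/dev/null
    openssl genrsa -out "$1/private-key.pem" 2048 2>/dev/null
    openssl req -new -key "$1/private-key.pem" -subj '/CN=*.example.com' \
        -out "$1/csr.pem" 2>/dev/null
    openssl x509 -req -in "$1/csr.pem" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -set_serial 1 -days 1 -out "$1/cert.pem" 2>/dev/null
}

# Usage: ./check-cert.sh cert.pem private-key.pem ca.pem '*.example.com'
if [ $# -eq 4 ]; then
    key_matches_cert "$2" "$1" && echo "key matches cert" || { echo "KEY MISMATCH"; exit 1; }
    chain_is_valid   "$3" "$1" && echo "chain verifies"   || { echo "CHAIN INVALID"; exit 1; }
    cert_covers      "$1" "$4" && echo "covers $4"        || { echo "NAME NOT COVERED"; exit 1; }
fi
```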

Option 1: Deploying through the AWS Management Console

In the Listeners section of your AWS ELB configuration, add an HTTPS listener and add a new certificate. In the Upload a new SSL Certificate form, paste the contents of cert.pem into the Public Key Certificate field, the contents of private-key.pem into the Private Key field and the contents of ca.pem into the Certificate Chain field.

Option 2: Using AWS IAM Tools

Install the AWS IAM Tools. On a Mac you can do it using Homebrew:

$ brew install aws-iam-tools

Follow the instructions in the brew post-install notes to configure the IAM tools and set the AWS credentials they use.

Uploading a new cert

Once you have the IAM tools working:

$ iam-servercertupload -b cert.pem -k private-key.pem -c ca.pem -s SomeWildcardCert

Replace SomeWildcardCert with whatever name you want the new cert to appear under in the AWS Admin Console.