Deploying RapidSSL/GeoTrust SSL certificates to an AWS Elastic Load Balancer (ELB)
RapidSSL wildcard certificates are relatively affordable (compared to most of the competition) wildcard SSL certificates that let you serve HTTPS for any subdomain of your domain. If you need to provide several hostnames under one domain over HTTPS, buying a separate SSL certificate for each of them can be quite costly, so a cost-effective wildcard certificate provider becomes interesting.
RapidSSL certificates are signed by GeoTrust:
RapidSSL Certificates are X.509 Certificates with SSL Extensions that chain to GeoTrust’s trusted root(s) and that are vetted to a specified level domain and may be used in connection with all next level higher domains that contain the specified vetted level domain.
To obtain an SSL certificate you need to:
- Generate a private key
- Generate and provide a Certificate Signing Request (CSR) file
Generate a Private Key
$ openssl genrsa -out private-key.pem 2048
Generate a CSR
$ openssl req -new -key private-key.pem -out csr.pem
CSR creation is an interactive process. Answer the questions the tool asks as follows:
- Country Name: Use the two-letter ISO code for the country, for example: US or UK.
- State or Province: Spell out the name in full. For instance, type “New York”, not “NY”.
- Company: Use only Latin characters of the name. Omit any other characters, including ampersands.
- Organizational Unit: indicate your wildcard domain, e.g.: *.example.com
- Common Name: indicate your wildcard domain, e.g.: *.example.com
Leave all other fields blank, including the e-mail.
Once you purchase your certificate and submit the CSR, RapidSSL will e-mail you two certificates: the Web Server CERTIFICATE and the INTERMEDIATE CA. Save them in files named cert.pem and ca.pem respectively.
Check the two files to make sure they are valid and match each other using a handy online tool, such as: http://sslchecker.com/matcher
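The CSR steps above and the key/certificate match check, as an added example that is not code from the original post. It creates the key and CSR non-interactively with the subject fields the post prescribes, and then does the match check locally with openssl, so the private key never has to leave the machine (a web matcher needs the key pasted into a form). It assumes openssl is in PATH and uses the post's file names (private-key.pem, csr.pem, cert.pem); "*.example.com" and "Example Corp" are placeholders, and the self-signed cert.pem it produces is a constructed stand-in for the certificate RapidSSL sends back.

```shell
#!/bin/sh
# Added example, not code from the original post. Creates the key and CSR
# non-interactively with the subject fields the post prescribes, then checks
# locally that private key, CSR and certificate carry the same public key.
# Assumes: openssl in PATH; file names as in the post (private-key.pem,
# csr.pem, cert.pem); "*.example.com" and "Example Corp" are placeholders.
set -eu

# Subject as the post instructs: two-letter country, state spelled out,
# Latin-only company name, OU and CN both set to the wildcard domain,
# e-mail and the remaining fields left empty.
gen_key_and_csr() {
    dir=$1
    openssl genrsa -out "$dir/private-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/private-key.pem" -out "$dir/csr.pem" \
        -subj "/C=US/ST=New York/O=Example Corp/OU=*.example.com/CN=*.example.com"
}

# Stand-in for the CA-issued certificate so the check can run offline:
# self-sign the CSR. The real cert.pem comes back from RapidSSL.
selfsign_stub() {
    dir=$1
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/private-key.pem" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
}

# SHA-256 of the public key held by a private key, a CSR or a certificate.
# All three print the same digest when they belong together.
pubkey_fingerprint() {
    kind=$1; file=$2
    (
        case "$kind" in
            key)  openssl rsa  -in "$file" -pubout 2>/dev/null ;;
            csr)  openssl req  -in "$file" -pubkey -noout ;;
            cert) openssl x509 -in "$file" -pubkey -noout ;;
            *)    echo "unknown kind: $kind" >&2; exit 2 ;;
        esac
    ) | openssl sha256 | awk '{print $NF}'
}

# Succeeds only when key, CSR and certificate all share one public key.
check_match() {
    dir=$1
    k=$(pubkey_fingerprint key  "$dir/private-key.pem")
    r=$(pubkey_fingerprint csr  "$dir/csr.pem")
    c=$(pubkey_fingerprint cert "$dir/cert.pem")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Common Name requested by the CSR; confirm it is the wildcard before submitting.
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}
```

Run gen_key_and_csr on a scratch directory, submit csr.pem to RapidSSL, save the returned certificate as cert.pem in the same directory, and run check_match; a mismatch typically means the key or CSR was regenerated after the order was placed, and the fix is to reissue against the current CSR rather than to force the upload.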
Option 1: Deploying through the AWS Management Console
In the Listeners section of your AWS ELB configuration, add an HTTPS listener and add a new certificate. In the Upload a new SSL Certificate form, enter the contents of cert.pem into the Public Key Certificate field, the contents of private-key.pem into the Private Key field, and the contents of ca.pem into the
Option 2: Using AWS IAM Tools
Install the AWS IAM Tools. On your Mac you can do it using Brew:
$ brew install aws-iam-tools
Follow the instructions provided by the brew post-install screen to configure IAM tools and set AWS credentials for it.
Uploading a new cert
Once you have the IAM tools working:
$ iam-servercertupload -b cert.pem -k private-key.pem -c ca.pem -s SomeWildcardCert
Replace SomeWildcardCert with whatever name you want the new cert to appear under in the AWS Admin Console.
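The upload step above, as an added example that is not code from the original post: a set of pre-flight checks that a wrong chain, an expired or non-PEM certificate, or a certificate for the wrong name is caught before it reaches IAM, followed by the same upload expressed in the current AWS CLI form (the post uses the older iam-servercertupload tool). It assumes openssl is in PATH and the post's file names (cert.pem, private-key.pem, ca.pem); make_test_pki builds a constructed throwaway CA and leaf so the checks can run offline, and "*.example.com" is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the original post. Pre-flight checks to run
# before uploading the certificate to IAM, plus the upload command in its
# current AWS CLI form (the post uses the older iam-servercertupload tool).
# Assumes: openssl in PATH; files named as in the post (cert.pem,
# private-key.pem, ca.pem). make_test_pki builds a constructed throwaway
# CA and leaf so the checks can run offline; it is not RapidSSL's chain.
set -eu

# Constructed test PKI: a throwaway "intermediate" signs a wildcard leaf.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/ca-key.pem" \
        -out "$dir/ca.pem" -subj "/CN=Throwaway Test CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/private-key.pem" \
        -out "$dir/csr.pem" -subj "/CN=*.example.com" 2>/dev/null
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
        -CAcreateserial -days 1 -out "$dir/cert.pem" 2>/dev/null
}

# Check 1: ca.pem must actually be the issuer of cert.pem. -partial_chain lets
# the chain end at the intermediate, so no root store is needed here. A wrong
# or stale intermediate is the usual cause of client trust errors behind an
# ELB, because the ELB serves exactly the chain you upload.
chain_issues_cert() {
    dir=$1
    openssl verify -partial_chain -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null 2>&1
}

# Check 2: the certificate is PEM (what ELB expects) and not past notAfter.
cert_is_usable() {
    file=$1
    grep -q 'BEGIN CERTIFICATE' "$file" &&
        openssl x509 -in "$file" -noout -checkend 0 >/dev/null
}

# Check 3: the leaf really is for the wildcard name you ordered.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# The upload, in today's AWS CLI form; printed rather than executed so the
# caller can review it. Same three inputs as the post's iam-servercertupload.
upload_command() {
    dir=$1; name=$2
    printf 'aws iam upload-server-certificate --server-certificate-name %s' "$name"
    printf ' --certificate-body file://%s/cert.pem' "$dir"
    printf ' --private-key file://%s/private-key.pem' "$dir"
    printf ' --certificate-chain file://%s/ca.pem\n' "$dir"
}

# Run all checks; succeed only if every one passes.
preflight() {
    dir=$1
    chain_issues_cert "$dir" &&
        cert_is_usable "$dir/cert.pem" &&
        [ "$(cert_common_name "$dir/cert.pem")" = "*.example.com" ]
}
```

Call preflight on the directory holding the three files and only then run the printed command; an IAM upload of a mismatched chain succeeds silently, and the problem surfaces later as clients rejecting the ELB's handshake, which is much more expensive to debug than a failed local check.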