Deploying RapidSSL/GeoTrust SSL certificates to an AWS Elastic Load Balancer (ELB)
RapidSSL wildcard certificates are relatively affordable (compared to most of the competition) wildcard SSL certificates that can be used to deploy HTTPS services for any subdomain of your domain. If you need to serve several domains over HTTPS, buying a separate SSL certificate for each one can be quite costly, so a cost-effective wildcard certificate provider becomes interesting.
RapidSSL certificates are signed by GeoTrust:
RapidSSL Certificates are X.509 Certificates with SSL Extensions that chain to GeoTrust’s trusted root(s) and that are vetted to a specified level domain and may be used in connection with all next level higher domains that contain the specified vetted level domain.
Source: http://www.geotrust.com/resources/cps/pdfs/RapidSSLCPS-Version1.0.pdf
Getting Started
To obtain an SSL certificate you need to:
- Generate a private key
- Generate and provide a Certificate Signing Request (CSR) file
Generate a Private Key
$ openssl genrsa -out private-key.pem 2048
Generate a CSR
$ openssl req -new -key private-key.pem -out csr.pem
CSR creation is an interactive process. You should respond to questions the script asks, as follows:
- Country Name: Use the two-letter ISO code for the country, for example: US or UK.
- State or Province: Spell out the name in its entirety. For instance, type “New York”, not “NY”.
- Company: Use only Latin characters of the name. Omit any other characters, including the ampersand.
- Organizational Unit: indicate your wildcard domain, e.g.: *.example.com
- Common Name: indicate your wildcard domain, e.g.: *.example.com
Leave all other fields blank, including the e-mail.
Obtaining Certificate
Once you purchase your certificate and submit the CSR, RapidSSL will e-mail you two certificates: the Web Server CERTIFICATE and the INTERMEDIATE CA. Save them in files named cert.pem and ca.pem, respectively.
Check that the two files are valid and compatible with each other (and with your private key) using a handy online tool, such as: http://sslchecker.com/matcher
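An offline equivalent of that matcher check, as an added example that is not part of the original post: it assumes openssl is on the PATH, and it constructs its own throwaway CA, wildcard leaf and unrelated key (no real RapidSSL material) to show a matching pair being accepted and a wrong key being rejected.

```shell
#!/bin/sh
# Added example: offline check that private-key.pem, cert.pem and ca.pem
# belong together, without pasting key material into a third-party web tool.

# SHA-256 fingerprint of the public key inside a certificate ($1=cert) or a
# private key ($1=key). Equal fingerprints mean the pair belongs together.
pubkey_fingerprint() {
  if [ "$1" = cert ]; then
    openssl x509 -in "$2" -noout -pubkey
  else
    openssl pkey -in "$2" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds when the certificate was issued for the given private key.
cert_matches_key() { # $1=cert.pem $2=private-key.pem
  [ "$(pubkey_fingerprint cert "$1")" = "$(pubkey_fingerprint key "$2")" ]
}

# Succeeds when the certificate is signed by the intermediate in $2.
# -partial_chain lets the intermediate act as the trust anchor, since the
# GeoTrust root itself is not contained in ca.pem.
cert_chains_to() { # $1=cert.pem $2=ca.pem
  openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed test material (NOT real RapidSSL files): a throwaway CA, a
# wildcard leaf it signs, and an unrelated key that must be rejected.
make_sample() { # $1=directory
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca-key.pem" \
    -out "$1/ca.pem" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  openssl genrsa -out "$1/private-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/private-key.pem" -out "$1/csr.pem" \
    -subj "/CN=*.example.com" 2>/dev/null
  openssl x509 -req -in "$1/csr.pem" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -out "$1/cert.pem" -days 1 2>/dev/null
  openssl genrsa -out "$1/wrong-key.pem" 2048 2>/dev/null
}

dir=$(mktemp -d)
make_sample "$dir"
cert_matches_key "$dir/cert.pem" "$dir/private-key.pem" && echo "key matches cert"
cert_matches_key "$dir/cert.pem" "$dir/wrong-key.pem" || echo "wrong key rejected"
cert_chains_to "$dir/cert.pem" "$dir/ca.pem" && echo "cert chains to ca.pem"
rm -r "$dir"
```

Point the three functions at your real cert.pem, private-key.pem and ca.pem instead of the constructed files to check a purchased certificate before uploading it.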
Option 1: Deploying through the AWS Management Console
In the Listeners section of your AWS ELB configuration, add an HTTPS listener and add a new certificate. In the Upload a new SSL Certificate form, enter the contents of cert.pem into the Public Key Certificate field, the contents of private-key.pem into the Private Key field, and the contents of ca.pem into the Certificate Chain field.
Option 2: Using AWS IAM Tools
Install the AWS IAM Tools. On a Mac you can do this with Homebrew:
$ brew install aws-iam-tools
Follow the instructions in the Homebrew post-install notes to configure the IAM tools and set the AWS credentials they should use.
Uploading a new cert
Once you have the IAM tools working:
$ iam-servercertupload -b cert.pem -k private-key.pem -c ca.pem -s SomeWildcardCert
Replace SomeWildcardCert with whatever name you want the new cert to appear under in the AWS Management Console.