Showing posts with label SSL Certificate for ELB. Show all posts
Showing posts with label SSL Certificate for ELB. Show all posts

Tuesday, August 13, 2013

AMAZON - Create SSL Certificate for a Load Balancer

AMAZON - Create SSL Certificate for a Load Balancer
This section describes the process of generating a server certificate and preparing it to use with AWS products through IAM. To create a certificate, you perform a series of tasks as described by the following topics. Note: If you want to create user signing certificate that you can use to sign SOAP requests in EC2, see Creating and Uploading a User Signing Certificate Topics
  • Install and Configure OpenSSL
  • Create a Private Key
  • Create a Certificate Signing Request
  • Submit the CSR to a Certificate Authority

Install and Configure OpenSSL
Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.
  • To install OpenSSL on Windows
    1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
    2. Click OpenSSL for Windows.
  • A new page displays with links to the Windows downloads.
    1. If it is not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
    2. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.
    3. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
  • Before you use OpenSSL commands, you must configure the operating system so that it has information about the location of the OpenSSL install point.
  • To configure OpenSSL on Windows
    1. Open a Command Prompt window.
    2. Set the OpenSSL_HOME variable to the location of the OpenSSL installation:
      set Path=OpenSSL_HOME\bin;%Path%
    3. Set the path to the OpenSSL installation:
      set Path=OpenSSL_HOME\bin;%Path%
Note: Any changes you make to Windows environment variables in a Command Prompt window are valid only for the current command-line session. You can make persistent changes to the environment variables by setting them as system properties. The exact procedures depend on what version of Windows you're using. (For example, in Windows 7, open Control Panel > System and Security > System. Then choose Advanced system settings > Advanced tab > Environment Variables.) For more information, see the Windows documentation.

Create a Private Key
You need a unique private key to create your Certificate Signing Request (CSR).
At the command line, use the openssl genrsa command and the following syntax:
openssl genrsa 2048 > private-key.pem For private-key.pem
specify your own file name. In the example, 2048 represents 2048-bit encryption. AWS also supports 1024-bit and 4096-bit encryption. We recommend you create an RSA key that is 2048 bits.

Create a Certificate Signing Request
The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.
• Use the openssl req command to create a CSR and the following syntax:
openssl req -new -key private-key.pem -out csr.pem
The output will look similar to the following example:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.

The following table can help you create your certificate request.
Name Description Example
Country Name The two-letter ISO abbreviation for your country. US = United States
State or Province The name of the state or province where your organization is located. This name cannot be abbreviated. Washington
Locality Name The name of the city where your organization is located. Seattle
Organization Name The full legal name of your organization. Do not abbreviate your organization name. Example Corp.
Organizational Unit Optional, for additional organization information. Marketing
Common Name The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match. www.yourdomain.com
Email address The server administrator's email address someone@yourdomain.com

Note:The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name.

Submit the CSR to a Certificate Authority
Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.