AMAZON - Create SSL Certificate for a Load Balancer

AMAZON - Create SSL Certificate for a Load Balancer
This section describes the process of generating a server certificate and preparing it to use with AWS products through IAM. To create a certificate, you perform a series of tasks as described by the following topics. Note: If you want to create user signing certificate that you can use to sign SOAP requests in EC2, see Creating and Uploading a User Signing Certificate Topics

• Install and Configure OpenSSL
• Create a Private Key
• Create a Certificate Signing Request
• Submit the CSR to a Certificate Authority

Install and Configure OpenSSL
Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.

• To install OpenSSL on Windows
  1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
  2. Click OpenSSL for Windows.
• A new page displays with links to the Windows downloads.
  1. If it is not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
  2. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.
  3. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
• Before you use OpenSSL commands, you must configure the operating system so that it has information about the location of the OpenSSL install point.
• To configure OpenSSL on Windows
  1. Open a Command Prompt window.
  2. Set the OpenSSL_HOME variable to the location of the OpenSSL installation:
     set Path=OpenSSL_HOME\bin;%Path%
  3. Set the path to the OpenSSL installation:
     set Path=OpenSSL_HOME\bin;%Path%

Note: Any changes you make to Windows environment variables in a Command Prompt window are valid only for the current command-line session. You can make persistent changes to the environment variables by setting them as system properties. The exact procedures depend on what version of Windows you're using. (For example, in Windows 7, open Control Panel > System and Security > System. Then choose Advanced system settings > Advanced tab > Environment Variables.) For more information, see the Windows documentation.

Create a Private Key
You need a unique private key to create your Certificate Signing Request (CSR).
At the command line, use the openssl genrsa command and the following syntax:

openssl genrsa 2048 > private-key.pem For private-key.pem

specify your own file name. In the example, 2048 represents 2048-bit encryption. AWS also supports 1024-bit and 4096-bit encryption. We recommend you create an RSA key that is 2048 bits.

Create a Certificate Signing Request
The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.
• Use the openssl req command to create a CSR and the following syntax:

openssl req -new -key private-key.pem -out csr.pem

The output will look similar to the following example:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.

The following table can help you create your certificate request.

Name	Description	Example
Country Name	The two-letter ISO abbreviation for your country.	US = United States
State or Province	The name of the state or province where your organization is located. This name cannot be abbreviated.	Washington
Locality Name	The name of the city where your organization is located.	Seattle
Organization Name	The full legal name of your organization. Do not abbreviate your organization name.	Example Corp.
Organizational Unit	Optional, for additional organization information.	Marketing
Common Name	The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match.	www.yourdomain.com
Email address	The server administrator's email address	someone@yourdomain.com

Note:The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name.

Submit the CSR to a Certificate Authority
Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.

Steps to Create SSL Certificate for Amazon Elastic Load Balancer and Update SSL Certificate on Elastic Load Balancer

his section describes the process of generating a server certificate and preparing it to use with AWS products through IAM. To create a certificate, you perform a series of tasks as described by the following topics. Note: If you want to create user signing certificate that you can use to sign SOAP requests in EC2, see Creating and Uploading a User Signing Certificate Topics

• Install and Configure OpenSSL
• Create a Private Key
• Create a Certificate Signing Request
• Submit the CSR to a Certificate Authority
• To update an SSL certificate for an HTTPS load balancer
• Sample server certificate

Install and Configure OpenSSL
Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.

• To install OpenSSL on Windows
  1. Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
  2. Click OpenSSL for Windows.
• A new page displays with links to the Windows downloads.
  1. If it is not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
  2. After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.
  3. Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
• Before you use OpenSSL commands, you must configure the operating system so that it has information about the location of the OpenSSL install point.
• To configure OpenSSL on Windows
  1. Open a Command Prompt window.
  2. Set the OpenSSL_HOME variable to the location of the OpenSSL installation:
     set Path=OpenSSL_HOME\bin;%Path%
  3. Set the path to the OpenSSL installation:
     set Path=OpenSSL_HOME\bin;%Path%

Note: Any changes you make to Windows environment variables in a Command Prompt window are valid only for the current command-line session. You can make persistent changes to the environment variables by setting them as system properties. The exact procedures depend on what version of Windows you're using. (For example, in Windows 7, open Control Panel > System and Security > System. Then choose Advanced system settings > Advanced tab > Environment Variables.) For more information, see the Windows documentation.

Create a Private Key
You need a unique private key to create your Certificate Signing Request (CSR).
At the command line, use the openssl genrsa command and the following syntax:

openssl genrsa 2048 > private-key.pem For private-key.pem

specify your own file name. In the example, 2048 represents 2048-bit encryption. AWS also supports 1024-bit and 4096-bit encryption. We recommend you create an RSA key that is 2048 bits.

Create a Certificate Signing Request
The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.
• Use the openssl req command to create a CSR and the following syntax:

openssl req -new -key private-key.pem -out csr.pem

The output will look similar to the following example:

You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.

The following table can help you create your certificate request.

Name	Description	Example
Country Name	The two-letter ISO abbreviation for your country.	US = United States
State or Province	The name of the state or province where your organization is located. This name cannot be abbreviated.	Washington
Locality Name	The name of the city where your organization is located.	Seattle
Organization Name	The full legal name of your organization. Do not abbreviate your organization name.	Example Corp.
Organizational Unit	Optional, for additional organization information.	Marketing
Common Name	The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match.	www.yourdomain.com
Email address	The server administrator's email address	someone@yourdomain.com

Note:The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name.

Submit the CSR to a Certificate Authority
Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.


To update an SSL certificate for an HTTPS load balancer

1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. On the Amazon EC2 Getting Started page, in the EC2 Dashboard pane, under NETWORK & SECURITY, click Load Balancers.
3. On the Load Balancers page, select your load balancer.
4. The bottom pane displays the details of your load balancer.
   
5. Click the Listeners tab.
6. Click Change in the SSL Certificate column of the certificate you want to update.
7. On the Configure SSL Certificate page, select Choose from your existing SSL Certificates to use previously uploaded SSL certificate and select the certificate from the drop-down box.
8. Or, select Upload a new SSL Certificate if you have a SSL certificate and want to uploaded it.
   Before you upload, ensure that your certificate meets the following citeria:
   • Certificates must follow the X.509 PEM format.
   • The current date must be between the certificate’s start and end date.
   • Public and private certificate files must contain only a single certificate.
   • The private key must match the public key that is in the digital server certificate.
   • The private key must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY.
   • The private key cannot be encrypted with a password.
   • A certificate chain starts with the immediate signing certificate and is then followed by any intermediaries in order. Intermediaries that are not involved in the trust path must not be included. The trusted root certificate can be optionally included as the last certificate.
   If your certificate does not meet the criteria listed in this step, you might get an error when you upload it. Create a new SSL certificate and upload the certificate using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.
   
   Step through the following instructions to continue uploading your SSL certificate.
   • Enter the name of the certificate to upload.
   • Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.
   • Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.
   • [Optional] Copy and paste the contents of the public key certificate chain file (PEM-encoded) in the Certificate Chain box.
   Note The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.
   
9. Click Save.

Sample Certificates
The following certificates show the valid format that IAM accepts for server certificates and their associated private key and certificate chain.
The server certificate associates your public key with your identity. When you submit your Certificate Signing Request (CSR) to a certificate authority (CA), a server certificate is returned to you by the CA. The following figure is a sample server certificate:
Sample server certificate

-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgIQU306HIX4KsioTW1s2A2krTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAxMDA4
MDAwMDAwWhcNMTMxMDA3MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxQHU2VhdHRsZTEYMBYGA1UEChQPQW1hem9uLmNv
bSBJbmMuMRowGAYDVQQDFBFpYW0uYW1hem9uYXdzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA3Xb0EGea2dB8QGEUwLcEpwvGawEkUdLZmGL1rQJZdeeN
3vaF+ZTm8Qw5Adk2Gr/RwYXtpx04xvQXmNm+9YmksHmCZdruCrW1eN/P9wBfqMMZ
X964CjVov3NrF5AuxU8jgtw0yu//C3hWnOuIVGdg76626ggOoJSaj48R2n0MnVcC
AwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+MDww
OqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzItY3JsLnZlcmlzaWduLmNvbS9TVlJT
ZWN1cmVHMi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSl7wsRzsBBA6NKZZBIshzgVy19
RzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3VyZS1HMi1haWEudmVy
aXNpZ24uY29tL1NWUlNlY3VyZUcyLmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFow
WDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEF
GDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZI
hvcNAQEFBQADggEBALpFBXeG782QsTtGwEE9zBcVCuKjrsl3dWK1dFiq3OP4y/Bi
ZBYEywBt8zNuYFUE25Ub/zmvmpe7p0G76tmQ8bRp/4qkJoiSesHJvFgJ1mksr3IQ
3gaE1aN2BSUIHxGLn9N4F09hYwwbeEZaCxfgBiLdEIodNwzcvGJ+2LlDWGJOGrNI
NM856xjqhJCPxYzk9buuCl1B4Kzu0CTbexz/iEgYV+DiuTxcfA4uhwMDSe0nynbn
1qiwRk450mCOnqH4ly4P4lXo02t4A/DI1I8ZNct/Qfl69a2Lf6vc9rF7BELT0e5Y
R7CKx7fc5xRaeQdyGj/dJevm9BF/mSdnclS5vas=
-----END CERTIFICATE-----

The private key allows you to decrypt messages that are encrypted with your public key. The following figure is a sample private key: Sample private key

The certificate chain includes all intermediary certificates that lead to the root certificate, as shown in the following example. Intermediaries that are not involved in the trust path must not be included. Sample certificate chain

-----BEGIN CERTIFICATE-----
CA public key certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----