AMAZON - Create SSL Certificate for a Load Balancer
This section describes the process of generating a server certificate and preparing it to use with AWS products through IAM. To create a certificate, you perform a series of tasks as described by the following topics. Note: If you want to create user signing certificate that you can use to sign SOAP requests in EC2, see Creating and Uploading a User Signing Certificate Topics
Install and Configure OpenSSL
Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.
Create a Private Key
You need a unique private key to create your Certificate Signing Request (CSR).
At the command line, use the openssl genrsa command and the following syntax:
specify your own file name. In the example, 2048 represents 2048-bit encryption.
AWS also supports 1024-bit and 4096-bit encryption. We recommend you create an RSA
key that is 2048 bits.
Create a Certificate Signing Request
The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.
• Use the openssl req command to create a CSR and the following syntax:
The following table can help you create your certificate request.
Note:The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name.
Submit the CSR to a Certificate Authority
Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.
This section describes the process of generating a server certificate and preparing it to use with AWS products through IAM. To create a certificate, you perform a series of tasks as described by the following topics. Note: If you want to create user signing certificate that you can use to sign SOAP requests in EC2, see Creating and Uploading a User Signing Certificate Topics
- Install and Configure OpenSSL
- Create a Private Key
- Create a Certificate Signing Request
- Submit the CSR to a Certificate Authority
Install and Configure OpenSSL
Creating and uploading a certificate requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source tool that provides the basic cryptographic functions necessary to create an RSA token and sign it with your private key. If you don't already have OpenSSL installed, follow the instructions in this section.
- To install OpenSSL on Windows
- Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
- Click OpenSSL for Windows.
- A new page displays with links to the Windows downloads.
- If it is not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
- After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment and save the file locally. The OpenSSL Setup Wizard launches.
- Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
- Before you use OpenSSL commands, you must configure the operating system so that it has information about the location of the OpenSSL install point.
- To configure OpenSSL on Windows
- Open a Command Prompt window.
- Set the OpenSSL_HOME variable to the location of the OpenSSL installation:set Path=OpenSSL_HOME\bin;%Path%
- Set the path to the OpenSSL installation:set Path=OpenSSL_HOME\bin;%Path%
Create a Private Key
You need a unique private key to create your Certificate Signing Request (CSR).
At the command line, use the openssl genrsa command and the following syntax:
openssl genrsa 2048 > private-key.pem For private-key.pem
Create a Certificate Signing Request
The next step is to create a Certificate Signing Request (CSR). This is a file that you can send to a certificate authority (CA) to apply for a server certificate.
• Use the openssl req command to create a CSR and the following syntax:
openssl req -new -key private-key.pem -out csr.pem
The output will look similar to the following example:
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value.
If you enter '.', the field will be left blank.
The following table can help you create your certificate request.
Name | Description | Example |
Country Name | The two-letter ISO abbreviation for your country. | US = United States |
State or Province | The name of the state or province where your organization is located. This name cannot be abbreviated. | Washington |
Locality Name | The name of the city where your organization is located. | Seattle |
Organization Name | The full legal name of your organization. Do not abbreviate your organization name. | Example Corp. |
Organizational Unit | Optional, for additional organization information. | Marketing |
Common Name | The fully qualified domain name for your CNAME. You will receive a certificate name check warning if this is not an exact match. | www.yourdomain.com |
Email address | The server administrator's email address | someone@yourdomain.com |
Note:The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name.
Submit the CSR to a Certificate Authority
Your CSR contains information identifying you. To apply for a server certificate, send your CSR to a certificate authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.