@marcuswestin
Last active August 28, 2018 15:18
How to set up an AWS SSL terminating Elastic Load Balancer with a Digicert certificate

1: Generate CSR

openssl req -new -newkey rsa:2048 -nodes -keyout server-cert.key -out server-cert-sign-req.csr

# Country Name (2 letter code) [AU]:US
# State or Province Name (full name) [Some-State]:California
# Locality Name (eg, city) []:
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Flutterby Labs, Inc.
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:www.dogo.co
# Email Address []:administrator@dogo.co
# 
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []: <LEAVE THIS BLANK>
# An optional company name []: <LEAVE THIS BLANK>

2: Upload CSR

  • Upload server-cert-sign-req.csr to digicert as type "OTHER"
  • Now wait for Digicert to tell you your cert is ready...

3: Download certificate from Digicert

  • Download certificate from digicert: "Other format" -> "A single .pem file containing all the certs"

4: Create SSL terminating load balancer on AWS

In EC2 console:

  • Create a load balancer in the EC2 panel
      1. Give it a name and add a Load Balancer Protocol of HTTPS -> HTTP (TLS is terminated at the ELB, plain HTTP goes to your instances)
      2. Upload the SSL Certificate. (Private key is server-cert.key, Public Key Certificate is <file-containing-all-the-certs>.pem)
      3. Use the default config (ELBSample-ELBDefaultNegotiationPolicy)

In Route 53 console:

  • Create an A record and point its Alias Target to the elastic load balancer you just created.

5: Now have a cup of tea

SSL certificates can be opaque and annoying. Give yourself a pat on the back (even if it's not working yet) and take a break.

When your cert expires: Update with New Certificate

First, Generate & Upload CSR + Download new cert just like before. Then in the AWS console:

  • Go to EC2 -> Load Balancers -> Select your current load balancer
  • In the details panel at the bottom, select the "Listeners" tab -> SSL Certificate -> (Change) link
  • Upload the new SSL Certificate (Private key is server-cert.key, Public Key Certificate is <file-containing-all-the-certs>.pem)
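Before pasting the key and the certificate bundle into the ELB dialog (step 4, and again at renewal), it is worth checking that the two files actually belong together, that the bundle really contains the chain, and how long the cert has left. The checks below are an added example, not part of the gist; they assume the openssl CLI is installed and use the gist's file names only as placeholders.

```shell
# Pre-upload sanity checks for server-cert.key and the "all the certs" .pem
# from Digicert. Added example, not from the gist; assumes the openssl CLI.
# Usage: . ./elb-precheck.sh && precheck server-cert.key all-the-certs.pem
set -e

# Succeeds only if the private key and the FIRST (leaf) certificate in the
# PEM file share an RSA modulus, i.e. the key really belongs to that cert.
key_matches_cert() {
  key_mod=$(openssl rsa -in "$1" -noout -modulus)
  cert_mod=$(openssl x509 -in "$2" -noout -modulus)
  [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# Number of certificates in the bundle. Digicert's single-file download holds
# the leaf plus at least one intermediate, so a count of 1 means no chain.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Subject CN of the leaf; compare it with the name your Route 53 A record uses.
# Handles both the old "/CN=x" and the newer "CN = x" subject formats.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Succeeds if the leaf certificate expires within $2 days, i.e. it is time
# to repeat the renewal steps above.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Run every check against a key file ($1) and a certificate bundle ($2).
precheck() {
  if key_matches_cert "$1" "$2"; then echo "OK   key matches leaf certificate"
  else echo "FAIL key does not match leaf certificate"; fi
  n=$(cert_count "$2")
  if [ "$n" -gt 1 ]; then echo "OK   bundle has $n certificates (leaf + chain)"
  else echo "FAIL bundle has only $n certificate; chain is missing"; fi
  echo "INFO leaf CN is $(cert_cn "$2")"
  if expires_within_days "$2" 30; then echo "WARN leaf certificate expires within 30 days"
  else echo "OK   leaf certificate valid for more than 30 days"; fi
}
```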

Have another cup of tea

Cheers!

@HarishKunche

thanks a lot

@BalmungSan

BalmungSan commented Aug 28, 2018

Hi,

I would like to point out that you need the key in PEM format too.
You can do it with the following command.

$ openssl rsa -in server-cert.key -out server-cert-key-pem -outform PEM

PS: Thanks a lot!
