将通配符证书安装到AWS EC2负载均衡器上

Question

I'm having trouble. I followed a guide that I found here

http://www.thenetworkadministrator.net/index.php/2011/12/iis-ssl-certificate-into-amazon-elastic-load-balancer/

And exported by cert and created all those files, but it doesn't tell you which file goes in which field. I tried what I think is all the combinations but it doesn't accept it

I Setup the balancer as follows

Then I try to setup the certificate

Then you can see it tells me it's invalid.

In case it helps I exported from IIS and followed the tutorial on the link provided and the certificate is a DigiCert Wildcard Certificate ie (*.domain.com)

Answer 1

Please read the post: AWS Load Balancer SSL limitations . The following solution worked for me:

openssl rsa -in server.key -text

Then copy and paste the produced output between (including):

-----BEGIN RSA PRIVATE KEY-----

and

-----END RSA PRIVATE KEY-----

AWS Load Balancer had accepted this key successfully.

Answer 2

Hmmh, everything looks correct at first sight, but let's double check on a few details.

And exported by cert and created all those files, but it doesn't tell you which file goes in which field.

I can't quite follow, insofar the linked guide clearly states where to put he files:

When prompted for the certificate keys do the following:

• Open the file server.key that was created from above with openssl and paste into the Private Key textbox
• Open the file cert.pem that was created from above with openssl and copy the text from —-BEGIN till the end of the file and paste that into Public Key Certificate textbox

Note: I did not put anything into the certificate chain

The screenshot you provided indicates you have chosen the correct combination in fact, however ...

I tried what I think is all the combinations but it doesn't accept it

... I assume you have deliberately shortened the textarea input widgets for Private Key and Public Key Certificate to decrease image size or hide the actual keys? Otherwise the text to be pasted has mostly gone lost somehow, insofar it should look something like:

-----BEGIN CERTIFICATE-----
MIICeDCCAeGgAwIBAgIGAOABb24uY29tMQwwCgb3DQEBBQUAMFMxCzAJBgNVBAYT
[...]
A WHOLE LOT MORE HEX DIGITS HERE!
[...]
q04lCMxITAfBgNVBAMTAAJW26+adw9C063H7I846ZbxHl6BkcTPsjL3b5JoZhyim
jbzH4dktTFNIkX4o
-----END CERTIFICATE-----

In this regard another cause might be addressed by this answer to Public key and private cert don't match :

Looks like the issue was the way in which I was copying the contents of the key and certs into the AWS Management console. I was using an Ubuntu desktop running in Virtual Box [...] Once I opened the key and cert files on the same box as the web browser (Windows in this case) the certs went through just fine. I'm guessing some parts of the file aren't making it over correctly when using the shared clip board between Virtual Box client and host.

Given the high probability of special characters appearing in the hex dump, this is entirely possible for various similar copy&paste scenarios as well, eg between SSH terminals with erroneous character encoding settings etc.

Answer 3

Simplest/most concise explanation that I have come across for creating a self-signed cert for AWS ELBs is...

openssl genrsa -out server_privatekey.pem 1024
openssl req -new -key server_privatekey.pem -out server_certificate_csr.pem
openssl x509 -req -days 3650 -in server_certificate_csr.pem -signkey server_privatekey.pem -out server_certificate.pem

And then in AWS;

Certificate Name: mycert

Private key: [content of server_privatekey.pem]

Public key: [content of server_certificate.pem]

Certificate Chain: [content of server_certificate_csr.pem]

Credit: https://forums.aws.amazon.com/message.jspa?messageID=381093