SSL Certificate For AWS Load Balancer

I first followed the instructions on AWS's documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#generate-key-submit-csr

openssl genrsa -out mykey-private-key-file.pem 2048
openssl ecparam -name prime256v1 -out mykey-private-key-file.pem -genkey
openssl req -sha512 -new -key mykey-private-key-file.pem -out mykey-csr.pem

But when we tried to submit our CSR, it complained, so I then followed the instructions on RapidSSL:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985

openssl genrsa -des3 -out mykey-private-key-file.pem 2048
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem
openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem

We got our approval response with the x.509 Web Server Certificate and Intermediate CA.

When I copy the mykey-private-key-file.pem into the "Private Key" field on the EC2 Management Console, then it complains that:

"Error creating certificate Unable to parse key; the body is encrypted."

I don't really know what I'm doing. I tried converting the private key like they suggest here: https://www.geekpete.com/blog/converting-ssl-pem-format-aws/ but then it doesn't match. Does this mean I have to go through the process all over again?

Since it took me a while to figure this out as well, I thought I would post my process here (in hopes that it saves someone some time).

This process assumes you already know how to request a certificate from your favorite certificate issuer.

You can just do a find-and-replace on "yourDomain" and then run the commands at a bash prompt. OSX or pretty much any flavor of Linux should do just fine.

# to generate a certificate request
openssl req -new -newkey rsa:2048 -nodes -keyout yourDomain.key -out yourDomain.csr

# Submit the CSR. When the CRT file comes back...
# Open the cert in a text editor...
# create a new file
vi yourDomain.crt

# press 'i' to start insert mode
# paste the contents of the CRT file you received
# press ESC, then 'wq', then enter. This saves the file and exits VIM

# convert the CRT you just wrote to disk into the PEM format expected by ELB
openssl x509 -in yourDomain.crt -out yourDomain.pem -outform PEM

# convert the private key to PEM format expected by ELB
openssl rsa -in yourDomain.key -outform PEM -out yourDomain.pem.key

# display the contents of the private key file and certificate file so you can paste them into the dialog when setting up the listener on the ELB
cat yourDomain.pem.key
cat yourDomain.pem

Actually it was because of the copy and paste from my email. Even though I copied it into a text editor first. Totally lame error message.

But I did have to run this step from the geekpete link.

openssl rsa -in yourwebsite_private.key -out pem-yourwebsite_private.key
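
As an added example (not part of the original posts): a check to run before pasting a private key into the ELB "Private Key" field, which reports whether the file is encrypted or was damaged in transit, the two causes the posts above arrive at. The function name `pem_key_state` and the sample key body are constructed for illustration.

```shell
# Prints one of: plain | encrypted | damaged
pem_key_state() {
  body=$(tr -d '\r' < "$1")   # drop CRs added by mail clients and Windows editors
  first=$(printf '%s\n' "$body" | awk 'NF {print; exit}')
  last=$(printf '%s\n' "$body" | awk 'NF {l=$0} END {print l}')

  # The file must open with a BEGIN line and close with the matching END line.
  case $first in
    "-----BEGIN "*"PRIVATE KEY-----") ;;
    *) echo damaged; return 0 ;;
  esac
  want_end=$(printf '%s\n' "$first" | sed 's/BEGIN/END/')
  [ "$last" = "$want_end" ] || { echo damaged; return 0; }

  # PKCS#8 encrypted keys say so in the label; traditional-format keys
  # carry a Proc-Type header line instead.
  case $first in
    *"ENCRYPTED PRIVATE KEY-----") echo encrypted; return 0 ;;
  esac
  if printf '%s\n' "$body" | grep -q '^Proc-Type: 4,ENCRYPTED'; then
    echo encrypted; return 0
  fi

  # Body lines must be pure base64; quoting marks or stray spaces break parsing.
  if printf '%s\n' "$body" | grep -v '^-----' | grep -qv '^[A-Za-z0-9+/=]*$'; then
    echo damaged; return 0
  fi
  echo plain
}

# Constructed sample (placeholder body, not a real key): the traditional
# encrypted layout that older OpenSSL releases write for `genrsa -des3`.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgQk9EWQ==
-----END RSA PRIVATE KEY-----
EOF
pem_key_state "$sample"   # prints: encrypted
rm -f "$sample"
```

A `plain` result only means the PEM framing is intact and unencrypted; it does not show that the key belongs to the certificate.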
