Self-signed SSL Certificate for EC2 Load Balancer

http://www.akadia.com/services/ssh_test_certificate.html

1: Generate private key

openssl genrsa -des3 -out my_domain.key 2048
[Enter and confirm pass phrase]

2: Generate CSR

openssl req -new -key my_domain.key -out my_domain.csr

3: Remove pass phrase from key

Make sure the key is readable only by root!

cp my_domain.key my_domain.key.org
openssl rsa -in my_domain.key.org -out my_domain.key

4: Generate certificate

openssl x509 -req -days 365 -in my_domain.csr -signkey my_domain.key -out my_domain.crt

5: Get Elastic IP for Load Balancer

…And the rest is kind of based on http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/

6: Create Load Balancer

  • Go to AWS Control Panel -> EC2 Management Console -> Load Balancers
  • Create Instance
  • Set it to HTTPS (left-hand dropdown)
  • Leave it talking to EC2 instances on Port 80
  • Continue…
  • Choose Upload SSL Certificate
  • Display key text in terminal window:

openssl rsa -in my_domain.key -text

  • Copy that (Mac copy from terminal), including “Begin…End” sections; paste into text field in AWS console
  • Do the same with the certificate:

openssl x509 -inform PEM -in my_domain.crt

  • Several layers of saving…

7: Tidy up

  • Assign EC2 instances to ELB
  • Remove any elastic IPs from instances (so users can’t hit them directly)
  • Look at this AWS page – it’ll tell you how to set up a CNAME record in your DNS settings, to alias your subdomain to the ELB.
    • ELB doesn’t work with Elastic IPs – that’s because Amazon dynamically distributes the service over any number of machines.
    • So you set up a CNAME alias from sub.domain.com to my-loadbalancername-123456789.eu-west-1.elb.amazonaws.com
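
A pre-upload check for the pair produced in steps 1 to 4, as an added example that is not part of the original post: it confirms the key has no pass phrase, matches the certificate, is at least 2048 bits, is readable only by its owner, and that the certificate has not expired. The function name check_elb_pair and the throwaway demo files are assumptions made for illustration.

```shell
#!/bin/sh
# check_elb_pair KEY CRT (hypothetical helper): prints one line per problem
# found and returns non-zero if the pair should not be uploaded yet.
check_elb_pair() {
    key=$1; crt=$2; rc=0

    # Step 3 strips the pass phrase; an encrypted PEM key cannot be uploaded.
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type:.*ENCRYPTED)' "$key"; then
        echo "key is still pass-phrase protected"; return 1
    fi

    # Certificate and key must carry the same RSA modulus.
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) ||
        { echo "cannot read RSA key"; return 1; }
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null) ||
        { echo "cannot read certificate"; return 1; }
    [ "$kmod" = "$cmod" ] || { echo "certificate does not match key"; rc=1; }

    # The modulus is printed as hex, 4 bits per digit.
    hex=${kmod#Modulus=}
    bits=$(( ${#hex} * 4 ))
    [ "$bits" -ge 2048 ] || { echo "key is only $bits bits"; rc=1; }

    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -l "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key readable beyond owner ($perms)"; rc=1; }

    # -checkend 0 fails when notAfter is already in the past.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired"; rc=1; }
    return $rc
}

# Constructed demo: a throwaway pair in a temp dir, built as in steps 1-4
# (without a pass phrase so it runs unattended).
demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" && umask 077 &&
        openssl genrsa -out my_domain.key 2048 2>/dev/null &&
        openssl req -new -key my_domain.key -subj "/CN=sub.domain.com" \
            -out my_domain.csr 2>/dev/null &&
        openssl x509 -req -days 365 -in my_domain.csr -signkey my_domain.key \
            -out my_domain.crt 2>/dev/null &&
        check_elb_pair my_domain.key my_domain.crt && echo "pair OK"
    ); st=$?
    rm -rf "$d"; return $st
}
demo
```

Run it against the real files as `check_elb_pair my_domain.key my_domain.crt` before pasting them into the console in step 6.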

Boom shaka-laka.

7 thoughts on “Self-signed SSL Certificate for EC2 Load Balancer”

  1. travstoll

    Reblogged this on theStoll.com and commented:
    Good tutorial for getting SSL going on an Amazon Web Services Elastic Load Balancer. Generating a self-signed certificate saves time and money from having to purchase a certificate with your CSR from a certificate authority. Ideally though, in a production environment you will want to have a valid certificate from a well-known authority.

  2. rahul

    Thanks! Your procedure is more straightforward than AWS's. The AWS doc is pretty unclear. Keep up the good work.
