Elastic Load Balancing
Developer Guide

SSL Certificates for Elastic Load Balancing

If you use HTTPS or SSL for your front-end listener, you must deploy an SSL/TLS certificate on your load balancer. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the back-end instances.

The TLS (SSL) protocol uses an X.509 certificate (the SSL server certificate) to authenticate the server to the client: the load balancer presents the certificate during the handshake so that clients can confirm they are talking to your site rather than an impostor. An X.509 certificate is a digital form of identification issued by a certificate authority (CA) and contains identification information (the subject), a validity period, a public key, a serial number, and the digital signature of the issuer.

You can create a certificate using AWS Certificate Manager or a tool that supports the SSL and TLS protocols, such as OpenSSL. You will specify this certificate when you create or update an HTTPS listener for your load balancer.

Creating an SSL Certificate Using AWS Certificate Manager

You can use AWS Certificate Manager (ACM) to request and manage certificates. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. To deploy a certificate on your load balancer, the certificate must be in the same region as the load balancer.

To allow an IAM user to deploy the certificate on your load balancer using the AWS Management Console, you must grant access to the ListCertificates API action. For more information, see Listing Certificates in the AWS Certificate Manager User Guide.

For more information, see Request a Certificate in the AWS Certificate Manager User Guide.

Creating an SSL Certificate Using SSL/TLS Tools

Before you can deploy a certificate on your load balancer, you must create the certificate, get the certificate signed by a CA, and then upload the certificate using the AWS Identity and Access Management (IAM) service, which manages SSL certificates that are not created using AWS Certificate Manager. By default, IAM allows 20 server certificates per AWS account. For more information about this limit and how to request an increase, see Limitations on IAM Entities in the IAM User Guide.

Prerequisite: Install Certificate Tools

Creating a server certificate requires a tool that supports the SSL and TLS protocols.

Linux

OpenSSL is an open-source tool that provides extensive cryptographic functions. To check whether this tool is already installed, run openssl version. If OpenSSL is not installed, you must install it. For more information, see the documentation for your Linux distribution.

Windows

There are several tools that you can use, such as IIS Manager, SelfSSL, OpenSSL, or the Windows PowerShell PKI cmdlets. If you don't have one of these tools already, select a tool and install it.

Step 1: Create a Server Certificate

To create an SSL server certificate, you must generate an RSA private key and create a Certificate Signing Request (CSR). Next, either have your certificate signed by a Certificate Authority (CA), or generate a self-signed certificate so that you can test your SSL implementation while waiting for the CA to sign your certificate. Follow the directions for the tool that you are using. In this example, we provide directions for OpenSSL, and pointers to directions for IIS Manager.

To create a server certificate using OpenSSL

  1. Create a private key and store it securely (for example, readable only by its owner and never checked into source control). There is no way to recover the key if you lose it, and anyone who obtains it can impersonate your load balancer.

    Private keys are created using standard key algorithms. Choose the algorithm based on the ciphers that you plan to use when negotiating SSL connections from the client to your load balancer.

    RSA-based Ciphers

    Use the following genrsa command. AWS accepts RSA keys of 1024, 2048, and 4096 bits, but we recommend 2048 bits: 1024-bit RSA is considered too weak today and public CAs no longer sign such keys, while 4096-bit keys make every handshake noticeably more expensive for the load balancer.

    openssl genrsa -out my-private-key.pem 2048

    ECDHE-ECDSA-based Ciphers

    Use the following ecparam command. The -noout option omits the EC PARAMETERS block that ecparam otherwise writes ahead of the key; IAM does not accept key files that contain that block.

    openssl ecparam -name prime256v1 -genkey -noout -out my-private-key.pem
  2. Create a CSR using the following req command:

    openssl req -sha256 -new -key my-private-key.pem -out csr.pem

    The command runs interactively, prompting you to enter the following information:

    Country Name

    The two-letter ISO code for your country. For example, US.

    State or Province Name

    The full name of the state or province where your organization is located. Do not use an abbreviation.

    Locality Name

    The name of the city where your organization is located.

    Organization Name

    The full legal name of your organization.

    Organizational Unit Name

    (Optional) Additional information, such as a product name or division.

    Common Name

    The fully qualified domain name that clients use to reach your site, that is, the name whose DNS CNAME points at the load balancer's DNS name. It must match exactly what clients connect to; for example, www.mycompany.com, mycompany.com, or the wildcard *.mycompany.com. Modern browsers match the host name against the certificate's Subject Alternative Name extension rather than the Common Name, so make sure the CA includes every name you need there as well.

    Email Address

    The server administrator's email address.

  3. You can either apply to have your certificate signed by a CA, or generate a self-signed certificate to use for testing purposes.

    • To apply for a server certificate, send your CSR to a CA. Your CSR contains information that identifies you; the CA might require other credentials or proof of identity. Upon success, the CA returns a digitally signed public (identity) certificate and possibly one or more chain certificates. AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.

    • To create a self-signed certificate, use the following command:

      openssl x509 -req -days 365 -in csr.pem -signkey my-private-key.pem -out my-certificate.pem
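The three steps above (key, CSR, signing) are normally scripted rather than answered at prompts. The following script is an added example, not code from the AWS guide: it generates the key for either cipher family, writes a CSR whose subject comes from -subj and whose host names also go into the subjectAltName extension, and prints the names the CA will see so you can review them before sending the CSR. It goes beyond the guide in two ways: it accepts several host names at once, and it passes -noout to ecparam so the EC key needs no hand editing before upload. OpenSSL 1.0.2 or later is assumed; the subject fields and www.mycompany.com are placeholders.

```shell
#!/bin/sh
# Added example, not code from the AWS guide: non-interactive key + CSR generation for
# Step 1. Assumes OpenSSL 1.0.2 or later; subject fields and host names are placeholders.
set -u

# make_csr rsa|ec <outdir> <fqdn> [more fqdns...]
# Writes <outdir>/my-private-key.pem and <outdir>/csr.pem. The first name becomes the
# Common Name; every name is also placed in the subjectAltName extension, which is what
# browsers actually match against (the CN alone is no longer enough).
make_csr() {
  algo=$1; out=$2; shift 2
  cn=$1
  san=""
  for name in "$@"; do san="${san:+$san, }DNS:$name"; done
  case $algo in
    rsa) openssl genrsa -out "$out/my-private-key.pem" 2048 2>/dev/null ;;
    # -noout drops the "EC PARAMETERS" block that IAM rejects, so nothing has to be deleted by hand
    ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$out/my-private-key.pem" ;;
    *)   echo "usage: make_csr rsa|ec <outdir> <fqdn>..." >&2; return 1 ;;
  esac
  chmod 600 "$out/my-private-key.pem"   # the key must never be world-readable
  # Minimal req(1) config: the subject comes from -subj, the SAN list from the [san] section.
  cat >"$out/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
[dn]
[san]
subjectAltName = $san
EOF
  openssl req -new -sha256 -key "$out/my-private-key.pem" -config "$out/csr.cnf" \
    -subj "/C=US/ST=Washington/L=Seattle/O=My Company/CN=$cn" -out "$out/csr.pem"
}

# csr_names <csr>: checks the CSR's self-signature, then prints the CN followed by each
# DNS name in the SAN extension, one per line. Review this output before sending the CSR.
csr_names() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
  openssl req -in "$1" -noout -text | sed -n 's/^ *DNS://p' | tr ',' '\n' | sed 's/^ *DNS://; s/^ *//'
}

# Run as: sh make-csr.sh ec ./out www.mycompany.com mycompany.com
if [ $# -ge 3 ]; then make_csr "$@" && csr_names "$2/csr.pem"; fi
```

The CSR carries only what the CA needs; the CA decides the final validity period and signs with its own key, so nothing in the script depends on which CA you choose. For a self-signed test certificate, feed the resulting csr.pem and key to the openssl x509 -req command shown above.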

To create a server certificate using IIS Manager

For information about using IIS Manager to create a certificate, see Request an Internet Server Certificate or Create a Self-Signed Server Certificate in the Microsoft TechNet Library.

Step 2: Upload the Certificate

Typically the certificate authority (CA) sends you a public certificate, one or more intermediate certificates, and a root certificate. The intermediate certificates and the root certificate can come bundled in a file or as separate files. The file names may vary depending on the type of SSL certificate you purchase and the certificate authority. Your public certificate is the domain-specific file.

Prerequisites

  • The private key must be created using the algorithm based on the ciphers you plan to use for negotiating SSL connections and must be in PEM format.

    RSA-based Ciphers

    Use the following command to write a PEM copy of a private key generated for RSA-based ciphers (add -inform DER if the key is in binary DER form):

    openssl rsa -in my-private-key -outform PEM -out my-private-key.pem

    ECDHE-ECDSA-based Ciphers

    Use the following command to write a PEM copy of a private key generated for ECDHE-ECDSA-based ciphers (again, add -inform DER for a binary key):

    openssl ec -in my-private-key -outform PEM -out my-private-key.pem

    Note

    If the key file contains the lines "-----BEGIN EC PARAMETERS-----" and "-----END EC PARAMETERS-----" (openssl ecparam writes them unless you pass -noout), delete those two lines and the line between them before uploading the key to IAM. The file must start with the "-----BEGIN EC PRIVATE KEY-----" line.

  • The private key cannot be encrypted with a password. If yours is, write an unencrypted copy with openssl rsa or openssl ec (they prompt for the passphrase) and upload that copy; keep the copy readable only by the account that performs the upload.

  • When you receive your server certificate from the CA, the files might not be in the PEM format that IAM requires (for example, a binary .der or .cer file, or a PKCS#7 .p7b bundle, which openssl pkcs7 -print_certs can expand into PEM certificates).

    • Use the following command to convert a DER-encoded server certificate. If the file is already PEM, replace -inform DER with -inform PEM; the command then simply re-emits a clean PEM copy:

      openssl x509 -inform DER -in my-certificate -outform PEM -out my-certificate.pem
    • openssl x509 reads only the first certificate in a file, so convert each intermediate (and root) certificate the same way and then concatenate the results into your chain file in the order described below:

      openssl x509 -inform DER -in my-intermediate-certificate -outform PEM -out my-intermediate-certificate.pem
  • The current date must be between the certificate's start (notBefore) and end (notAfter) dates.

  • The certificate body file must contain exactly one certificate, and the private key file exactly one key.

  • The private key must match the public key in the certificate.

  • The certificate chain must include all of your CA's intermediate certificates that lead to the root certificate, and can optionally end with your CA's root certificate. Typically the CA provides the intermediate and root certificates in a bundled file in the proper chained order; if not, the order should be documented by the CA. Although the root certificate is optional, including it lets you run a full chain-of-trust verification with an external checker, such as SSL Checker.

    If a certificate bundle is not available, or not available in the required order, you can create your own certificate chain file from the intermediate certificates, as shown in Example Certificate Chain.
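IAM's validation errors rarely say which prerequisite failed, so it is worth applying the list above locally first. The following script is an added example, not part of the AWS guide: check_bundle applies each prerequisite (PEM and unencrypted key with no EC PARAMETERS block, a single unexpired certificate, key matching the certificate, chain starting with the issuer and verifying), and make_test_pki builds a constructed, throwaway root, intermediate and leaf so the checks can be exercised offline, including the mis-ordered chain and EC PARAMETERS cases. It assumes openssl 1.0.2 or later; verify's -partial_chain option lets a chain that stops at an intermediate pass, since IAM does not require the root.

```shell
#!/bin/sh
# Added example, not code from the AWS guide: apply the Step 2 prerequisites to a key,
# certificate and chain before calling aws iam upload-server-certificate, so a problem is
# reported in plain words instead of IAM's terse validation error.
# Needs only openssl(1), 1.0.2 or later (for verify -partial_chain).
set -u

fail() { printf 'FAIL: %s\n' "$1" >&2; return 1; }

# Private key: PEM, not password-protected, no EC PARAMETERS block, and parseable.
check_key() {
  key=$1
  grep -q -- '-----BEGIN' "$key" || { fail "$key: not PEM; convert it with openssl rsa/ec -outform PEM"; return 1; }
  if grep -q 'ENCRYPTED' "$key"; then fail "$key: password-protected; IAM needs an unencrypted key"; return 1; fi
  if grep -q 'BEGIN EC PARAMETERS' "$key"; then
    fail "$key: delete the EC PARAMETERS block (or regenerate with ecparam -noout)"; return 1
  fi
  openssl pkey -in "$key" -noout 2>/dev/null || { fail "$key: does not parse as a private key"; return 1; }
}

# Certificate body: exactly one certificate, parseable, and not expired.
check_cert() {
  cert=$1
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
  [ "$n" -eq 1 ] || { fail "$cert: must hold exactly one certificate, found $n"; return 1; }
  openssl x509 -in "$cert" -noout 2>/dev/null || { fail "$cert: does not parse as a certificate"; return 1; }
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { fail "$cert: expired"; return 1; }
}

# The key must belong to the certificate: compare the public halves (works for RSA and EC).
check_key_matches() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] ||
    { fail "$1 does not match the public key in $2"; return 1; }
}

# Chain: must start with the certificate's issuer (openssl x509 reads only the first PEM
# block) and every link must verify. -partial_chain accepts a chain that stops at an
# intermediate, because the root is optional for IAM. verify also rejects not-yet-valid dates.
check_chain() {
  cert=$1; chain=$2
  issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer=//')
  first=$(openssl x509 -in "$chain" -noout -subject | sed 's/^subject=//')
  [ "$issuer" = "$first" ] ||
    { fail "$chain must start with the issuer of $cert ($issuer), found: $first"; return 1; }
  openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
    { fail "$chain does not verify $cert (wrong intermediates, or a date outside the validity period)"; return 1; }
}

# check_bundle <key> <cert> [chain]: omit the chain for a self-signed certificate.
check_bundle() {
  check_key "$1" && check_cert "$2" && check_key_matches "$1" "$2" || return 1
  if [ $# -ge 3 ]; then check_chain "$2" "$3" || return 1; fi
  echo "OK: $2 is ready for aws iam upload-server-certificate"
}

# Constructed fixture (never upload it): a throwaway root -> intermediate -> leaf PKI, a
# deliberately mis-ordered chain, and an EC key with the parameters block the guide warns
# about, so every check can be exercised offline.
make_test_pki() {
  d=$1
  cat >"$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.mycompany.com
EOF
  openssl genrsa -out "$d/root.key" 2048 2>/dev/null
  openssl genrsa -out "$d/int.key" 2048 2>/dev/null
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key"
  openssl ecparam -name prime256v1 -genkey -out "$d/leaf-with-params.key"   # without -noout: must be rejected
  openssl req -x509 -new -key "$d/root.key" -subj "/CN=Test Root" -days 2 \
    -config "$d/ext.cnf" -extensions ca_ext -out "$d/root.pem"
  openssl req -new -key "$d/int.key" -subj "/CN=Test Intermediate" -config "$d/ext.cnf" -out "$d/int.csr"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 2 \
    -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
  openssl req -new -key "$d/leaf.key" -subj "/CN=www.mycompany.com" -config "$d/ext.cnf" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 1 \
    -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
  cat "$d/int.pem" "$d/root.pem" >"$d/chain.pem"            # intermediate first, then the optional root
  cat "$d/root.pem" "$d/int.pem" >"$d/chain-reversed.pem"   # wrong order: must be rejected
}

# Run as: sh elb-cert-check.sh my-private-key.pem my-certificate.pem [my-certificate-chain.pem]
if [ $# -ge 2 ]; then check_bundle "$@"; fi
```

An OK line means the files satisfy the prerequisites listed above, not that a public CA trusts the certificate; the chain check only proves that the intermediates you bundled link your certificate together, in the order IAM expects.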

Uploading the Server Certificate

After you have your certificate files in PEM format, use the following upload-server-certificate command to upload them:

aws iam upload-server-certificate --server-certificate-name my-server-certificate \
    --certificate-body file://my-certificate.pem --private-key file://my-private-key.pem \
    --certificate-chain file://my-certificate-chain.pem

Note that if you are uploading a self-signed certificate, you do not need to specify a certificate chain.

When you upload your certificates, IAM validates them. If you get an error, ensure that your files meet the prerequisites and then try uploading them again.

The following are examples of the server certificates, private keys, and certificate chains accepted by IAM.

Example Server Certificate

The server certificate associates your public key with your identity. When you submit your CSR to a certificate authority (CA), the CA returns a server certificate.

-----BEGIN CERTIFICATE-----
Base64-encoded server certificate
-----END CERTIFICATE-----

Example RSA Private Key

The private key is the secret half of your key pair. The load balancer uses it during the TLS handshake to prove that it owns the public key in the certificate (and, with RSA key exchange, to decrypt the pre-master secret sent by the client). Anyone who obtains the private key can impersonate your site, so protect it accordingly.

-----BEGIN RSA PRIVATE KEY-----
Base64-encoded RSA private key
-----END RSA PRIVATE KEY-----

Example Certificate Chain

The certificate chain lets a browser build a path from your server certificate, through the intermediate certificates, to a root certificate that it already trusts. Only when that path verifies does the browser trust your certificate.

The certificate chain includes the intermediate certificates and optionally the root certificate, one after the other without any blank lines, as shown in the following example. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Do not include any intermediaries that are not in the chain of trust path.

-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----

Step 3: Verify the Server Certificate

After the server certificate is uploaded, you can verify that the information is stored in IAM. Each certificate object has a unique Amazon Resource Name (ARN) and ID.

Use the following get-server-certificate command to verify the certificate object:

aws iam get-server-certificate --server-certificate-name my-server-certificate

The response is a JSON document. Its ServerCertificateMetadata object includes the certificate's Arn and ServerCertificateId, whose values look like the following (the ARN first, then the ID):

arn:aws:iam::123456789012:server-certificate/my-server-certificate
ASCACexampleKEZUQ4K