SSL Certificates for Elastic Load Balancing
If you use HTTPS or SSL for your front-end listener, you must deploy an SSL/TLS certificate on your load balancer. The load balancer uses the certificate to terminate the connection and then decrypt requests from clients before sending them to the back-end instances.
The SSL protocol uses an X.509 certificate (SSL server certificate) to authenticate both the client and the back-end application. An X.509 certificate is a digital form of identification issued by a certificate authority (CA) and contains identification information, a validity period, a public key, a serial number, and the digital signature of the issuer.
You can create a certificate using AWS Certificate Manager or a tool that supports the SSL and TLS protocols, such as OpenSSL. You will specify this certificate when you create or update an HTTPS listener for your load balancer.
Creating an SSL Certificate Using AWS Certificate Manager
You can use AWS Certificate Manager (ACM) to request and manage certificates. ACM integrates with Elastic Load Balancing so that you can deploy the certificate on your load balancer. To deploy a certificate on your load balancer, the certificate must be in the same region as the load balancer.
To allow an IAM user to deploy the certificate on your load balancer using the AWS Management Console, you must grant access to the ListCertificates API action. For more information, see Listing Certificates in the AWS Certificate Manager User Guide.
For more information, see Request a Certificate in the AWS Certificate Manager User Guide.
Creating an SSL Certificate Using SSL/TLS Tools
Before you can deploy a certificate on your load balancer, you must create the certificate, get the certificate signed by a CA, and then upload the certificate using the AWS Identity and Access Management (IAM) service, which manages SSL certificates that are not created using AWS Certificate Manager. By default, IAM allows 20 certificates per AWS account. For more information about this limit and how to request an increase, see Limitations on IAM Entities in the IAM User Guide.
Prerequisite: Install Certificate Tools
Creating a server certificate requires a tool that supports the SSL and TLS protocols.
OpenSSL is an open-source tool that provides extensive cryptographic functions.
To check whether this tool is already installed, run
If OpenSSL is not installed, you must install it. For more information, see the documentation for your Linux distribution.
On Windows, there are several tools that you can use, such as IIS Manager, SelfSSL, OpenSSL, or Windows PowerShell cmdlets. If you don't have one of these tools already, select a tool and install it.
Step 1: Create a Server Certificate
To create an SSL server certificate, you must generate an RSA private key and create a Certificate Signing Request (CSR). Next, either have your certificate signed by a Certificate Authority (CA), or generate a self-signed certificate so that you can test your SSL implementation while waiting for the CA to sign your certificate. Follow the directions for the tool that you are using. In this example, we provide directions for OpenSSL, and pointers to directions for IIS Manager.
To create a server certificate using OpenSSL
Create a private key and save it in a secure place, because there is no way to recover your private key if you lose it.
Private keys are created using standard key algorithms. Choose the algorithm based on the ciphers that you plan to use when negotiating SSL connections from the client to your load balancer.
Use the following genrsa command. Note that AWS supports RSA keys that are 1024, 2048, and 4096 bits. However, we recommend that you specify 2048 bits.
openssl genrsa -out
Use the following ecparam command:
openssl ecparam -name prime256v1 -out
Create a CSR using the following req command:
openssl req -sha256 -new -key
The command runs interactively, prompting you to enter the following information:
- Country Name
The two-letter ISO code for your country. For example,
- State or Province Name
The full name of the state or province where your organization is located. Do not use an abbreviation.
- Locality Name
The name of the city where your organization is located.
- Organization Name
The full legal name of your organization.
- Organizational Unit Name
(Optional) Additional information, such as a product name or division.
- Common Name
The fully-qualified domain name for your CNAME. This name must be an exact match. For example,
- Email Address
The server administrator's email address.
You can either apply to have your certificate signed by a CA, or generate a self-signed certificate to use for testing purposes.
To apply for a server certificate, send your CSR to a CA. Your CSR contains information that identifies you. The CA might require other credentials or proof of identity. Upon success, the CA returns a public (identity) certificate and possibly a chain certificate that is digitally signed. AWS does not recommend a specific CA. For a partial listing of available CAs, see Third-Party Certificate Authorities.
To create a self-signed certificate, use the following command:
openssl x509 -req -days 365 -in
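The Step 1 sequence above, scripted end to end so that it can be run without interactive prompts and checked before anything is uploaded. This is an added example, not code from this page or from AWS: it assumes the openssl binary is on PATH, the subject values and www.example.com are constructed placeholders, and csr.pem and other-key.pem are file names chosen here (my-private-key.pem and my-certificate.pem are the names the page uses). Besides generating the key, CSR and self-signed test certificate, it runs the key/certificate match check that IAM enforces at upload time and shows it rejecting an unrelated key. Passing a curve uses the ecparam path instead of genrsa; -noout there keeps the EC PARAMETERS block, which IAM makes you delete by hand, out of the key file.

```python
"""Step 1 scripted: key, CSR, self-signed test certificate, plus the key/certificate
match check that IAM applies at upload. Added example; requires the openssl binary."""
import subprocess
import tempfile
from pathlib import Path

# Constructed subject: replace every value. The CN must exactly match the DNS name
# clients will connect to (a hypothetical www.example.com here).
SUBJECT = ("/C=US/ST=Washington/L=Seattle/O=Example Corp/OU=Web"
           "/CN=www.example.com/emailAddress=admin@example.com")


def openssl(*args):
    """Run one openssl subcommand, fail loudly on a non-zero exit, return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def create_server_certificate(workdir, bits=2048, days=365, subject=SUBJECT, curve=None):
    """genrsa (or ecparam) -> req -new -> x509 -req -signkey, as on the page, with -subj
    replacing the interactive prompts. Returns (key, csr, cert) paths."""
    workdir = Path(workdir)
    key, csr, cert = (workdir / n for n in ("my-private-key.pem", "csr.pem", "my-certificate.pem"))
    if curve:
        # ECDHE-ECDSA ciphers, e.g. curve="prime256v1". -noout omits the EC PARAMETERS
        # block that IAM would otherwise require you to strip from the key file.
        openssl("ecparam", "-name", curve, "-genkey", "-noout", "-out", str(key))
    else:
        openssl("genrsa", "-out", str(key), str(bits))  # AWS recommends 2048 bits
    openssl("req", "-sha256", "-new", "-key", str(key), "-subj", subject, "-out", str(csr))
    openssl("x509", "-req", "-days", str(days), "-in", str(csr),
            "-signkey", str(key), "-out", str(cert))
    return key, csr, cert


def key_matches_certificate(key_path, cert_path):
    """IAM rejects an upload whose private key does not match the certificate's public key.
    Compare the SubjectPublicKeyInfo derived from each side; works for RSA and EC keys."""
    from_key = openssl("pkey", "-in", str(key_path), "-pubout")
    from_cert = openssl("x509", "-in", str(cert_path), "-noout", "-pubkey")
    return from_key.strip() == from_cert.strip()


def certificate_subject(cert_path):
    """Subject line of the certificate, for eyeballing the CN before upload."""
    return openssl("x509", "-in", str(cert_path), "-noout", "-subject").strip()


def demo(bits=2048, curve=None):
    """Create a throwaway key pair in a temp dir, then show the match check passing for
    the right key and failing for an unrelated one (the mix-up it is meant to catch)."""
    with tempfile.TemporaryDirectory() as tmp:
        key, _csr, cert = create_server_certificate(tmp, bits=bits, curve=curve)
        other = Path(tmp) / "other-key.pem"
        openssl("genrsa", "-out", str(other), str(bits))
        return {
            "subject": certificate_subject(cert),
            "right_key_matches": key_matches_certificate(key, cert),
            "wrong_key_matches": key_matches_certificate(other, cert),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it once with the defaults for an RSA key and once with curve="prime256v1" for an EC key; in both cases only the key that produced the CSR should report a match.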
To create a server certificate using IIS Manager
Step 2: Upload the Certificate
Typically the certificate authority (CA) sends you a public certificate, one or more intermediate certificates, and a root certificate. The intermediate certificates and the root certificate can come bundled in a file or as separate files. The file names may vary depending on the type of SSL certificate you purchase and the certificate authority. Your public certificate is the domain-specific file.
The private key must be created using the algorithm based on the ciphers you plan to use for negotiating SSL connections and must be in PEM format.
Use the following command to convert a private key generated for RSA-based ciphers:
openssl rsa -in
Use the following command to convert a private key generated for ECDHE-ECDSA-based ciphers:
openssl ec -in
When you specify an ECDHE-ECDSA private key for a certificate that you will upload to IAM, you must delete the lines containing "-----BEGIN EC PARAMETERS-----" and "-----END EC PARAMETERS-----", and the line in between these lines.
The private key cannot be encrypted with a password.
When you receive your server certificate from the CA, the files might not be in the PEM format that is required by IAM.
Use the following command to convert the server certificate you received from the CA:
openssl x509 -inform PEM -in
Use the following command to convert your certificate chain:
openssl x509 -inform PEM -in
- The current date must be between the certificate's start and end dates.
- The public and private certificate files must contain a single certificate.
- The private key must match the public key in the certificate.
- The certificate chain must include all of your CA's intermediary certificates that lead to the root certificate, and can optionally end with your CA's root certificate. Typically, both intermediate and root certificates are provided by the CA in a bundled file with the proper chained order. The order of intermediate certificates should be documented by the CA. Although the root certificate is optional, you can include it so that you can run a full chain of trust verification, such as SSL Checker.
If a certificate bundle is not available or not available in the required order, you can create your own certificate chain file using the intermediary certificates, as shown in Example RSA Private Key.
Uploading the Server Certificate
After you have your certificate files in PEM format, use the following upload-server-certificate command to upload them:
aws iam upload-server-certificate --server-certificate-name
my-certificate.pem --private-key file://
my-private-key.pem --certificate-chain file://
Note that if you are uploading a self-signed certificate, you do not need to specify a certificate chain.
When you upload your certificates, IAM validates them. If you get an error, ensure that your files meet the prerequisites and then try uploading them again.
The following are examples of the server certificates, private keys, and certificate chains accepted by IAM.
The server certificate associates your public key with your identity. When you submit your CSR to a certificate authority (CA), the CA returns a server certificate.
-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgIQU306HIX4KsioTW1s2A2krTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSoAYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAxMDA4
MDAwMDAwWhcNMTMxMDA3MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxQHU2VhdHRsZTEYMBYGA1UEChQPQW1hem9uLmNv
bSBJbmMuMRowGAYDVQQDFBFpYW0uYW1hem9uYXdzLmNvbTCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEA3Xb0EGea2dB8QGEUwLcEpwvGawEkUdLZmGL1rQJZdeeN
3vaF+ZTm8Qw5Adk2Gr/RwYXtpx04xvQXmNm+9YmksHmCZdruCrW1eN/P9wBfqMMZ
X964CjVov3NrF5AuxU8jgtw0yu//C3hWnOuIVGdg76626ggOoJSaj48R2n0MnVcC
AwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgWgMEUGA1UdHwQ+MDww
OqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzItY3JsLnZlcmlzaWduLmNvbS9TVlJT
ZWN1cmVHMi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXAzAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBSl7wsRzsBBA6NKZZBIshzgVy19
RzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLnZlcmlz
aWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDovL1NWUlNlY3VyZS1HMi1haWEudmVy
aXNpZ24uY29tL1NWUlNlY3VyZUcyLmNlcjBuBggrBgEFBQcBDARiMGChXqBcMFow
WDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsHiyEF
GDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJKoZI
hvcNAQEFBQADggEBALpFBXeG782QsTtGwEE9zBcVCuKjrsl3dWK1dFiq3OP4y/Bi
ZBYEywBt8zNuYFUE25Ub/zmvmpe7p0G76tmQ8bRp/4qkJoiSesHJvFgJ1mksr3IQ
3gaE1aN2BSUIHxGLn9N4F09hYwwbeEZaCxfgBiLdEIodNwzcvGJ+2LlDWGJOGrNI
NM856xjqhJCPxYzk9buuCl1B4Kzu0CTbexz/iEgYV+DiuTxcfA4uhwMDSe0nynbn
1qiwRk450mCOnqH4ly4P4lXo02t4A/DI1I8ZNct/Qfl69a2Lf6vc9rF7BELT0e5Y
123RVWYBAZW00EXAMPLE456RVWYBAZW00EXAMPLE
-----END CERTIFICATE-----
The private key enables you to decrypt messages that are encrypted with your public key.
-----BEGIN RSA PRIVATE KEY-----
MIICiTCCAfICCQD6m7oRw0uXOjANBgkqhkiG9w
0BAQUFADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZ
WF0dGxlMQ8wDQYDVQQKEwZBbWF6b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIw
EAYDVQQDEwlUZXN0Q2lsYWMxHzAdBgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5
jb20wHhcNMTEwNDI1MjA0NTIxWhcNMTIwNDI0MjA0NTIxWjCBiDELMAkGA1UEBh
MCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdTZWF0dGxlMQ8wDQYDVQQKEwZBb
WF6b24xFDASBgNVBAsTC0lBTSBDb25zb2xlMRIwEAYDVQQDEwlUZXN0Q2lsYWMx
HzAdBgkqhkiG9w0BCQEWEG5vb25lQGFtYXpvbi5jb20wgZ8wDQYJKoZIhvcNAQE
BBQADgY0AMIGJAoGBAMaK0dn+a4GmWIWJ21uUSfwfEvySWtC2XADZ4nB+BLYgVI
k60CpiwsZ3G93vUEIO3IyNoH/f0wYK8m9TrDHudUZg3qX4waLG5M43q7Wgc/MbQ
ITxOUSQv7c7ugFFDzQGBzZswY6786m86gpEIbb3OhjZnzcvQAaRHhdlQWIMm2nr
AgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAtCu4nUhVVxYUntneD9+h8Mg9q6q+auN
KyExzyLwaxlAoo7TJHidbtS4J5iNmZgXL0FkbFFBjvSfpJIlJ00zbhNYS5f6Guo
EDmFJl0ZxBHjJnyp378OD8uTs7fLvjx79LjSTbNYiytVbZPQUQ5Yaxu2jXnimvw
3rrszlaEXAMPLE=
-----END RSA PRIVATE KEY-----
The certificate chain enables a browser to build a certificate chain to a root certificate that it trusts. As a result, the browser can implicitly trust your certificate.
The certificate chain includes the intermediate certificates and optionally the root certificate, one after the other without any blank lines, as shown in the following example. If you include the root certificate, your certificate chain must start with intermediate certificates and end with the root certificate. Use the intermediate certificates that were provided by your CA. Do not include any intermediaries that are not in the chain of trust path.
-----BEGIN CERTIFICATE-----
Intermediate certificate 2
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate certificate 1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Optional: Root certificate
-----END CERTIFICATE-----
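A checker for the textual prerequisites listed under Step 2 (validity dates, one certificate per file, no password on the key, no EC PARAMETERS block) and for the chain-assembly rules just above (intermediates then optional root, no blank lines), written as an added example that uses only the Python standard library; it is not AWS code. The sample inputs are constructed: the certificate is the first six base64 lines of the example server certificate shown earlier on this page, which is enough to reach the validity field (the rest is omitted and the signature is not checked), and the EC key body is a placeholder. The tiny ASN.1 walk reads only the fields that precede the validity period; the key-matches-certificate check still needs openssl and is not covered here.

```python
"""Pre-upload checks for the PEM files IAM accepts. Added example, standard library only."""
import base64
import re
from datetime import datetime, timezone

# Constructed sample: the first six base64 lines of the example server certificate shown
# on this page. Truncated on purpose; only the leading fields are needed for the dates.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgIQU306HIX4KsioTW1s2A2krTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSoAYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMTAxMDA4
MDAwMDAwWhcNMTMxMDA3MjM1OTU5WjBqMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
-----END CERTIFICATE-----
"""
# Constructed sample of what `openssl ecparam -genkey` writes: the EC PARAMETERS block
# (DER of the prime256v1 OID) that IAM requires you to delete, then a placeholder body.
SAMPLE_EC_KEY = """-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
PLACEHOLDER-NOT-A-REAL-KEY
-----END EC PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, base64 body) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def count_certificates(text):
    return sum(1 for label, _ in pem_blocks(text) if label == "CERTIFICATE")


def is_encrypted_key(key_pem):
    """True for PKCS#8 ENCRYPTED blocks and for legacy keys carrying a Proc-Type header."""
    return (any("ENCRYPTED" in label for label, _ in pem_blocks(key_pem))
            or "Proc-Type: 4,ENCRYPTED" in key_pem)


def strip_ec_parameters(key_pem):
    """Drop the EC PARAMETERS block, delimiters included, from an ecparam-generated key."""
    return re.sub(r"-----BEGIN EC PARAMETERS-----.*?-----END EC PARAMETERS-----\n?",
                  "", key_pem, flags=re.S)


def build_chain(intermediates, root=None):
    """Concatenate the chain with no blank lines: intermediates in the order your CA
    documents, the optional root last. Each input must hold exactly one certificate."""
    parts = list(intermediates) + ([root] if root else [])
    if any(count_certificates(p) != 1 for p in parts):
        raise ValueError("each chain input must hold exactly one certificate")
    return "".join(p.strip() + "\n" for p in parts)


def _tlv(der, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime YYMMDDHHMMSSZ; YY < 50 means 20YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                       # 0x18 is GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(cert_pem):
    """Return (notBefore, notAfter) by walking Certificate -> tbsCertificate -> validity."""
    bodies = [body for label, body in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    if len(bodies) != 1:
        raise ValueError("expected exactly one certificate")
    der = base64.b64decode(bodies[0])       # newlines in the body are ignored
    _, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version, absent in v1 certs
        pos = end
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity ::= SEQUENCE { notBefore, notAfter }
    tag, start, pos = _tlv(der, pos)
    not_before = _parse_time(tag, der[start:pos])
    tag, start, end = _tlv(der, pos)
    return not_before, _parse_time(tag, der[start:end])


def is_currently_valid(cert_pem, now=None):
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(cert_pem)
    return not_before <= now <= not_after


def check_for_upload(cert_pem, key_pem, chain_pem=None, now=None):
    """Return the list of reasons IAM would reject this upload (empty means go ahead)."""
    problems = []
    if count_certificates(cert_pem) != 1:
        problems.append("certificate body must contain exactly one certificate")
    elif not is_currently_valid(cert_pem, now):
        problems.append("current date is outside the certificate's validity period")
    if is_encrypted_key(key_pem):
        problems.append("private key must not be password protected")
    if "EC PARAMETERS" in key_pem:
        problems.append("delete the EC PARAMETERS block from the private key")
    if chain_pem is not None and "\n\n" in chain_pem.strip():
        problems.append("certificate chain must not contain blank lines")
    return problems


if __name__ == "__main__":
    for problem in check_for_upload(SAMPLE_CERT, SAMPLE_EC_KEY):
        print("reject:", problem)
```

Run against the constructed samples it reports two problems: the page's example certificate expired in October 2013, and the EC key still carries its parameters block; after strip_ec_parameters, and evaluated at a date inside the validity window, the list is empty.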
Step 3: Verify the Server Certificate
After the server certificate is uploaded, you can verify that the information is stored in IAM. Each certificate object has a unique Amazon Resource Name (ARN) and ID.
Use the following get-server-certificate command to verify the certificate object:
aws iam get-server-certificate --server-certificate-name
The following is an example response. The first line is the ARN of the server certificate and the second line is the ID.