Registering SSL Certificate with Amazon Elastic Load Balancer

Amazon Elastic Load Balancer (ELB) allows SSL termination. This means the traffic between the client and you is secure and encrypted while your servers are still serving non-SSL traffic up to the Load Balancer.

This frees up the load on your servers while keeping the connection secure. The AWS control panel has improved a lot since this feature was introduced to AWS but adding an SSL certificate you just got from your Certificate Authority (CA) is still a tiny amount of work.

Here is how to do it:

  1. Prepare a CSR.
  2. Buy the certificate
  3. Remove passphrase from your private key
  4. Upload it to your ELB

Prepare a CSR

A CSR is needed by a CA to issue the certificate. You can generate one like this:

openssl genrsa -des3 -out wild_mydomain_com.key 2048

We are going to generate a wildcard SSL certificate which works with any subdomain on our site, like www.mydomain.com and mail.mydomain.com.

Here you will need to enter a passphrase. Remember it!

To generate a wildcard certificate, use *.mydomain.com as your common name. Don't use email or optional organisation name.

Buy the certificate

This is the part where you upload the generated file (wild_mydomain_com.key) to your favourite CA (we use RapidSSL) and wait!

Remove the passphrase from the private key

ELB doesnt support passphrase protected keys so you need to remove the passphrase:

openssl rsa -in wild_mydomain_com.key -out wild_mydomain_com.nopass.key

Enter the private key passphrase when asked.

Upload the certificate into AWS

You can do this either using the AWS control panel or the following command lines (requires AWS command line tools installed)

iam-servercertupload -b wild_mydomain_com.crt -k wild_mydomain_com.nopass.key -s wild_mydomain_com

Note: Some Certificate Authorities (like RapidSSL) are not root CAs by some browsers. The root CA in this case is GeoTrust for example. This means you’d have to also upload the intermediate certificate as well. For this use the -c parameter.

You can now associate this certificate to your ELB using the AWS control panel for ELB (HTTPS protocol settings).

To check the health of the uploaded certificate, you can do this:

iam-servercertgetattributes -s wild_mydomain_com

Happy load balancing!

Khash Sajadi

Khash is the founder and CEO of Cloud 66, a full stack container management as a service. Follow him on @khash

London, San Francisco
Subscribe and get updates

Have feedback? Please get in touch @cloud66 on Twitter.

Everything you need to build, manage and maintain containers in production on your own servers and any cloud

Try Cloud 66 — 14 Days Free Trial, No credit card required