Amazon Elastic Load Balancer (ELB) supports SSL termination: the connection between the client and the load balancer is encrypted, while the instances behind it can keep serving plain HTTP to the ELB. Bear in mind that the ELB-to-instance hop is then cleartext inside your network; if that leg needs protecting too, ELB can also be configured to speak HTTPS to the backends.
This takes the TLS work off your servers while keeping the client connection secure. The AWS control panel has improved a lot since this feature was introduced, but getting a certificate you just received from your Certificate Authority (CA) onto an ELB still takes a little work.
Here is how to do it:
- Generate a private key and a CSR.
- Buy the certificate.
- Remove the passphrase from your private key.
- Upload the certificate (and chain) and attach it to your ELB.
Prepare a CSR
A CSR (Certificate Signing Request) is what the CA needs in order to issue the certificate. The CSR is signed with your private key, so generate the key first:
openssl genrsa -des3 -out wild_mydomain_com.key 2048
We are going to request a wildcard certificate, which covers any first-level subdomain of our site, such as www.mydomain.com and mail.mydomain.com.
openssl will ask for a passphrase to encrypt the key. Remember it!
Then create the CSR from that key (openssl's req subcommand with -new). When prompted, use *.mydomain.com as the Common Name, and leave the optional email address, challenge password and optional company name empty.
Buy the certificate
This is the part where you submit the CSR (wild_mydomain_com.csr, never the .key file: the private key stays on your machine) to your favourite CA (we use RapidSSL) and wait!
Remove the passphrase from the private key
ELB doesn't support passphrase-protected keys, so you need to remove the passphrase:
openssl rsa -in wild_mydomain_com.key -out wild_mydomain_com.nopass.key
Enter the private key passphrase when asked. The resulting file is an unprotected private key: keep it readable by you only, and delete it once the upload is done.
Upload the certificate into AWS
You can do this either from the AWS control panel or with the IAM command line tools (the legacy iam-* scripts; the same operation exists in today's AWS CLI as aws iam upload-server-certificate):
iam-servercertupload -b wild_mydomain_com.crt -k wild_mydomain_com.nopass.key -s wild_mydomain_com
Note: certificates from some CAs (RapidSSL among them) are not signed directly by a root that browsers trust, but by an intermediate CA; for RapidSSL the root is GeoTrust. In that case you must also upload the intermediate certificate(s), so that the ELB sends the full chain to clients; without it some clients will fail to validate the certificate. Use the -c parameter for this.
You can now associate this certificate with your ELB using the AWS control panel for ELB (HTTPS protocol settings).
To check that the certificate was uploaded correctly, run:
iam-servercertgetattributes -s wild_mydomain_com
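The complete flow from key to upload, as an added example that is not part of the original post: it generates the passphrase-protected key and the CSR, strips the passphrase, and runs the sanity checks you want before touching AWS (key really unencrypted, key matches certificate, chain validates). The CA's part is simulated by self-signing the CSR so the script runs offline; the domain, subject fields, file names and IAM certificate name are illustrative, and openssl is assumed to be installed. The final upload uses the current AWS CLI (aws iam upload-server-certificate) rather than the legacy iam-servercertupload shown above, and needs credentials, so the demo does not call it.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CSR -> strip passphrase -> checks -> upload.
# Assumes openssl is installed. Domain, subject fields, file names and IAM name are illustrative.
set -eu

DOMAIN="mydomain.com"
BASE="wild_mydomain_com"

# Step 1a: passphrase-protected 2048-bit RSA key, as in the post. -passout is used only so the
# example runs unattended; interactively, leave it out and type the passphrase at the prompt.
gen_key() { # $1 = key file, $2 = passphrase
  openssl genrsa -des3 -passout "pass:$2" -out "$1" 2048 2>/dev/null
  chmod 600 "$1"
}

# Step 1b: the CSR, which is what the CA receives. -subj replaces the interactive prompts:
# CN is the wildcard name, and the optional email/challenge password fields stay empty.
gen_csr() { # $1 = key file, $2 = passphrase, $3 = CSR file
  openssl req -new -key "$1" -passin "pass:$2" \
    -subj "/C=GB/ST=London/L=London/O=Example Ltd/CN=*.$DOMAIN" -out "$3"
  openssl req -noout -verify -in "$3" >/dev/null 2>&1   # the CSR's own signature must check out
}

# Step 3: strip the passphrase (ELB cannot type one); the file is created owner-readable only.
strip_passphrase() { # $1 = encrypted key, $2 = passphrase, $3 = output key
  (umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null)
}

# True only for an unencrypted PEM key: both the legacy "Proc-Type: 4,ENCRYPTED" header and
# the PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" marker contain this word.
key_is_unencrypted() { # $1 = key file
  ! grep -q ENCRYPTED "$1"
}

# True only if the certificate's public key belongs to this private key (modulus compare).
# An encrypted key fails here as well, because "-passin pass:" supplies an empty passphrase.
key_matches_cert() { # $1 = key file, $2 = certificate file
  k=$(openssl rsa -noout -modulus -passin pass: -in "$1" 2>/dev/null | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
  [ "$k" = "$c" ]
}

# True only if the leaf certificate validates against the intermediate/root bundle you intend
# to upload as the chain (-c for iam-servercertupload, --certificate-chain below).
chain_verifies() { # $1 = certificate, $2 = chain bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 4: the upload with the current AWS CLI. Needs credentials, so the demo does not call it.
upload_to_iam() { # $1 = IAM certificate name, $2 = cert, $3 = unencrypted key, $4 = chain bundle
  aws iam upload-server-certificate \
    --server-certificate-name "$1" \
    --certificate-body "file://$2" \
    --private-key "file://$3" \
    --certificate-chain "file://$4"
}

# Offline walk-through. The CA's part (step 2) is simulated by self-signing the CSR, so the
# "chain" is the certificate itself; with a real RapidSSL certificate the bundle would be the
# GeoTrust intermediate. Returns 0 only when every pre-upload check passes.
demo() { # $1 = working directory
  dir="$1"; pass="correct horse battery staple"   # constructed passphrase for the demo
  gen_key "$dir/$BASE.key" "$pass"
  gen_csr "$dir/$BASE.key" "$pass" "$dir/$BASE.csr"
  strip_passphrase "$dir/$BASE.key" "$pass" "$dir/$BASE.nopass.key"
  openssl x509 -req -sha256 -days 1 -in "$dir/$BASE.csr" \
    -signkey "$dir/$BASE.nopass.key" -out "$dir/$BASE.crt" 2>/dev/null   # stand-in for the CA
  key_is_unencrypted "$dir/$BASE.nopass.key" \
    && key_matches_cert "$dir/$BASE.nopass.key" "$dir/$BASE.crt" \
    && chain_verifies "$dir/$BASE.crt" "$dir/$BASE.crt"
}
```

Run demo against a scratch directory to see the checks pass, then call upload_to_iam with the real certificate and the CA's intermediate bundle in place of the self-signed stand-in. Two things worth knowing: the key/certificate modulus comparison is the check that catches the classic mistake of uploading a certificate issued for a different CSR, and current OpenSSL (3.x) writes the unencrypted key in PKCS#8 form (BEGIN PRIVATE KEY); if you need the older BEGIN RSA PRIVATE KEY form, add -traditional to the openssl rsa call (OpenSSL 3 only).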
Happy load balancing!