How to rotate an SSL Certificate as requested by AWS

amazon-elbheartbleedopensslssl-certificate

Amazon AWS sent an email today that users using Elasic Load Balancing (ELB) service with SSL certificates should "Rotate" them for precaution (Heartbleed bug).

How exactly do I rotate an ssl certificate?

AWS Original Message:
"The OpenSSL project has recently announced a security vulnerability in OpenSSL (which is used within ELB) affecting versions 1.0.1 and 1.0.2 (CVE-2014-0160). While we've mitigated the impact of this issue for the Elastic Load Balancing service, we are writing to you because you have used a custom SSL certificate with one or more of your load balancers. As a precaution, it is our recommendation that you rotate your SSL certificates as soon as possible."

Thanks a lot for the help.

Banzinho

Best Answer

I think you should check your OpenSSL version, then update it and finally generate a new SSL certificate.

Take a look at this website, you could find useful pieces of information : http://heartbleed.com/

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

In order to download the certificate, you need to use the client built into openssl like so:

echo -n | openssl s_client -connect $HOST:$PORTNUMBER -servername $SERVERNAME \
    | openssl x509 > /tmp/$SERVERNAME.cert

That will save the certificate to /tmp/$SERVERNAME.cert.

The -servername is used to select the correct certificate when multiple are presented, in the case of SNI.

You can use -showcerts if you want to download all the certificates in the chain. But if you just want to download the server certificate, there is no need to specify -showcerts. The x509 at the end will strip out the intermediate certs, you will need to use sed -n '/-----BEGIN/,/-----END/p' instead of the x509 at the end.

echo -n gives a response to the server, so that the connection is released

openssl x509 removes information about the certificate chain and connection details. This is the preferred format to import the certificate into other keystores.

Ssl – Setting Up ELB with SSL – What is Backend Authentication

The previous answer is not 100% accurate.

What back-end authentication ACTUALLY does is ensure that the public-key your backend server reports (when ELB is talking to your server over HTTPS/SSL) matches a public key you provide. This would prevent somebody from attaching a malicious server to your ELB, or mitigate somebody hijacking the traffic between ELB and your servers.

Back-end authentication does NOT take into account whether or not the client (a browser for example) is communicating to your ELB over HTTPS/SSL. You can have an ELB communicate to a client over HTTP, while communicating to your backend servers over HTTPS/SSL with backend communication. This would only ensure the communication between ELB and your server is secure, NOT if the clients connection is secure.

In summary

As long as your ELB is communicating to your backend instance over HTTPS, that traffic is encrypted, although it may be hijacked. Back-end authentication helps prevent that traffic from being hijacked.

Why would you not use back-end authentication?

Performance. With back-end authentication enabled, we've seen around a 50-70ms increase in response time when communicating through ELB (with all other HTTPS is enabled).

Best Answer

Related Solutions

SSL Certificate – How to Download SSL Certificate from a Website

Ssl – Setting Up ELB with SSL – What is Backend Authentication

Related Topic