How to configure the Elastic Load Balancer to balance SSL traffic

Tags: amazon-ec2, amazon-elb, ssl, ssl-certificate, tomcat

I'm totally lost so I apologize if I'm not making sense.

I need to create a load balancer in EC2 for our application servers. I'm trying to make the ELB balance traffic over SSL (8443). However, it's asking me for an SSL certificate. It looks to be asking me for a public and private key (PEM encoded).

The servers behind the ELB have a keystore file, which our developers created using Oracle Java's keytool program. The file created is binary. It looks like the ELB is expecting a text, PEM-formatted key.

  1. Why does the ELB require me to enter a certificate? Can't the ELB just forward SSL traffic from one side to the other and let the servers handle SSL?
  2. Are the certificate and keystore file related, and must the keys match on both the ELB and the servers? The AWS documents said to create a private key and certificate using openssl. Can I just independently run openssl to create an SSL certificate for the load balancer and leave the keystore file on the servers alone?

Thanks in advance for your help.

Best Answer

The advantage of doing SSL termination on your load balancer is that you relieve your back-end nodes of having to perform SSL encryption/decryption.

As such, just deploy your SSL private key and signed cert to the ELB. That will take care of SSL termination, and can then proxy traffic unencrypted to your back-end instances. If you want traffic between the ELB and your back-end instances to be encrypted, that's fine, but you will still need the ELB to have your private key and signed cert.

In regards to getting your certificates and keys out of the Java keystore, that's certainly possible. This Q&A over on Stack Overflow has the details.
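The keystore-to-PEM conversion the answer points at, written out as an added example; it is not part of the original answer or of the Stack Overflow thread it links. keytool cannot write a PEM private key, so the route is JKS to PKCS12 (keytool), PKCS12 to PEM (openssl), a check that the key and certificate actually belong together, and then the upload to a classic ELB listener. The keystore name server.jks, the alias tomcat, the STOREPASS variable, the certificate and ELB names, and the use of the AWS CLI (the page only mentions "the AWS documents") are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions (not in the
# page): keystore server.jks with alias "tomcat", keystore password in
# $STOREPASS, keytool (JDK) and openssl on PATH, AWS CLI credentials for
# the final upload step. Output: server-key.pem, server-cert.pem, chain.pem.
set -eu

STOREPASS="${STOREPASS:-changeit}"       # assumed; set to the real password
KEYSTORE="${KEYSTORE:-server.jks}"       # assumed keystore file name
ALIAS="${ALIAS:-tomcat}"                 # assumed key alias inside the JKS
CERT_NAME="${CERT_NAME:-app-servers}"    # assumed IAM server certificate name
ELB_NAME="${ELB_NAME:-app-elb}"          # assumed load balancer name

# Step 1: keytool only exports certificates as text, never private keys,
# so copy the alias into a PKCS12 container that openssl can read.
jks_to_pkcs12() {
  keytool -importkeystore \
    -srckeystore "$KEYSTORE" -srcstoretype JKS -srcstorepass "$STOREPASS" \
    -srcalias "$ALIAS" \
    -destkeystore server.p12 -deststoretype PKCS12 -deststorepass "$STOREPASS"
}

# Step 2: split the PKCS12 into the three PEM pieces the ELB upload wants:
# an unencrypted private key (-nodes), the leaf cert, and any CA chain.
pkcs12_to_pem() {
  openssl pkcs12 -in server.p12 -passin "pass:$STOREPASS" -nocerts -nodes -out server-key.pem
  openssl pkcs12 -in server.p12 -passin "pass:$STOREPASS" -clcerts -nokeys -out server-cert.pem
  openssl pkcs12 -in server.p12 -passin "pass:$STOREPASS" -cacerts -nokeys -out chain.pem
  chmod 600 server-key.pem   # the key is now plaintext on disk; protect it
}

# Step 3 (the check): the key and certificate handed to the ELB must be a
# pair. Compare the public key derived from each; a mismatch means the
# upload is rejected or every TLS handshake fails.
key_matches_cert() {   # usage: key_matches_cert KEY.pem CERT.pem
  _k=$(openssl pkey -in "$1" -pubout -outform PEM | openssl sha256)
  _c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$_k" = "$_c" ]
}

# Pure-shell sanity check that a file carries a PEM block of the given type
# (e.g. "PRIVATE KEY" matches both PKCS#8 and "RSA PRIVATE KEY" headers).
pem_has_block() {      # usage: pem_has_block FILE "PRIVATE KEY"|CERTIFICATE
  grep -q -e "^-----BEGIN .*$2-----" "$1" && grep -q -e "^-----END .*$2-----" "$1"
}

# Step 4: upload the pair to IAM and attach it to an HTTPS listener on 443
# that still talks HTTPS to the instances on 8443, so the ELB terminates
# the client's TLS and re-encrypts towards the back end. The instances keep
# their own keystore; nothing about it has to match the ELB's key.
upload_to_elb() {
  _chain=""
  if [ -s chain.pem ]; then _chain="--certificate-chain file://chain.pem"; fi
  _arn=$(aws iam upload-server-certificate \
    --server-certificate-name "$CERT_NAME" \
    --certificate-body file://server-cert.pem \
    --private-key file://server-key.pem $_chain \
    --query ServerCertificateMetadata.Arn --output text)
  aws elb create-load-balancer-listeners --load-balancer-name "$ELB_NAME" \
    --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTPS,InstancePort=8443,SSLCertificateId=$_arn"
}

main() {
  jks_to_pkcs12
  pkcs12_to_pem
  pem_has_block server-key.pem "PRIVATE KEY"
  pem_has_block server-cert.pem CERTIFICATE
  key_matches_cert server-key.pem server-cert.pem || { echo "key/cert mismatch" >&2; exit 1; }
  upload_to_elb
}

# Only run the conversion when the assumed keystore is actually present.
if [ -f "$KEYSTORE" ]; then main; fi
```

Two caveats worth knowing before running it: the private key written by `openssl pkcs12 -nodes` is PKCS#8 (`BEGIN PRIVATE KEY`); if the IAM upload rejects it, rewrite it as PKCS#1 with `openssl rsa -in server-key.pem -out server-key.pem` (add `-traditional` on OpenSSL 3). And `server.p12` and `server-key.pem` are the unencrypted secret at this point; delete the PKCS12 file and keep the key off any shared filesystem once the upload has succeeded.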