Amazon ELB – How to Install a Thawte SSL Certificate


Here's my situation. We've generated an SSL certificate from Thawte for a site we're hosting on EC2. We have our servers load balanced using Elastic Load Balancer.

Thawte gives us one PKCS signed certificate. When I go to the Amazon console to generate a new load balancer so that I can attach the certificate it requires 4 fields:

Certificate Name
Private Key
Public Key
Certificate Chain

Where I'm getting confused is that we only have the 1 certificate, yet the private & public keys are expected to be different.

What's the process to complete this?

Best Answer

  1. Certificate name is your choice - it is just to identify the certificate later
  2. Private Key is the key (PEM, base-64) you generated when you created your CSR - you will copy and paste the entire file into the field, from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- (inclusive).
  3. Public Key is the PEM encoded, base-64 version of what you obtained from Thawte (X.509). Copy the contents of the X.509 into a text editor (e.g. vi), save it with a .cer extension. Use OpenSSL to display it in the needed format:

    openssl x509 -inform DER -in yourfilefromthawte.cer
    

    Copy and paste the output from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (inclusive) into the field.

  4. Certificate Chain is the Thawte CA bundle that you can download from their site. For Thawte's SSL Web Server and Wildcard certificates (may be different if you have a different certificate type), their CA bundle is available from their site. (Download the 'Bundled CA version'; it is already in PEM format. Copy and paste the entire file (both certificates) into the field.)

Check out this AWS thread for more information (although that is Verizon specific, the basic ideas apply).
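A pre-upload check for the Private Key, Public Key and Certificate Chain fields described in the answer, as an added example that is not part of the original post: it writes the certificate as PEM, confirms the private key belongs to it, and verifies it against the CA bundle. The file names and the throwaway test CA are constructed for the demo; with real files, pass your own key, the file from Thawte, and the downloaded bundle to the same functions.

```shell
#!/bin/sh
# Added example: sanity checks before pasting the PEM fields into the console.
set -eu

# Write the certificate as PEM whether the CA delivered it as PEM or DER.
to_pem() {  # to_pem <cert-in> <pem-out>
    openssl x509 -inform PEM -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -out "$2"
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kmc_key" = "$kmc_crt" ]
}

# Succeed only if the certificate verifies against the CA bundle.
chain_ok() {  # chain_ok <bundle.pem> <cert.pem>
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed fixtures (not real Thawte material): a throwaway CA as the bundle,
# a site key, a DER-encoded site certificate, and an unrelated key.
make_fixtures() {  # make_fixtures <dir>
    ( cd "$1"
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
          -subj "/CN=Constructed Test CA" -keyout ca.key -out bundle.pem
      openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
          -keyout site.key -out site.csr
      openssl x509 -req -in site.csr -CA bundle.pem -CAkey ca.key \
          -CAcreateserial -days 1 -outform DER -out site.cer
      openssl genrsa -out other.key 2048
    ) >/dev/null 2>&1
}

demo() {
    demo_dir=$(mktemp -d)
    make_fixtures "$demo_dir"
    to_pem "$demo_dir/site.cer" "$demo_dir/site.pem"
    key_matches_cert "$demo_dir/site.key" "$demo_dir/site.pem" && echo "key matches certificate"
    key_matches_cert "$demo_dir/other.key" "$demo_dir/site.pem" || echo "unrelated key rejected"
    chain_ok "$demo_dir/bundle.pem" "$demo_dir/site.pem" && echo "certificate verifies against bundle"
    rm -rf "$demo_dir"
}
demo
```

A key that fails `key_matches_cert` is the wrong key for that certificate, and a certificate that fails `chain_ok` was not issued under the bundle you downloaded.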