Ssl – Wildcard SSL Certificate on Multiple ELBs in VPC

amazon-elbamazon-vpchttpssslssl-certificate

I am very new to installation of certificates and AWS itself altogether. Now, in my current infrastructure I have 3 ELBs that are in a VPC.

I have purchased a wildcard ssl certificate from COMODO through Big Rock.

What I want is that all the communication between my ELBs and the external world should be over HTTPS.

  1. How can I achieve this ?
  2. Can I install the one wild card certificate that I have on all the
    three ELBs ?
  3. Is there a better way of doing it ?
  4. Also since it is a wild card certificate that I have, I would not be
    able to use it for api.example.com but not for example.com itself
    (as per my understanding). However, what is visible to the external
    world is example.com for now (and not really api.example.com) So do
    I need to purchase another certificate for the above scenario ?
  5. Which type of certificate (I read about UCC SSL Certs
    here    )should I go with, given that I also have example.in as a
    domain as well where the same site is hosted.

Please pardon my ignorance on the matter.

Best Answer

What I want is that all the communication between my ELBs and the external world should be over HTTPS. How can I achieve this ?

Completely disabling plain HTTP is usually not on option, but can configure your webservers to (permanently) redirect any unencrypted request from http://... to https://...

Can I install the one wild card certificate that I have on all the three ELBs?

There is no technical reason why you couldn't.

Also since it is a wild card certificate that I have, I would not be able to use it for api.example.com but not for example.com itself (as per my understanding).
However, what is visible to the external world is example.com for now (and not really api.example.com) So do I need to purchase another certificate for the above scenario ?

Yes a wild-card for *.example.com is only valid for <valid_hostnames>.example.com and neither for plain/naked example.com nor *.*.example.com will work. See this Q&A for the details.

Technically it's possible to also include the plain domain with the wildcard certificate via a Subject Alternative Name extension, making the certificate valid for both *.example.com and example.com but which SSL resellers do that automatically I don't know. So you may not need another (replacement) certificate at all.

You can check with openssl x509 -in certificate.crt -text -noout which will yield something similar to when SubjectAltNames are present:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
           ....
        Subject: ..., CN=*.example.com
           ...
        X509v3 extensions:
           ...
           X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com

If that is not the case you may need another certificate to be able to use the bare domain in addition to your current wildcard. Server Name Indication (SNI) is what would be required to use two different SSL certificates and have them to work correctly on a single ELB instance.

ELB supports multiple TLS certificates using SNI -
ALB supports mutiple TLS certs using SNI
NLB now supports multiple TLS certs using SNI

Related Topic