Knowledge Base

Installing a SSL certificate on Amazon Web Services (AWS)

NOTE: This article describes SSL installation process for Load Balancer from Amazon Web Services. If you use EC2 instance without Load Balancer, please refer to the official documentation written for your web server type and Operating System.

The certificate issued by the Certificate Authority should be uploaded to IAM along with the private key and certificate chain (CA Bundle). After uploading, the certificates are available for other AWS services to use.

The tool for certificate uploading is AWS command line interface (CLI).

*note: the Certificate Authority can send you the certificate in a format that is not supported by IAM. The correct format is x.509 PEM. The files with .crt extension are in PEM format, so in order to use them for certificate uploading, you can simply rename the .crt file to .pem file.

Otherwise, the certificate should be converted to the correct format using OpenSSL. The specific command depends on the current format of your certificate.

    You will need three files for uploading:

  • Your certificate in PEM format
  • Private key in PEM format
  • Certificate chain. If you received it as separate files (e.g. COMODORSADomainValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt and AddTrustExternalCARoot.crt), you can either combine them in one file using OpenSSL command or download the Bundle as one file from ZTABOX email.

The OpenSSL command to combine separate certificates into one full CA Bundle is:

cat intermediate1.crt intermediate2.crt root.crt > ssl-bundle.crt

In our example the command will look this way:

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt

You can upload all three files from the command line with one command:

aws iam upload-server-certificate --server-certificate-name certificate_object_name --certificate-body file://certificate --private-key file://privatekey.pem --certificate-chain file://certificate_chain_file

*note: when you specify a file as a parameter (for example, for the certificate-body and private-key parameters), file:// should be included as a part of the file name.

The certificate_object_name parameter is used to assign your own name to the certificate so that you can identify it further.

    When you upload your certificates, IAM validates certificates with the following criteria:

  • Certificates should be in X.509 PEM format.
  • The current date should be between the certificate's issuance and expiration date.
  • The certificate and private key files should contain only a single item meaning one certificate and one key correspondingly.
  • The private key should match the certificate.
  • The private key should be in PEM format the same as the certificate. The text of key in the correct format begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
  • The private key cannot be encrypted with a password.

Once the certificate is uploaded, you can verify the information in the IAM store. Use the following command to verify the certificate:

aws iam get-server-certificate --server-certificate-name certificate_object_name

The output will look like this:

arn:aws:iam::Your_AWS_Account_ID:server-certificate/Your_Certificate_Object_Name Certificate_Object_GUID

Your_AWS_Account_ID is a unique Amazon Resource Name (ARN) and Certificate_Object_GUID is the ID of the certificate.

The response will look this way:

arn:aws:iam::123456789012:server-certificate/certificate_object_name ADGTHexampleLKBASAH

Digits in the first line are the ARN, and the second line is the certificate ID.

If you need to update the certificate for an HTTPS load balancer, you will need to use the ARN of the certificate. The following command is used to set the certificate for the load balancer:

aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-loadbalancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/certificate_object_name

Parameter my-loadbalancer is the name of your load balancer.

For more details about creating HTTPS load balancer and setting its name, please check the following guide.