I've purchased an SSL certificate from GoDaddy. I've created a keystore file, generated a CSR file from it, sent it to GoDaddy, and received these files:
Now I am trying to create an Elastic Load Balancer in the AWS console. When asked for certificate details, they ask for:
How do I convert the files I have to these parameters?
On
Here is a guide on how to get a Godaddy ssl certificate working on Amazon Elastic Load Balancer (ELB) http://cloudarch.co.uk/2011/10/elastic-load-balancer-ssl-setup-guide-pem-encoded-csr/#.UKFla2nGU_8
On
For AWS ELB you need three thing as you said
Private Key
The rsa key you Generated on linux with
#openssl genrsa -des3 -out host.key 2048
it will ask for password, give it for now we will remove it later.
Public key
from your private key you first Generate csr file which is Certificate Signing Request(the one you submit to authority in your case godaddy to get public key). you can Generate csr file using
#openssl req -new -key host.key -out host.csr
now you submit your csr file to godaddy and in return they provide you two files(mydomain.crt, gd_bundle.crt). mydomain.crt is your public key.
Certificate Chain
gd_bundle.crt is certification Chain file which godaddy provides you with your public key.your public key and certification chain file don't need any conversion but for the private key file you need to remove its password and convert it into pem with
#openssl rsa -in host.key -out private.pem
and its all good to go for AWS.put private key.pem file content in aws private key section and put mydomain.crt file content in public key and put gd_bundle.crt content in certification chain Section. Conversion all depends upon from where you are getting your Certificate. if getting certificate from some other company i will recommend you to follow AWS Docs.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html
If you are using a Windows IIS server:
Private key
-----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- only.
-----BEGIN PRIVATE KEY----- and not the lines below -----END PRIVATE KEY-----Public Key
Certificate chain
On
Almost two years ago exactly, but I cam across this and it stumped me for a second.
The Certificate body* is the main key in the zip file, mine looks like this f7dsdfsdf2f4e942d.crt and has only one entry.
The middle field Certificate private key* is the ssh private key that signed your csr. It lives on the server that you user to create your csr request. I found the location of mine by looking at the nginx config file and copying to my local drive.
The last field Certificate chain is the the file with 3 entries, mine looks like gd_bundle-g2-g1.crt.
On
I recently had to go through this process and none of the answers worked for me. Here are the steps that allowed me to upload a new SSL certificate to AWS (for subsequent use in ElasticBeanstalk).
Obtaining Private Key
I had to use two commands for this process:
openssl genrsa -des3 -out server.pass.key 2048
openssl rsa -in server.pass.key -out server.key
The server.key file is your Private Key.
Additionally, you can generate the CSR (Certificate Signing Request) by doing:
openssl req -nodes -new -key server.key -out server.csr
This is the file we'll use to request GoDaddy to issue our new certificate.
Obtaining Public Key
Once the certificate has been issued in GoDaddy download it. This will give you two files which must be bundled into one by doing:
cat yourdomain.crt gd_bundle-g2-g1.crt > combined.crt
The combined.crt would be your Public Key.
Uploading server certificate to AWS
With the server.key and combined.crt file you can now upload the certificate to AWS using AWS CLI. You just have to use the following command:
aws iam upload-server-certificate --server-certificate-name your_certificate_name --certificate-body file://combined.crt --private-key file://server.key
If everything went well, you'll receive a response from the server:
{
"ServerCertificateMetadata": {
"ServerCertificateId": "ABCDEFG12345678",
"ServerCertificateName": "certificate-name",
"Expiration": "2018-08-26T11:59:38Z",
"Path": "/",
"Arn": "arn:aws:iam::1234123412:server-certificate/certificate-name",
"UploadDate": "2017-08-26T19:53:46.989Z"
}
}
And that’s it, you should have a new SSL certificate available to you in AWS.
You want to convert mydomain.crt to mydomain.pem (the other two files are chain-of-trust files). You can use openssl on any unix or linux system to generate a pem file from a crt.
Since the certificate issuer has the private key, the only reason it should be asking you for one is if it is trying to generate a certificate. If you already have a certificate it should just use it. Check the documentation