How to install godaddy ssl certificate on AWS ELB?

Question

I've purchased an SSL certificate from GoDaddy. I've created a keystore file, generated a CSR file from it, sent it to GoDaddy, and received these files:

• mydomain.crt
• gd_intermediate.crt
• gd_bundle.crt

Now I am trying to create an Elastic Load Balancer in the AWS console. When asked for certificate details, they ask for:

• Private Key (PEM encoded)
• Public Key Certificate (PEM encoded)
• Certificate Chain (PEM encoded, optional)

How do I convert the files I have to these parameters?

Answer 1

I recently had to go through this process and none of the answers worked for me. Here are the steps that allowed me to upload a new SSL certificate to AWS (for subsequent use in ElasticBeanstalk).

Obtaining Private Key

I had to use two commands for this process:

openssl genrsa -des3 -out server.pass.key 2048
openssl rsa -in server.pass.key -out server.key

The server.key file is your Private Key.

Additionally, you can generate the CSR (Certificate Signing Request) by doing:

openssl req -nodes -new -key server.key -out server.csr

This is the file we'll use to request GoDaddy to issue our new certificate.

Obtaining Public Key

Once the certificate has been issued in GoDaddy download it. This will give you two files which must be bundled into one by doing:

cat yourdomain.crt gd_bundle-g2-g1.crt > combined.crt

The combined.crt would be your Public Key.

Uploading server certificate to AWS

With the server.key and combined.crt file you can now upload the certificate to AWS using AWS CLI. You just have to use the following command:

aws iam upload-server-certificate --server-certificate-name your_certificate_name --certificate-body file://combined.crt --private-key file://server.key

If everything went well, you'll receive a response from the server:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ABCDEFG12345678", 
        "ServerCertificateName": "certificate-name", 
        "Expiration": "2018-08-26T11:59:38Z", 
        "Path": "/", 
        "Arn": "arn:aws:iam::1234123412:server-certificate/certificate-name", 
        "UploadDate": "2017-08-26T19:53:46.989Z"
    }
}

And that’s it, you should have a new SSL certificate available to you in AWS.

Answer 2

You want to convert mydomain.crt to mydomain.pem (the other two files are chain-of-trust files). You can use openssl on any unix or linux system to generate a pem file from a crt.

Since the certificate issuer has the private key, the only reason it should be asking you for one is if it is trying to generate a certificate. If you already have a certificate it should just use it. Check the documentation

Answer 3

If you are using a Windows IIS server:

Private key

• Follow the instructions here to get your private key. Essentially (without the screen shots):
  • Run mmc.exe
  • From the File menu, choose Add/Remove Snap-in.
  • In the new window that appears, click Add.
  • Select Certificates and then click Add.
  • Choose the Computer account option and click Next.
  • Select Local Computer and then click Finish.
  • Click Close, and then click OK. The snap-in for Certificates (Local Computer) appears in the console.
  • Expand the Certificates (Local Computer) tree in the left preview panel.
  • Right-click Personal and select All Tasks > Import. The Certificate Import Wizard appears. Click Next.
  • Browse to the location of your Server Certificate file and click Next.
  • Select Place all certificates in the following store and click Next.
  • Click Finish to complete the Certificate Import Wizard.
  • A dialog box appears indicating the import was successful. Click OK.
• On the tree, expand Personal and the click Certificates. Double click your certificate.
• Click copy to file from the Details tab on the Certificate pop-up and create a .pfx file.
• Go to here to convert it to PEM format.
• Paste in the parts from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- only.
  • Not the lines above -----BEGIN PRIVATE KEY----- and not the lines below -----END PRIVATE KEY-----

Public Key

• Use the .crt file supplied by GoDaddy in the downloaded zip file.

Certificate chain

• Use the gd_bundle-g2-g1.crt supplied by GoDaddy in the downloaded zip file.

Answer 4

For AWS ELB you need three thing as you said

Private Key

The rsa key you Generated on linux with

#openssl genrsa -des3 -out host.key 2048

it will ask for password, give it for now we will remove it later.

Public key

from your private key you first Generate csr file which is Certificate Signing Request(the one you submit to authority in your case godaddy to get public key). you can Generate csr file using

#openssl req -new -key host.key -out host.csr

now you submit your csr file to godaddy and in return they provide you two files(mydomain.crt, gd_bundle.crt). mydomain.crt is your public key.

Certificate Chain

gd_bundle.crt is certification Chain file which godaddy provides you with your public key.your public key and certification chain file don't need any conversion but for the private key file you need to remove its password and convert it into pem with

#openssl rsa -in host.key -out private.pem 

and its all good to go for AWS.put private key.pem file content in aws private key section and put mydomain.crt file content in public key and put gd_bundle.crt content in certification chain Section. Conversion all depends upon from where you are getting your Certificate. if getting certificate from some other company i will recommend you to follow AWS Docs.

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html

Answer 5

Here is a guide on how to get a Godaddy ssl certificate working on Amazon Elastic Load Balancer (ELB) http://cloudarch.co.uk/2011/10/elastic-load-balancer-ssl-setup-guide-pem-encoded-csr/#.UKFla2nGU_8

Answer 6

Almost two years ago exactly, but I cam across this and it stumped me for a second.

The Certificate body* is the main key in the zip file, mine looks like this f7dsdfsdf2f4e942d.crt and has only one entry.

The middle field Certificate private key* is the ssh private key that signed your csr. It lives on the server that you user to create your csr request. I found the location of mine by looking at the nginx config file and copying to my local drive.

The last field Certificate chain is the the file with 3 entries, mine looks like gd_bundle-g2-g1.crt.