Setting up SSL on an AWS Elastic Load Balancer
Here's how to get an SSL certificate (from DigiCert) and install it on your AWS ELB.
Step 1: Create the CSR
SSL relies on PKI (public key infrastructure) encryption. It requires a key pair, which is usually generated by the user. Ideally the private key is kept private and never moved from the computer on which it was generated. This isn't the case for ELBs though, because the private key has to be pasted into the AWS Console in Step 4. The following steps need to be performed on a machine that has OpenSSL installed. Most web servers have it.
- Go to the DigiCert OpenSSL CSR Wizard.
- Fill out the fields. Everything is self-explanatory, but CN (common name) should be the site's domain name.
- Press Generate then copy the resulting text.
- In a terminal/command prompt, paste the generated command from the previous step, e.g.:
$ openssl req -new -newkey rsa:2048 -nodes -out arun_nz.csr -keyout arun_nz.key -subj "/C=GB/ST=London/L=London/O=Arun Stephens/CN=arun.nz"
- Two files will be created. In this case, arun_nz.csr and arun_nz.key. Keep the .key file safe. Use the .csr file in the next step.
Step 2: Apply for the certificate
- Log into your DigiCert account
- Go to the order page.
- Choose the type of certificate (SSL Plus is a standard certificate, suitable for most uses) and duration of certificate validity.
- Enter the common name (CN) for the certificate. This will be the site's domain name.
- Check the I would like to provide my CSR and auto-fill names now box. Choose OTHER for server software, then paste in or upload the contents of the .csr file generated in Step 1, above.
- Press Continue.
- Verify/amend all the details, then press Continue.
- Enter your payment details.
Step 3: Wait for/assist in verification
DigiCert will now verify that you have control of the domain in order to issue the certificate. They do this by emailing the registered email addresses for the domain, as well as admin@<domain>. If you can't access those email addresses, you can contact DigiCert to manually verify your control by either adding a DNS record or adding a file to the web server, in both cases with your email address. They will then use that email address to continue with the verification process.
Once verified, your certificate will be emailed to you.
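Before pasting the key and certificate into the ELB in Step 4, it is worth confirming that the issued certificate really belongs to the private key from Step 1. The script below is an added example, not part of the original post: it compares the public key inside each file, and it builds its own throwaway files (demo.key, demo.csr, demo.crt and other.key are constructed names, with a self-signed certificate standing in for the one DigiCert issues) so that it runs offline.

```shell
#!/bin/sh
# Added example: confirm that a private key, CSR and certificate share one public key.

# Print the SHA-256 of the PEM public key held in a key, CSR or certificate file.
# Fails (no output) if the file cannot be parsed, e.g. a passphrase-protected key.
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair KEY FILE...  succeeds only if every FILE (a *.csr, otherwise
# treated as a certificate) carries the public key that belongs to KEY.
same_keypair() {
    key=$1; shift
    want=$(pubkey_fp key "$key") || return 1
    for f in "$@"; do
        case "$f" in *.csr) kind=csr ;; *) kind=cert ;; esac
        got=$(pubkey_fp "$kind" "$f") || return 1
        [ "$got" = "$want" ] || return 1
    done
}

# Constructed sample files: a key and CSR made with the same req options as
# Step 1, a self-signed certificate for that key, and an unrelated second key.
make_demo_files() {
    openssl req -new -newkey rsa:2048 -nodes -out "$1/demo.csr" \
        -keyout "$1/demo.key" -subj "/CN=example.test" 2>/dev/null &&
    openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" -days 1 \
        -out "$1/demo.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Demo run on the throwaway files.
d=$(mktemp -d) && make_demo_files "$d" &&
    same_keypair "$d/demo.key" "$d/demo.csr" "$d/demo.crt" &&
    echo "demo.key, demo.csr and demo.crt belong together"
same_keypair "$d/other.key" "$d/demo.crt" ||
    echo "other.key does not match demo.crt"
rm -rf "$d"
```

With the files from this page the call would be `same_keypair arun_nz.key arun_nz.csr <domain>.crt`, run on the machine that holds the key.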
Step 4: Create an ELB and add the certificate to it
Once you have your certificate, you need to add it to a new ELB.
- Log into the AWS Console.
- Go to EC2. Make sure you are in the correct region.
- Click on Load Balancers in the side bar (or under Resources in the main part of the window).
- Click Create Load Balancer.
- Give it a name and make sure it is in the correct VPC (usually a public one for a web site).
- Keep the default HTTP listener, and also create an HTTPS (Secure HTTP) listener. These should both point to port 80, as SSL is not (and does not need to be) set up on the individual servers.
- If you have multiple subnets in different availability zones, select the subnets that the load balancer should be in. For a public web site, choose the public subnets only.
- Click Assign Security Groups.
- Choose or create a security group that this load balancer should be part of. It should at least allow public access to ports 80 and 443.
- Click Configure Security Settings.
- Give the certificate a name. Names must be unique. When you renew the certificate once this one expires, you can't use this name again, so consider adding a date or year to the name to make it unique.
- Paste in the private key. This is the .key file you created in step 1, above.
- Paste in the public key certificate. This is the <domain>.crt file from the zip that DigiCert emailed you.
- Paste in the certificate chain. This is the DigiCertCA.crt file from the zip that DigiCert emailed you.
- Click Configure Health Check.
- Choose your health check settings. The ELB will check the web servers periodically using these settings. By default it will check for a particular URL. The default is /index.html. Make sure the file exists on the server(s).
- Click Add EC2 Instances.
- Choose the web server(s) that should be attached to the load balancer.
- Click Add Tags, then add any tags to the load balancer.
- Click Review and Create.
- Review everything, then click Create.
The load balancer is now created.
If you're not using Amazon Route 53 for DNS, you will need to create a CNAME record to the load balancer's domain name, which is available as the DNS Name in the console. It ends with