Once you have generated the CSR for Amazon Web Services, the next step is to install the SSL certificate on Amazon Web Services (AWS). To validate your domain name, the certificate authority (CA) will send a verification link to the registered email address associated with your domain name. Once your domain is validated, the CA will send you the final certificate as a Zip file attachment.
You will receive the following certificate chain files in the Zip folder, which are used to set up SSL on Amazon Web Services:
1) Root certificate (root.crt)
2) Intermediate certificate (intermediate1.crt)
3) Intermediate certificate (intermediate2.crt)
4) Public certificate issued for your domain (yourdomain.crt)
Convert Certificate Private key and Certificate Chain Files into .PEM format:
First, all your certificate files, including the private key (awsserver.key) and the certificate chain (root and intermediate certificates), must be converted into .PEM format before they are uploaded to Amazon Identity and Access Management (IAM).
Enter the OpenSSL command below to convert the private key file to .PEM format:
openssl rsa -in awsserver.key -outform PEM > server.private.pem
Enter the command below to convert the certificate chain file to .PEM format:
openssl x509 -inform PEM -in certificate_chain_file
Next, you can upload your SSL certificate files to Amazon Web Services. To do so, you need to combine the root and intermediate certificates into a single ssl-bundle.crt file, using the command below:
cat intermediate1.crt intermediate2.crt root.crt > ssl-bundle.crt
Upload Certificate Files through AWS CLI (Command Line Interface):
Now upload the CA bundle file, private key and main certificate with the single AWS CLI command below:
$ aws iam upload-server-certificate --server-certificate-name ExampleCertificate --certificate-body file://Certificate.pem --certificate-chain file://CertificateChain.pem --private-key file://awsserver.pem
IAM will confirm Certificate Details:
IAM will confirm the following details when you upload a certificate:
– The private key (.key) and the certificate (.crt) issued for the domain must be X.509 PEM-encoded.
– The certificate’s validity period, including issuance and expiration dates.
– The CA bundle and private key contain one certificate and one key.
– The private key is unencrypted (without a password).
– The private key must be in the correct format, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----
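The checks listed above can be run locally before the upload command, so that an encrypted, malformed or mismatched file is caught on your own machine. The script below is an added example, not part of the original guide or of AWS tooling; its function names are assumptions, and the public-key comparison and the check for key material in the chain file go beyond the list above.

```sh
#!/bin/sh
# Added example: local checks to run before `aws iam upload-server-certificate`.
# Usage (file names are the caller's own): sh precheck.sh KEY CERT CHAIN

# Print how many PEM blocks with the given label a file holds.
count_blocks() {
    grep -c -- "^-----BEGIN $2-----" "$1" || true
}

# The key file must hold exactly one unencrypted key with RSA PRIVATE KEY tags.
# (OpenSSL 3.x `openssl rsa` writes "BEGIN PRIVATE KEY" unless -traditional is given.)
check_key_file() {
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo "key: still password-protected" >&2; return 1
    fi
    [ "$(count_blocks "$1" 'RSA PRIVATE KEY')" -eq 1 ] ||
        { echo "key: expected exactly one RSA PRIVATE KEY block" >&2; return 1; }
    grep -q -- '^-----END RSA PRIVATE KEY-----' "$1" ||
        { echo "key: END tag missing" >&2; return 1; }
}

# The certificate body must be a single certificate.
check_cert_file() {
    [ "$(count_blocks "$1" 'CERTIFICATE')" -eq 1 ] ||
        { echo "cert: expected exactly one CERTIFICATE block" >&2; return 1; }
}

# The chain must hold certificates only; a key concatenated in by mistake is caught.
check_chain_file() {
    [ "$(count_blocks "$1" 'CERTIFICATE')" -ge 1 ] ||
        { echo "chain: no CERTIFICATE block" >&2; return 1; }
    if grep -q -- 'PRIVATE KEY-----' "$1"; then
        echo "chain: contains private key material" >&2; return 1
    fi
}

# The certificate must carry the public half of the key and must not be expired.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ] && openssl x509 -in "$2" -noout -checkend 0 >/dev/null
}

precheck() {
    check_key_file "$1" && check_cert_file "$2" && check_chain_file "$3" &&
        key_matches_cert "$1" "$2" && echo "ok: ready to upload"
}

if [ "$#" -eq 3 ]; then precheck "$1" "$2" "$3"; fi
```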
Verify your Uploaded SSL certificate:
After the upload is complete, run the command below to view and retrieve the uploaded certificate using “certificate_object_name”:
aws iam get-server-certificate --server-certificate-name certificate_object_name
Update certificate on running HTTPS Load Balancer:
Generate the Amazon Resource Name (ARN) of the SSL certificate using the AWS CLI command below through IAM:
– Your_AWS_Account_ID means unique Amazon Resource Name (ARN). The Amazon Resource Name (ARN) for your certificate will be used to update your load balancer configuration settings to use HTTPS.
– Certificate_Object_GUID is the ID of the certificate.
Note: To store and deploy the certificate, you can use either the IAM API or ACM tools.
Next, create an HTTPS listener to assign the SSL certificate to the load balancer, so that it accepts HTTPS requests on port 443 and sends the requests on to port 80 using HTTP. This can be done with the following command:
aws elb create-load-balancer-listeners --load-balancer-name my-load-balancer --listeners Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=80,SSLCertificateId=ARN
Check SSL Certificate Installation
Now you can check that the SSL certificate is successfully installed on Amazon Web Services (AWS) with a tool such as the SSL Certificate Analyzer from Comodo and verify the details of the certificate installation.