AWS Elastic load balancer with GoDaddy SSL
This is a step-by-step procedure for installing a GoDaddy SSL certificate on an AWS Elastic Load Balancer.
Generating an SSL Certificate:
To install an SSL certificate, you must generate a CSR (Certificate Signing Request) and submit it to the CA (certificate authority). GoDaddy SSL certificates are supported by all common secure web server software. CSR-generation instructions are available for the web servers listed below:
- Nginx, Apache 2.x, Tomcat 4.x/5.x/6.x, Mac OS X Server 10.4, Mac OS X Server 10.6, Zeus Web Server 4.2, Microsoft IIS 5.x
For the entire list, check here
Generating a Certificate Signing Request (CSR) - Apache 2.x:
1. Log in to your server terminal (SSH) and check that OpenSSL is installed. Run the openssl version command in the terminal to verify this.
2. Now generate the CSR (Certificate Signing Request) by running the following command. When generating the CSR, specify a key size of 2048 bits.
3. Enter the requested information. If you enter '.', the field will be left blank.
* Country Name (2 letter code): the two-letter International Organization for Standardization (ISO) country code
* State or Province Name: where your organization is located
* Locality Name: such as the city
* Organization Name (eg, company): the name under which your business is legally registered
* Organizational Unit Name (eg, section): optional; use this field to differentiate between divisions within an organization
* Common Name (e.g. server FQDN or YOUR name): the name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name of the website for which you will be using the certificate (e.g., "www.domainnamegoeshere"). Do not include the "http://" or "https://" prefixes in your common name. Do NOT enter your personal name in this field.
If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the common name (e.g., "*.domainnamegoeshere.com"). This will secure all subdomains of the common name. You should get two files from this step, my-csr.pem and private-key.pem.
4. Open the my-csr.pem file and copy all the text (including the begin and end delimiters).
5. Go to the GoDaddy manage certificates page and paste the full CSR into the SSL enrollment form. Once the certificate is ready, download it. Unzip the downloaded file and you will get gd_bundle.crt and yourdomain.crt.
Setting up SSL on the Amazon Elastic Load Balancer:
We host our sites on Amazon Web Services, so we use an Amazon ELB (Elastic Load Balancer) to handle traffic.
In the AWS web console, go to the ELB page. When you click on an ELB, its properties appear at the bottom of the page.
Click on the Listeners tab and you will see the ports that are currently enabled. If you want to add an SSL certificate, change the first drop-down to HTTPS; the entire row then changes so that you can enter the appropriate information.
In this row, Load Balancer Protocol and Load Balancer Port are set to "HTTPS" and "443". Instance Protocol and Instance Port are set to "HTTP" and "80". You need to specify an SSL certificate for HTTPS or SSL listeners. Specifying a cipher policy is optional; a default policy is used if none is specified.
When you click the Select link, you will see the following dialog.
You need to enter the following information in the dialog:
Certificate Name: the name you want to track your certificates with.
Private Key: the private key that you generated along with your certificate request (see step 3 of the CSR generation section). To get the private key into the form Amazon accepts, you need to use openssl as follows.
Open decrypted-private-key.pem and copy all the text, including the begin and end delimiters. Paste it into the Private Key box in the dialog.
Public Key Certificate: provided by your certificate authority (GoDaddy). The public certificate is the domain-specific file that you receive, in our case yourdomain.crt. This format must be changed to match Amazon's standard.
Copy the entire block and paste it into the Public Key Certificate box in the dialog.
Certificate Chain: an optional group of certificates used to validate your certificate.
The AWS dialog will show an error message if any of the fields contains an invalid value. Finally, test your new configuration by browsing to https://yourdomain.
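The openssl steps this procedure refers to, as an added example that is not part of the original post: it generates the 2048-bit key and CSR non-interactively, strips the key's passphrase to produce decrypted-private-key.pem, converts a .crt to the PEM form the ELB dialog accepts, and checks that key, CSR and certificate share one modulus before anything is pasted into the dialog. It assumes the openssl CLI is available; the subject values, the passphrase and www.example.test are constructed, and the self-signed certificate only stands in for the one GoDaddy issues.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI is installed.
# Subject values, passphrase and www.example.test are constructed placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"
PASS="pass:constructed-passphrase"   # constructed; never hard-code a real passphrase

# Steps 2-3 above: 2048-bit RSA key (passphrase-protected) and a CSR whose subject
# carries the fields the post lists. -subj replaces the interactive prompts.
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -passout "$PASS" \
    -keyout "$WORK/private-key.pem" -out "$WORK/my-csr.pem" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Corp/OU=Web/CN=www.example.test" \
    >/dev/null 2>&1
}

# The ELB dialog needs the key without a passphrase: this produces the
# decrypted-private-key.pem the post refers to.
strip_passphrase() {
  openssl rsa -in "$WORK/private-key.pem" -passin "$PASS" \
    -out "$WORK/decrypted-private-key.pem" 2>/dev/null
}

# True only for a PEM file with no ENCRYPTED header (what the Private Key box accepts).
is_unencrypted_pem() {
  grep -q -- '-----BEGIN' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

# Test-only stand-in for the certificate GoDaddy returns: self-sign the CSR, then
# write it as DER so it resembles a .crt that is not yet in the PEM form ELB requires.
make_test_cert() {
  openssl x509 -req -in "$WORK/my-csr.pem" -signkey "$WORK/decrypted-private-key.pem" \
    -days 1 -out "$WORK/yourdomain.pem" 2>/dev/null
  openssl x509 -in "$WORK/yourdomain.pem" -outform DER -out "$WORK/yourdomain.crt"
}

# Convert a delivered .crt to PEM, whether it arrived as PEM or DER.
to_pem() {
  openssl x509 -in "$1" -out "$2" 2>/dev/null \
    || openssl x509 -in "$1" -inform DER -out "$2"
}

# Key, CSR and certificate must share one RSA modulus; a mismatch is the usual
# reason the ELB dialog rejects an upload. $1 is the PEM certificate to check.
all_match() {
  k=$(openssl rsa -noout -modulus -in "$WORK/decrypted-private-key.pem")
  c=$(openssl req -noout -modulus -in "$WORK/my-csr.pem")
  x=$(openssl x509 -noout -modulus -in "$1")
  [ "$k" = "$c" ] && [ "$c" = "$x" ]
}
```

Run the functions in order (gen_key_and_csr, strip_passphrase, make_test_cert, to_pem, all_match); with a real GoDaddy certificate, skip make_test_cert and pass yourdomain.crt to to_pem instead.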