Amazon Web Services Elastic Load Balancer on HTTPS

  • 26 July 2016
    • Amazon
amazon-web-services-elastic-load-balancer

Public-key cryptography, also called asymmetric cryptography, is a communication where people exchange messages that can only be read by one another.

The certificate is a container for the public key. It includes the public key, the server name, some extra information about the server and a signature computed by a certification authority. When the server sends its public key to a client, it actually sends its certificate, with a few other certificates (the certificate which contains the public key of the CA which signed its certificate, and the certificate for the CA which signed the CA's certificate, and so on). Certificates are intrinsically public objects.

Some people use the term "certificate" to designate both the certificate and the private key; this is a common source of confusion. I personally stick to the strict definition for which the certificate is the signed container for the public key only.

A ".pfx" file is a PKCS#12 archive: a bag which can contain a lot of objects with optional password protection; but, usually, a PKCS#12 archive contains a certificate (possibly with its assorted set of CA certificates) and the corresponding private key.

On the other hand, a ".cert" (or ".cer" or ".crt") file usually contains a single certificate, alone and without any wrapping (no private key, no password protection, just the certificate).

To run an AWS ELB on HTTPS you’ll need to install your public and private keys on the load balancer itself. To do this you’ll need the private key from your webserver. So once you’ve installed the certificate on any of the web servers for your load balancer you can follow these steps to export your .pfx file.

Export .pfx file:

  1. Click on the Start menu and click Run.
  2. Type in mmc and click OK.
  3. Click on the File menu and click Add/Remove Snap-in...
  4. Click on the Add button. Double-click on Certificates.
  5. Click on Computer Account and click Next.
  6. Leave Local Computer selected and click Finish.
  7. Click the Close button. Click OK.
  8. Click the plus sign next to Certificates in the left pane.
  9. Click the plus sign next to the Personal folder and click on the Certificates folder. Right-click on the certificate you would like to export and select All Tasks and then Export...
  10. In the Certificate Export Wizard click Next.
  11. Choose "Yes, export the private key" and click Next.
  12. Click the checkbox next to "Include all certificates in the certification path if possible" and click Next.
  13. Enter and confirm a password. This password will be needed whenever the certificate is imported to another server.
  14. Click Browse and find a location to save the .pfx file to. Type in a name such as "mydomain.pfx" and then click Next.
  15. Click Finish. The .pfx file containing the certificates and the private key is now saved to the location you specified.

Now that you have your private key file you’ll need to extract the private and public keys to use on AWS. You’ll need to download a program called OpenSSL (http://slproweb.com/products/Win32OpenSSL.html) . Then follow these steps below to extract the different keys.

Extract keys from .pfx file:

  1. To extract the private key:
    openssl.exe pkcs12 -in
  2. The generated private key file (priv.pem) will be password protected, to remove the pass phrase from the private key.
    openssl.exe rsa -in priv.pem -out priv.pem
  3. Next step is extracting the public key certificate from the pfx file, there is a direct command in OPENSSL to extract the public key certificate from the pfx file but the generated file will contain public key certificate and some other information. To extract only public key certificate first we need to convert the pfx file to pem which contains both private and public key, and then extract the public key certificate from this pem file:
    openssl.exe pkcs12 -in ClientCert1.pfx -out privpub.pem
  4. The generated pem contains both private and public keys, use the following command to extract only the public key certificate:
    openssl x509 -inform pem -in privpub.pem -pubkey -out pub.pem -outform pem

After extracting the required keys you can add them in AWS. Go to EC2, load balancer, and choose edit listeners on your specific load balancer. You view the .pem files as text and copy the contents from pub.pem into the public key field and the contents from priv.pem into the private key field. Note the chain is in most cases required for better support. For example without the chain the website could say “untrusted” when viewing on mobile. The chain is composed of all the certificates from the ".cert" (or ".cer" or ".crt") file. For example :

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

And there you have it, your websites should now be running on https as long as everything has been configured correctly on the IIS of all the respective webservers.