Plugging a Symantec SSL Certificate into a AWS Load Balancer
Yesterday, Zanbato’s SSL certificate expired, and I had to swap in a new one. SSL is the protocol that secures communication between a client and server, and the SSL certificate allows a client to verify with a trusted 3rd party that the server is who they say they are.
Specifically to Zanbato, we use Symantec as our trusted 3rd party, and AWS to host our servers. On AWS, we use a load balancer to split traffic across multiple servers, and AWS allows you to setup your SSL certificate once on the load balancer instead of copying it across all of your servers. Getting the certificate live isn’t difficult, but it isn’t completely straightforward if you aren’t familiar with it, so here are the steps.
First, use openssl to create a certificate signing request. openssl should be installed by default on OSX and most linux distros.
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
openssl rsa -in yourdomain.key -out yourdomain.key.pem
For Symantec, include the common name (the domain) but don’t put a challenge password on it. The .key file is your private key, and the .csr file is the request you will submit to Symantec to get your certificate. The .pem file will be needed later for AWS.
Go through Symantec and all their stuff, and eventually, you will be issued a certificate from them. You should also setup your load balancer and test it out in the meantime since it will take a few days to get your certificate.
When that’s all ready, we can add the certificate to the load balancer. In the Symantec Trust Center, open the certificate and pick the manual installation. Switch it to X.509. In the EC2 console, open up the load balancer and “Edit Listeners”. Add the HTTPS protocol and change the certificate. Give it a name, and then fill it in with the following:
- Private Key: this is the yourdomain.key.pem from above. Copy-paste it in, and be careful not to leave stray newlines around
- Public Key Certificate: this is from Symantec and is called the “Entity Certificate”. Copy-paste it in
- Certificate Chain: these are the intermediate certificates from Symantec. There may be more than one, so you just have to copy-paste them on top of each other in the box. Strangely, you have to put the “secondary” certificate first.
Hit save, and see how it goes. AWS will yell at you if you did anything wrong. It should roughly give you the right place for where the error is, though the reason may be somewhat cryptic. After that, visit your site (you may need to use a fresh browser window), and you should see the lock in the address bar!