
AWS Elastic Load Balancer With GoDaddy SSL


Import GoDaddy SSL Certificate to AWS

 

This is a step-by-step procedure for installing a GoDaddy SSL certificate on an AWS Elastic Load Balancer.

 

Generating an SSL Certificate:

 

To install an SSL certificate, you must generate a CSR (Certificate Signing Request) and submit it to a CA (certificate authority). SSL certificates from GoDaddy are supported by all secure web server software. CSR-generation instructions are available for the web servers listed below:

  • Nginx, Apache 2.x, Tomcat 4.x/5.x/6.x, Mac OS X Server 10.4, Mac OS X Server 10.6, Zeus Web Server 4.2, Microsoft IIS 5.x

For the entire list, check here

 

Generating a Certificate Signing Request (CSR) - Apache 2.x:

 

1. Log in to your server terminal (SSH) and check that OpenSSL is installed. Run the openssl version command in the terminal to verify this.

2. Now generate the CSR (Certificate Signing Request) by running the following command. When generating the CSR, specify a key size of 2048:

    openssl req -new -newkey rsa:2048 -nodes -out my-csr.pem -keyout private-key.pem

3. Enter the requested information. If you enter '.', the field will be left blank.

* Country Name (2 letter code): The two-letter International Organization for Standardization (ISO) format

* State or Province Name: Where your organization is located

* Locality Name: Such as city

* Organization Name (eg, company): The name under which your business is legally registered

* Organizational Unit Name (eg, section): Optional, Use this field to differentiate between divisions within an organization

* Common Name (e.g. server FQDN or YOUR name): The name entered in the "CN" (common name) field of the CSR MUST be the fully-qualified domain name of the website for which you will be using the certificate (e.g., "www.domainnamegoeshere.com"). Do not include the "http://" or "https://" prefixes in your common name. Do NOT enter your personal name in this field.

If you are requesting a wildcard certificate, add an asterisk (*) on the left side of the common name (e.g., "*.domainnamegoeshere.com"). This will secure all subdomains of the common name. You should get two files from this step, my-csr.pem and private-key.pem.

4. Open the my-csr.pem file and copy all the text (including the begin and end delimiters).

5. Go to the GoDaddy manage certificate page and paste the full CSR into the SSL enrollment form. Once the certificate is ready, download it. Unzip the downloaded file and you will get gd_bundle.crt and yourdomain.crt.

 

Setting SSL on Amazon Elastic load balancer:

 

We use Amazon Web Services for our sites, so an Amazon ELB (Elastic Load Balancer) handles the traffic.

SSL setup:

In the Amazon web console, go to the Amazon ELB page. When you click on the ELB, its properties appear at the bottom of the page.

Click on the listener tab and you will see the ports that are currently enabled. To add an SSL certificate, change the first drop-down to HTTPS; the entire row then changes so that you can enter the appropriate information.

In this row, Load Balancer Protocol and Load Balancer Port are set to "HTTPS" and "443". The Instance Protocol and Instance Port are set to "HTTP" and "80". You need to specify an SSL certificate for HTTPS or SSL listeners. Specifying a cipher policy is optional; a default policy will be used if none is specified.

 

Upload Certificate: 

 

When you click the select link, a dialog opens.

You need to enter the following information in the dialog:

Certificate Name:

The name you want to track your certificates with.

Private Key:

The private key is the one you generated along with your certificate request (refer to point 3 in SSL certificate generation). To get the private key in a form Amazon supports, run OpenSSL as follows:

    openssl rsa -in private-key.pem -out decrypted-private-key.pem

Open decrypted-private-key.pem and copy all the text, including the begin and end delimiters. Paste that into the Private Key box in the dialog.

Public Key Certificate:

- Provided by your certificate authority (GoDaddy SSL). The public certificate is the domain-specific file that you receive, in our case yourdomain.crt. Its format must be changed to match Amazon's standard:

    openssl x509 -inform PEM -in yourdomain.crt

Copy the entire output block and paste it into the Public Key box in the dialog.

Certificate Chain

– An optional group of certificates to validate your certificate.

The AWS dialog will give you an error message if any of the fields contain an invalid value. Finally, test your new configuration by going to https://yourdomain.
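Before pasting the files into the dialog, it is worth confirming that the key, CSR and certificate belong together and that the key is not passphrase-protected. The script below is an added example, not part of the original post; the function names, the other-key.pem file and the www.example.com name are assumptions, and a self-signed certificate stands in for the GoDaddy-issued yourdomain.crt so that it runs offline.

```shell
#!/usr/bin/env bash
# Added example: checks to run on the files from this guide before uploading.

# Print the SHA-256 of the public key inside a private key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
  local pub
  case "$1" in
    key)  pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) ;;
    csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
    cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the key is unencrypted, the certificate has not expired,
# and key, CSR and certificate all carry the same public key.
ready_for_upload() {   # usage: ready_for_upload KEY CSR CERT
  local k c x
  if grep -q 'ENCRYPTED' "$1"; then echo "key is passphrase-protected"; return 1; fi
  k=$(pubkey_digest key "$1")  || { echo "cannot read key"; return 1; }
  c=$(pubkey_digest csr "$2")  || { echo "cannot read CSR"; return 1; }
  x=$(pubkey_digest cert "$3") || { echo "cannot read certificate"; return 1; }
  [ "$k" = "$c" ] || { echo "CSR was not made from this key"; return 1; }
  [ "$k" = "$x" ] || { echo "certificate does not match this key"; return 1; }
  openssl x509 -in "$3" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 1; }
  echo "ok"
}

# Constructed sample data: a throwaway key and CSR, a self-signed certificate
# standing in for the CA-issued yourdomain.crt, and an unrelated second key.
make_demo_files() {   # usage: make_demo_files DIR
  ( cd "$1" &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
      -out my-csr.pem -keyout private-key.pem 2>/dev/null &&
    openssl x509 -req -in my-csr.pem -signkey private-key.pem -days 1 \
      -out yourdomain.crt 2>/dev/null &&
    openssl genrsa -out other-key.pem 2048 2>/dev/null )
}

demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
ready_for_upload "$demo_dir/private-key.pem" "$demo_dir/my-csr.pem" "$demo_dir/yourdomain.crt"
ready_for_upload "$demo_dir/other-key.pem" "$demo_dir/my-csr.pem" "$demo_dir/yourdomain.crt" || true
```

With real files, call ready_for_upload with decrypted-private-key.pem, my-csr.pem and yourdomain.crt from the steps above.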