Last Updated: May 07, 2016
· analogj

How to Install an IIS SSL Certificate on to your Amazon Elastic Load Balancer

While getting my Amazon Elastic Beanstalk environment setup for my new Cloud Ebook Manager application QuietThyme, I came across a common use case that I couldn't find much documentation for. I needed to install an SSL certificate so that my Elastic Beanstalk site, which uses a preconfigured EC2 and Load Balancer, would support communication over HTTPS.

The first steps are common on any Windows IIS based environment.

Create Certificate Signing Request

  1. Open up Internet Information Services (IIS) Manager. Click the Server name on the left panel. Double-click the Server Certificates button in the Security Section. Picture

2.From the Actions menu on the right panel, click the Create Certificate Request link. This will open the Request Certificate Wizard.Picture

In the Distinguished Name Properties window, enter the following information:

Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
Organization - The legally registered name of your organization/company.
Organizational unit - The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
City/locality - The city in which your organization is located.
State/province - The state in which your organization is located.
Country/region - Your two-digit country code.

  1. In the Cryptographic Service Provider Properties window ensure the following settings are selected:

Cyptographic service provider: Microsoft RSA SChannel
Bit Length: 2048 or greater.

  1. Finally, enter a filename for your CSR file. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.

  2. The process to transmit your CSR to your SSL certificate provider is out of scope, as the process is different for each provider. After you have transmitted the CSR, you are usually sent an email containing both the final Certificate and sometimes an Intermediate Certificate.

Complete Certificate Request

  1. Go back to your IIS Manager, and Click the Server Certificates button in the Security section under your web server.

  2. In the right panel, click the Complete Certificate Request link.

  3. Browse to your *.cer file that was provided to you by your SSL certificate provider. If you are not provided with a *.cer file, you can create your own by pasting everything (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into a new text file and saving it as *.cer. You will then be required to enter a friendly name. The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate.

  4. At this point, pressing OK will install the certificate on the server. If you were also provided with an intermediate certificate, (you may need to create a *.cer file for it as well) just double-click the *.cer file and follow the default prompts.

  5. This is where the usual process for installing certificates on IIS servers diverges from Amazon's AWS Cloud. If you have an Elastic Beanstalk application, or you have an EC2 Server with a Load Balancer configured, you will need to complete the following steps as well.

Install OpenSSL

  1. You will need to install OpenSSL. You can download the correct version (32 or 64 bit) here: http://www.slproweb.com/products/Win32OpenSSL.html

There is a great post online that already explains how to do this which can be found here


Export your Completed SSL Certificate

Amazon's Elastic Load Balancers require that you provide the server private key and certificate in PEM format, however by default IIS only exports one *.pfx file that packages both. We can then use OpenSSL to extract the relevant information.

  1. You will first need to Export your newly installed IIS Certificate into a *.pfx file that OpenSSL can handle.

  2. Open IIS Manager. In the left hand pane select the Server Name

  3. In the middle window click the Server Certificates icon

  4. Select the certificate you wish to export

  5. in the right hand pane select Export

  6. Give the certificate a file name and password

Your certificate and private key has been exported to a .pfx file

Convert PFX to PEM files

  1. Export the private key from the pfx file

    openssl pkcs12 -in filename.pfx -nocerts -out key.pem

It will prompt you for an Import Password. You should enter in the one password you created when exporting the cert from IIS

  1. Export the certificate file from the pfx file

    openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

It will prompt you for an Import PasswordYou should enter in the one password you created when exporting the cert from IIS
Then it will prompt you for a PEM passphrase. Enter one if you’d like, then confirm it

  1. Remove the passphrase from the private key

    openssl rsa -in key.pem -out server.key

It will prompt for a pem passphrase. This would be the passphrase you created after command number 1 (if you did)

Configure ELB

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
  2. Click on the Load Balancer link under My Resources
  3. Select the load balancer you would like to install the SSL certificate on.
  4. In the bottom panel, click Listeners tab.
  5. In the new row, Configure the following:

    Microsoft IIS HTTPS 443 for Load Balancer port to 80 EC2 Instance Port

  6. Click the SSL Certificate choose link and set the following:
    Open the file server.key that was created from above with openssl and paste into the Private Key textbox
    Open the file cert.pem that was created from above with openssl and copy the text from —-BEGIN till the end of the file and paste that into Public Key Certificate textbox

  7. Hit Save button.

Enable HTTPS on Web Application

  1. In IIS Manager select your application under Sites
  2. Select Bindings under the Actions menu in the right panel.
  3. In the "Site Bindings" window, click "Add..." This will open the "Add Site Binding" window.
  4. Under "Type" choose https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443.
  5. Your SSL certificate is now installed, and the website configured to accept secure connections.

5 Responses
Add your response


Thank you for posting this!

over 1 year ago ·

Great post. Thanks for sharing!

over 1 year ago ·

Thank you so much!

over 1 year ago ·

I found some different opinion about this issue.
Can you please post also how to generate the KeyChain for the AWS Load Balancer?

Thanks, and great post!

over 1 year ago ·

After spending far too long searching for a solution your post has made me very happy thank you.

over 1 year ago ·