While getting my Amazon Elastic Beanstalk environment set up for my new Cloud Ebook Manager application QuietThyme, I came across a common use case that I couldn't find much documentation for. I needed to install an SSL certificate so that my Elastic Beanstalk site, which uses a preconfigured EC2 instance and Load Balancer, would support communication over HTTPS.
The first steps are common to any Windows IIS-based environment.
Create Certificate Signing Request
- Open up Internet Information Services (IIS) Manager. Click the Server name on the left panel. Double-click the Server Certificates button in the Security Section.
- From the Actions menu on the right panel, click the Create Certificate Request link. This will open the Request Certificate Wizard.
In the Distinguished Name Properties window, enter the following information:
Common Name - The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com).
Organization - The legally registered name of your organization/company.
Organizational unit - The name of your department within the organization (frequently this entry will be listed as "IT," "Web Security," or is simply left blank).
City/locality - The city in which your organization is located.
State/province - The state in which your organization is located.
Country/region - Your two-letter country code.
- In the Cryptographic Service Provider Properties window ensure the following settings are selected:
Cryptographic service provider: Microsoft RSA SChannel
Bit Length: 2048 or greater.
Finally, enter a filename for your CSR file. You will need to open this file as a text file and copy the entire body of it (including the Begin and End Certificate Request tags) into the online order process when prompted.
The process to transmit your CSR to your SSL certificate provider is out of scope, as the process is different for each provider. After you have transmitted the CSR, you are usually sent an email containing both the final Certificate and sometimes an Intermediate Certificate.
Complete Certificate Request
Go back to your IIS Manager, and Click the Server Certificates button in the Security section under your web server.
In the right panel, click the Complete Certificate Request link.
Browse to your *.cer file that was provided to you by your SSL certificate provider. If you are not provided with a *.cer file, you can create your own by pasting everything (including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) into a new text file and saving it as *.cer. You will then be required to enter a friendly name. The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate.
At this point, pressing OK will install the certificate on the server. If you were also provided with an intermediate certificate (you may need to create a *.cer file for it as well), just double-click the *.cer file and follow the default prompts.
This is where the usual process for installing certificates on IIS servers diverges from Amazon's AWS Cloud. If you have an Elastic Beanstalk application, or you have an EC2 Server with a Load Balancer configured, you will need to complete the following steps as well.
- You will need to install OpenSSL. You can download the correct version (32 or 64 bit) here: http://www.slproweb.com/products/Win32OpenSSL.html
There is a great post online that already explains how to do this which can be found here
Export your Completed SSL Certificate
Amazon's Elastic Load Balancers require that you provide the server private key and certificate as separate PEM files; however, by default IIS only exports a single *.pfx file that packages both. We can use OpenSSL to extract the relevant pieces from it.
You will first need to Export your newly installed IIS Certificate into a *.pfx file that OpenSSL can handle.
- Open IIS Manager. In the left hand pane select the Server Name.
- In the middle window click the Server Certificates icon.
- Select the certificate you wish to export.
- In the right hand pane select Export.
- Give the certificate a file name and password.
- Your certificate and private key have been exported to a .pfx file.
Convert PFX to PEM files
Export the private key from the pfx file:
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
It will prompt you for an Import Password. Enter the password you created when exporting the certificate from IIS.
Then it will prompt you for a PEM passphrase. Enter one if you'd like, then confirm it.
Export the certificate file from the pfx file:
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
It will prompt you for an Import Password. Enter the password you created when exporting the certificate from IIS.
Remove the passphrase from the private key:
openssl rsa -in key.pem -out server.key
It will prompt for a PEM passphrase. This is the passphrase you created after the first command (if you did).
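The same three openssl commands, run non-interactively, as an added example that is not part of the original post. It assumes `openssl` is on the PATH (the Win32 OpenSSL build linked above, or any Linux/macOS build); the passwords are placeholders, and because a real IIS export cannot be embedded here, the script first constructs a self-signed PFX to stand in for it. Beyond the post's steps it also strips the "Bag Attributes" header the way the copy-from-BEGIN instruction below does, pulls out any intermediate certificates for the load balancer's certificate chain field, and checks that the private key actually belongs to the certificate before anything is pasted into the console.

```shell
#!/bin/sh
# Added example (not the original post's code): PFX -> PEM for an Elastic Load
# Balancer, plus the sanity checks worth running first. Assumes `openssl` on PATH.
# All passwords and the self-signed PFX are constructed placeholders.
set -eu

# Constructed stand-in for the *.pfx exported from IIS: a self-signed key+cert
# bundled into a password-protected PKCS#12 file. Prints the PFX path.
make_test_pfx() {
  dir=$1; pfx_pass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=www.example.test" \
    -keyout "$dir/orig.key" -out "$dir/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/orig.crt" \
    -name "www.example.test" -out "$dir/site.pfx" -passout "pass:$pfx_pass"
  echo "$dir/site.pfx"
}

# Same steps as the post. -passin supplies the "Import Password" (the one set
# when exporting from IIS); -passout plays the role of the PEM passphrase that
# the first interactive command asks for, and `openssl rsa` strips it again.
pfx_to_elb_pem() {
  pfx=$1; pfx_pass=$2; out=$3
  tmp_pass="temporary-pem-passphrase"   # placeholder; gone after step 3
  # 1. private key out of the PFX (written encrypted with tmp_pass)
  openssl pkcs12 -in "$pfx" -nocerts -out "$out/key.pem" \
    -passin "pass:$pfx_pass" -passout "pass:$tmp_pass"
  # 2. the server (leaf) certificate only; the file starts with "Bag Attributes" lines
  openssl pkcs12 -in "$pfx" -clcerts -nokeys -out "$out/cert.pem" \
    -passin "pass:$pfx_pass"
  # 3. remove the passphrase -> server.key, the text for the ELB "Private Key" box
  openssl rsa -in "$out/key.pem" -passin "pass:$tmp_pass" -out "$out/server.key"
  # Equivalent of "copy from -----BEGIN to the end of the file": re-emit just the
  # certificate block without the Bag Attributes header -> "Public Key Certificate" box
  openssl x509 -in "$out/cert.pem" -out "$out/server.crt"
  # Intermediate certificate(s), if the PFX carries any, for the ELB certificate
  # chain field. A PFX with no CA certificates yields an empty file.
  openssl pkcs12 -in "$pfx" -cacerts -nokeys -out "$out/chain.pem" \
    -passin "pass:$pfx_pass" || : > "$out/chain.pem"
  chmod 600 "$out/key.pem" "$out/server.key"   # the key is now unencrypted on disk
}

# Sanity check before pasting: the public key embedded in the certificate must
# equal the public key derived from the private key (a mismatched pair is the
# usual reason an upload is rejected). Returns 0 on a match.
key_matches_cert() {
  key=$1; cert=$2
  from_key=$(openssl pkey -in "$key" -pubout | openssl sha256)
  from_cert=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True when a PEM key file carries no passphrase (what the console expects).
key_is_unencrypted() {
  ! grep -q "ENCRYPTED" "$1"
}

# Number of certificate blocks in a PEM file (0 for an empty chain file).
cert_count() {
  grep -c -- "-----BEGIN CERTIFICATE-----" "$1" || true
}

# Demo on the constructed PFX; with a real export, call pfx_to_elb_pem directly.
demo() {
  work=$(mktemp -d)
  pfx=$(make_test_pfx "$work" "exportpw")
  pfx_to_elb_pem "$pfx" "exportpw" "$work"
  if key_matches_cert "$work/server.key" "$work/server.crt"; then
    echo "server.key matches server.crt"
  else
    echo "key/certificate MISMATCH - do not upload" >&2
    return 1
  fi
  echo "leaf certificates: $(cert_count "$work/server.crt"), chain certificates: $(cert_count "$work/chain.pem")"
  echo "PEM files written to $work"
}

demo
```

With a real export, replace the constructed PFX with the file from IIS and the `exportpw` placeholder with the export password; `server.key` and `server.crt` are then the two files whose contents go into the load balancer's private key and public key certificate fields, and `chain.pem`, when non-empty, supplies the intermediate certificate.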
- Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- Click on the Load Balancer link under My Resources
- Select the load balancer you would like to install the SSL certificate on.
- In the bottom panel, click Listeners tab.
In the new row, configure the following:
- Load Balancer Protocol HTTPS on Load Balancer Port 443, forwarding to EC2 Instance Port 80 (Microsoft IIS).
- Click the SSL Certificate choose link and set the following:
- Open the file server.key that was created above with openssl and paste its contents into the Private Key textbox.
- Open the file cert.pem that was created above with openssl, copy the text from -----BEGIN CERTIFICATE----- to the end of the file (skipping the Bag Attributes lines above it), and paste that into the Public Key Certificate textbox.
- Hit the Save button.
Enable HTTPS on Web Application
- In IIS Manager select your application under Sites
- Select Bindings under the Actions menu in the right panel.
- In the "Site Bindings" window, click "Add..." This will open the "Add Site Binding" window.
- Under "Type" choose https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443.
- Your SSL certificate is now installed, and the website configured to accept secure connections.