Upload IIS SSL Certificate into Amazon Elastic Load Balancer

16. February 2011 23:12

This post will talk about how to get your IIS SSL Certificate into the Amazon Elastic Load Balancer. The trickiest part about this process is that you need to convert the IIS PFX file into the PEM format (since that is what the ELBs want).

The steps/concepts will be as follows

  1. Export SSL Certificate from IIS
  2. Convert the PFX file to PEM format
  3. Upload the PEM format SSL into the Elastic Load balancer

 

Export SSL Certificate from IIS

  • Export your certificate from IIS 7 WITH the private key.
  • Make sure to check the option PKCS #12 (.pfx)
  • I also checked the checkbox for "Include all certificates in the certification path if possible"


Here is a link for a tutorial on how to export your certificate

http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

Now you should have your pfx file.

Convert the PFX file to PEM format

Next you will need to convert the PFX file to a valid PEM format for the ELB.  In order to do this you will need the utility OpenSSL.

If you don't have OpenSSL installed, you will need to install it. You can download the version (32 bit or 64 bit) you need below:

http://www.slproweb.com/products/Win32OpenSSL.html

There is a great post online that already explains how to do this which can be found here

http://www.petefreitag.com/item/16.cfm

For ease of reading and to explain a bit further, I took the commands from the link above and inserted them here as well.

The first thing you need to do is open the Windows command prompt and get to the directory where openssl is (if you did not put it in your PATH).

Command 1

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem

It will prompt you for an Import Password. I entered the one I created when I exported the cert from IIS.

Command 2

# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

It will prompt you for an Import Password. I entered the one I created when I exported the cert from IIS.
Then it will prompt you for a PEM passphrase. Enter one if you'd like, then confirm it.


Command 3

# This removes the passphrase from the private key so Apache won't
# prompt you for your passphrase when it starts
openssl rsa -in key.pem -out server.key

It will prompt for a PEM passphrase. This would be the passphrase you created after command number 1 (if you did).

Upload the PEM format SSL into the Elastic Load balancer

Now it's time to take the files you created from openssl and copy and paste them into the Elastic Load Balancer. I just uploaded it via the AWS Console Management UI. However, they do have API tools as well that you can do this with.

I configured the following on the ELB:

  • Microsoft IIS HTTP 80 for Load Balancer port to 80 EC2 instance Port
  • Microsoft IIS HTTPS 443 for Load Balancer port to 80 EC2 Instance Port

 

When prompted for the certificate keys do the following:

  • Open the file server.key that was created from above with openssl and paste into the Private Key textbox
  • Open the file cert.pem that was created from above with openssl and copy the text from -----BEGIN till the end of the file and paste that into the Public Key Certificate textbox


Note: I did not put anything into the certificate chain.


Finish configuring the rest of your Elastic Load Balancer

This should do it. Now your SSL certificate is configured for the ELB and SSL will now terminate at the ELB level and not your server level.
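A pre-paste check for the two files produced above, as an added example that is not part of the original post: it confirms that server.key holds one private key with no passphrase protection, that cert.pem holds a single certificate, and returns the certificate text without the "Bag Attributes" lines that openssl pkcs12 writes before the BEGIN marker. The function names and sample data are constructed for illustration; the check is structural only and does not prove that the key matches the certificate.

```python
import base64
import re

# One PEM block: label, then optional "Name: value" headers, then base64.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, headers, der) per block; text outside the markers is ignored."""
    out = []
    for label, inner in PEM_RE.findall(text):
        lines = [ln.strip() for ln in inner.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # base64 never contains ':'
        body = "".join(ln for ln in lines if ":" not in ln)
        out.append((label, headers, base64.b64decode(body, validate=True)))
    return out

def check_elb_inputs(key_text, cert_text):
    """Return a list of problems; an empty list means both files look pasteable."""
    problems = []
    keys = [b for b in pem_blocks(key_text) if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in pem_blocks(cert_text) if b[0] == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected 1 private key block, found %d" % len(keys))
    for label, headers, _ in keys:
        # PKCS#8 marks encryption in the label, the older format in a header.
        if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
            problems.append("private key is still passphrase-protected")
    if len(certs) != 1:
        problems.append("expected 1 certificate block, found %d" % len(certs))
    if "PRIVATE KEY-----" in cert_text:
        problems.append("certificate file also contains a private key")
    return problems

def cert_for_paste(cert_text):
    """The text from -----BEGIN CERTIFICATE----- through its END marker."""
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
                  cert_text, re.S)
    return m.group(0) if m else None

# Constructed sample data: real layout, placeholder bytes instead of real DER.
SAMPLE_B64 = base64.b64encode(b"constructed placeholder, not real DER").decode()
SAMPLE_CERT = ("Bag Attributes\n    localKeyID: 01 00 00 00\n"
               "subject=/CN=www.example.com\n-----BEGIN CERTIFICATE-----\n"
               + SAMPLE_B64 + "\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n" + SAMPLE_B64 +
              "\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_elb_inputs(SAMPLE_KEY, SAMPLE_CERT), cert_for_paste(SAMPLE_CERT), sep="\n")
```

To use it on real files, read server.key and cert.pem as text and pass their contents to check_elb_inputs.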
