AWS Load Balancer SSL limitations

{% raw %}
No one else seems to have documented this anywhere, so I'm gonna do it here.

Amazon Web Services has a great little load balancer system you can use.  A few clicks, and you're off to the races with a shiny load balancer of your own!  The best part?  It will even do SSL termination at the load balancer for you.  Just paste in your private key, certificate and chain, and away you go!  Right?

Wrong.  Seems like every time I do this, I end up with an invalid certificate at some stage of the game. Amazon doesn't tell you WHAT about your cert is wrong, or even what cert formats they want.  They just say "error: invalid private key".

I use a lot of Comodo certificates, which take about a day to generate.  I don't know why it takes them that long, maybe they're lovingly hand crafted by artisanal SSL certificate islanders on a small pacific island.  The point is, it takes for ever for them to respond to a request for a new cert, and that means I don't like to sit around regenerating certs in different formats at random until I figure out what Amazon wants.

So here's what I worked out, and you can reproduce it at home.  I generated my private key and certificate request with the often-used:

openssl req -new -nodes -keyout swearingatcomputers.key -out swearingatcomputers.csr

This is the lazy man's approach.  -nodes means it doesn't prompt me for a passphrase on the key, and -new without -newkey quietly generates a key of whatever size the default_bits setting in openssl.cnf says, so I don't have to type two separate commands... I just get a nice quick key that I can use.  Comodo accepts the certificate request, and 24 hours later my signed certificate and CA chain file are delivered by mail.  When I set up SSL with Apache, this key works fine.

But try and drop this into Amazon, and you get one of those mysterious messages, "error: invalid private key".  The key is not encrypted (that's exactly what -nodes avoided), and the algorithm isn't the problem either; what differs is the container the key is written in.  The command above writes the key as PKCS#8, a generic wrapper whose PEM header reads "BEGIN PRIVATE KEY", whereas Amazon wants the older, algorithm-specific PKCS#1 form, whose header reads "BEGIN RSA PRIVATE KEY" (or "BEGIN DSA PRIVATE KEY" for a DSA key).  Same key, same bits, different envelope.  To see if you're affected, just look at the first line of your key file.  If it says "BEGIN PRIVATE KEY", read on.  If it says "BEGIN RSA PRIVATE KEY" or "BEGIN DSA PRIVATE KEY", this won't interest you, sorry.

So to avoid this problem up front, you could have generated the key with a slightly different command.  One caveat: whether this writes the "BEGIN RSA PRIVATE KEY" header or still writes PKCS#8 depends on your OpenSSL version, so check the first line of the key before you send off the request.

openssl req -nodes -newkey rsa:2048 -keyout swearingatcomputers.key -out swearingatcomputers.csr
At this point, I started swearing at computers.  I have to wait another 24 hours for some pacific islander to meticulously hand-paint another cert?  Ridiculous!

But don't you fret.  You can convert the key you already have into the RSA (PKCS#1) form that Amazon will love, with no new request and no 24-hour wait, because the certificate is bound to the key itself, not to the envelope it was stored in.  First, the private key:

openssl rsa -in swearingatcomputers.key -text

This dumps every component openssl reads out of the key (modulus, public and private exponents, the two primes; all of it is secret, so don't paste this output into a ticket or a chat window), and at the end the same key re-encoded as an RSA PRIVATE KEY block.  Copy the block from the BEGIN line to the END line inclusive into a separate file, or straight into AWS, and there ya go!  Two notes: leave off -text and openssl prints only the PEM block; and on OpenSSL 3 the block printed is PKCS#8 again unless you also pass -traditional, so look at the header of what comes out.

Strictly speaking, the certificate doesn't need converting to "match" the key: it's a public object, and its PEM encoding is the same whichever way the key is stored.  What this step does is read whatever Comodo sent you and write it back out as a bare PEM certificate block, stripping any human-readable text some CAs prepend, which is the form AWS wants in the certificate field (the CA chain file goes in the separate chain field):

openssl x509 -inform PEM -in swearingatcomputers.crt

BAM, out comes your certificate in a form Amazon will take.
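Here is the whole procedure as one script, added here as an example rather than taken from the post.  It converts the key with openssl rsa -in ... -out (the command above minus -text, so the secret components never hit the terminal), re-emits the certificate, and adds the check a practitioner wants before clicking upload: that the key and certificate actually share a modulus, which is the other mistake AWS reports with the same opaque error.  On OpenSSL 3, openssl rsa writes PKCS#8 by default and needs -traditional to produce the RSA PRIVATE KEY header; older releases reject that flag, so the script tries it first and falls back.  Keys are assumed unencrypted (as with -nodes) and the file names are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: put a CA-issued key/cert pair
# into the form the post says AWS accepts, and check the pair belongs together.
# Assumes openssl on PATH and an unencrypted key. File names are placeholders.
set -e

# Print the type from a file's first PEM header, e.g. "PRIVATE KEY",
# "RSA PRIVATE KEY" or "CERTIFICATE". Any text before the header is skipped.
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Rewrite an unencrypted PKCS#8 key ("BEGIN PRIVATE KEY") as PKCS#1
# ("BEGIN RSA PRIVATE KEY"). Without -text openssl writes only the PEM block.
# OpenSSL 3 writes PKCS#8 by default and needs -traditional; older releases
# do not know the flag and fail, so fall back to the plain command for them.
to_pkcs1() {
    in=$1; out=$2
    openssl rsa -in "$in" -out "$out" -traditional 2>/dev/null \
        || openssl rsa -in "$in" -out "$out" 2>/dev/null
    [ "$(pem_type "$out")" = "RSA PRIVATE KEY" ]
}

# Re-emit a certificate as a bare PEM block, dropping any text the CA
# prepended. This is what goes in the certificate field; the CA bundle goes
# in the separate chain field.
normalize_cert() {
    openssl x509 -inform PEM -in "$1" -out "$2"
}

# Succeed only if the key and certificate share an RSA modulus. A mismatched
# pair earns the same unhelpful error from AWS, so check it locally first.
# Works on the key in either PKCS#8 or PKCS#1 form.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ "$k" = "$c" ]
}

# Usage: sh aws-elb-pem.sh swearingatcomputers.key swearingatcomputers.crt
# Writes swearingatcomputers.aws.key and swearingatcomputers.aws.crt, which
# are what you paste into the private key and certificate fields.
if [ "$#" -eq 2 ]; then
    key_out="${1%.key}.aws.key"
    crt_out="${2%.crt}.aws.crt"
    to_pkcs1 "$1" "$key_out"
    normalize_cert "$2" "$crt_out"
    if key_matches_cert "$key_out" "$crt_out"; then
        echo "key and certificate match; upload both plus the chain file"
    else
        echo "key and certificate do NOT match; wrong cert for this key?" >&2
        exit 1
    fi
fi
```

The modulus check is worth keeping around on its own: it's the quickest way to tell "AWS hates my key format" apart from "I pasted last year's certificate".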

And that's it!  I'm happy SOMEONE took the time to document Amazon's SSL key requirements.  They make sense, they're smart requirements... but they have to be written somewhere for poor rubes like me.
{% endraw %}