IIS SSL Certificate into Amazon Elastic Load Balancer

MWahl | December 7, 2011 | 9:12 am



Export SSL Certificate from IIS

  • Export your certificate from IIS 7 WITH the private key.
  • make sure to check the option PKCS #12 (.pfx)
  • I also checked the checkbox for “Include all certificates in the certification path if possible”

Here is a link for a tutorial on how to export your certificate

http://www.digicert.com/ssl-support/pfx-import-export-iis-7.htm

Now you should have your pfx file.

Convert the PFX file to PEM format

Next you will need to convert the PFX file to a valid pem format for the ELB.  In order to do this you will need the utility OpenSSL.

If you don’t have OpenSSL installed. You will need to. You can download the version (32 bit or 64 bit) you need below:

http://www.slproweb.com/products/Win32OpenSSL.html

There is a great post online that already explains how to do this which can be found here

http://www.petefreitag.com/item/16.cfm

For the ease of reading and to explain a bit futher I took the commands from the link above and insert them here as well.

First thing you need to do is open the windows command prompt and get to the directory where openssl is (if you did not put it in your PATH)

Command 1

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem

it will prompt you for an Import Password. I entered in the one I created when I exported the cert from IIS

Command 2

# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

it will prompt you for an Import Password: I entered in the one I created when I exported the cert from IIS.
Then it will prompt you for a PEM passphrase. Enter one if you’d like, then confirm it

Command 3

# This removes the passphrase from the private key so Apache won’t
# prompt you for your passphase when it starts
openssl rsa -in key.pem -out server.key

It will prompt for a pem passphrase. This would be the passphrase you created after command number 1 (if you did)

Upload the PEM format SSL into the Elastic Load balancer

Now it’s time to take the files you created from openssl and copy and paste them into the Elastic Load Balancer. I just uploaded it via the AWS Console Management UI. However they do have api tools as well you can do this with.

I configured the following on the ELB:

  • Microsoft IIS HTTP 80 for Load Balancer port to 80 EC2 instance Port
  • Microsoft IIS HTTPS 443 for Load Balancer port to 80 EC2 Instance Port

 

When prompted for the certificate keys do the following:

  • Open the file server.key that was created from above with openssl and paste into the Private Key textbox
  • Open the file cert.pem that was created from above with openssl and copy the text from —-BEGIN till the end of the file and paste that into Public Key Certificate textbox

Note: I did not put anything into the certificate chain

Finish configuring the rest of your Elastic Load Balancer

 

Categories
Amazon EC2

« »

Comments are closed.