Very likely you are familiar with HTTP and HTTPS. HTTPS is HTTP carried over TLS, so the traffic between the browser and the site is encrypted and the site has to prove its identity. It does that by presenting a certificate: an electronic document that binds a public key to a name (for a website, its hostname). Certificates are signed by entities called certificate authorities (CAs). When the browser is presented with a certificate whose signature chains to a CA it trusts, and whose name matches the host it connected to, it accepts the public key as belonging to that site.


IAM works with X.509 public key certificates. X.509 is the ITU-T standard that defines the format of public key certificates and the public key infrastructure (PKI) and privilege management infrastructure (PMI) built around them. You can find more about this by reading these articles: X.509 and Public key certificate.

One application of these certificates is to allow HTTPS access through Elastic Load Balancing.

Server certificates stored in IAM can also be used with CloudFront and AWS OpsWorks.

To use a certificate you need to take these steps, starting with creating the certificate and ending with uploading it to IAM:

  • Install and configure OpenSSL
  • Create the private key
  • Create the CSR (Certificate Signing Request)
  • Send the CSR to a CA (Certificate Authority)
  • Upload the certificate

One thing to be aware of: the IAM console has no page for uploading server certificates, so you need the AWS CLI (or the IAM API) to do it.

OpenSSL is an open source toolkit that implements the TLS and SSL protocols and the cryptography behind them. Its command line lets you generate an RSA key pair, build a certificate signing request for it and sign certificates, which is all we need here.

I’m not going to explain how to install and configure OpenSSL. This can be found quickly on the internet.

So let’s go ahead and create the 2048-bit RSA private key. This file is the secret half of the key pair; anyone who obtains it can impersonate the load balancer, so keep it out of version control and readable only by you (chmod 600):

[ec2-user@EC2-REDHAT-01 ~]$ openssl genrsa 2048 > my_private_key.pem
Generating RSA private key, 2048 bit long modulus
.......+++
........................................................+++
e is 65537 (0x10001)
[ec2-user@EC2-REDHAT-01 ~]$

The next step is to create the CSR (Certificate Signing Request). The CSR carries the public key and the subject name, and it is what a CA actually signs. The Common Name must be the hostname clients will connect to, here the ELB’s DNS name. (Current browsers ignore the CN and require the hostname in the Subject Alternative Name extension, which the interactive command below does not add.)

[ec2-user@EC2-REDHAT-01 ~]$ openssl req -new -key my_private_key.pem -out csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:New York
Organization Name (eg, company) [Default Company Ltd]:IS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:LB-1837563401.us-east-1.elb.amazonaws.com
Email Address []:admin@us-east-1.elb.amazonaws.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[ec2-user@EC2-REDHAT-01 ~]$

The next step would be to submit the CSR to a Certificate Authority. I’m not going to do this as the certificate that I’m creating is for testing purposes. Instead, I will create a self-signed certificate based on the CSR that I previously created, using this command:

[ec2-user@EC2-REDHAT-01 ~]$ openssl x509 -req -days 365 -in csr.pem -signkey my_private_key.pem -out certificate.crt
Signature ok
subject=/C=US/L=New York/O=IS/OU=IT/CN=LB-1837563401.us-east-1.elb.amazonaws.com/emailAddress=admin@us-east-1.elb.amazonaws.com
Getting Private key
[ec2-user@EC2-REDHAT-01 ~]$

Later there will be a problem with this certificate: it is self-signed, so browsers will report it as untrusted. (It is also signed with SHA-1, the default of the OpenSSL release used here; pass -sha256 to openssl x509 for anything beyond a test, because browsers now reject SHA-1 signatures.) The purpose of this article is to show you how to use server certificates and how to check them in your browser.

It’s time to upload the certificate on IAM.

When you are uploading the certificate, you will need three files:

  • The server certificate in PEM format
  • The private key in PEM format
  • Certificate chain file

We are going to use the first two because we don’t have the third one. The certificate chain is the set of intermediate CA certificates that link the server certificate to a root: root-CA – sub-CA1 – sub-CA2 – SSL client/server certificate. The browser ships with the root CA and nothing else, so it can only trust a certificate signed by sub-CA2 if it is also given sub-CA2 and sub-CA1 to build the path back to the root. That is what the chain file provides, and a missing intermediate is the usual reason a CA-issued certificate shows up as untrusted.

When a certificate is uploaded, IAM checks that all of these conditions are met:

  • The certificate body is an X.509 certificate in PEM encoding
  • The certificate is valid at upload time (the current date lies between its notBefore and notAfter dates)
  • The private key corresponds to the public key embedded in the certificate
  • The certificate body and the private key file each contain exactly one item: one certificate and one key
  • The private key is an unencrypted RSA key in PEM format
  • If a certificate chain is supplied, it contains every intermediate CA certificate, in order from the one that issued the server certificate up to the one issued by the root, and not the server certificate itself
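As an added example (not from the original article), the POSIX shell script below reproduces the key, CSR and certificate steps above without prompts, then runs the conditions in the list above locally, so an upload that IAM would reject fails on your machine first. It also builds a constructed root → intermediate → server hierarchy to show why the intermediate has to be in the chain file. The CA names, file names and the working directory are assumptions for the demo; the ELB hostname is the one from the article. It needs only the openssl command line.

```shell
#!/bin/sh
# Added example: non-interactive key/CSR/certificate creation plus the checks IAM
# applies when a server certificate is uploaded. Needs only the openssl CLI.
# CA names, file names and the work directory are made up for the demo.
set -eu

# --- generation (the article's commands, without prompts) ---------------------

# 2048-bit RSA key, unencrypted (IAM rejects encrypted keys); the subshell umask
# keeps the file readable by its owner only.
gen_key() { ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null ); }

# CSR: $1 key, $2 Common Name (the hostname clients will use), $3 output file.
make_csr() {
  openssl req -new -key "$1" -subj "/C=US/L=New York/O=IS/OU=IT/CN=$2" -out "$3" 2>/dev/null
}

# Extension files: a SAN for a server certificate, CA constraints for a CA certificate.
san_ext() { printf 'subjectAltName=DNS:%s\n' "$1" > "$2"; }
ca_ext()  { printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"; }

# Sign a CSR: $1 csr, $2 extension file, $3 output, then "self" KEY or "ca" CACERT CAKEY.
# -sha256 overrides the SHA-1 default of older OpenSSL releases.
sign_csr() {
  csr="$1"; ext="$2"; out="$3"; mode="$4"; shift 4
  if [ "$mode" = self ]; then
    openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$1" -extfile "$ext" -out "$out" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 365 -in "$csr" -CA "$1" -CAkey "$2" -CAcreateserial \
      -extfile "$ext" -out "$out" 2>/dev/null
  fi
}

# --- the upload-time conditions, checked locally ------------------------------

is_x509()     { openssl x509 -in "$1" -noout 2>/dev/null; }                  # parses as X.509
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }  # notAfter is in the future
cert_count()  { grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true; }
key_count()   { grep -c -e '^-----BEGIN.*PRIVATE KEY-----' "$1" || true; }
key_is_plain_rsa() { ! grep -q ENCRYPTED "$1" && openssl rsa -in "$1" -noout -check >/dev/null 2>&1; }
# The private key must belong to the certificate: compare the public keys each one yields.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}
# Path building, as a browser does it: $1 server cert, $2 trusted root, $3 optional
# intermediate chain file. Also enforces notBefore/notAfter on every certificate in the path.
chain_verifies() {
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; fi
}

# preflight CERT KEY ROOT [CHAIN]: one FAIL line per violated condition, returns 1 if any.
preflight() {
  rc=0
  is_x509 "$1"                      || { echo "FAIL: body is not an X.509 certificate";          rc=1; }
  [ "$(cert_count "$1")" -eq 1 ]    || { echo "FAIL: body must hold exactly one certificate";    rc=1; }
  [ "$(key_count "$2")" -eq 1 ]     || { echo "FAIL: key file must hold exactly one key";        rc=1; }
  key_is_plain_rsa "$2"             || { echo "FAIL: key must be an unencrypted RSA key";        rc=1; }
  key_matches_cert "$1" "$2"        || { echo "FAIL: key does not match the certificate";        rc=1; }
  not_expired "$1"                  || { echo "FAIL: certificate has expired";                   rc=1; }
  chain_verifies "$1" "$3" "${4:-}" || { echo "FAIL: no path to the root (intermediate missing?)"; rc=1; }
  return $rc
}

# --- demo ---------------------------------------------------------------------
WORK=$(mktemp -d)
LB_HOST=LB-1837563401.us-east-1.elb.amazonaws.com   # the article's ELB DNS name

# (a) The article's flow, self-signed: the trust anchor is the certificate itself.
gen_key "$WORK/my_private_key.pem"
make_csr "$WORK/my_private_key.pem" "$LB_HOST" "$WORK/csr.pem"
san_ext "$LB_HOST" "$WORK/san.ext"
sign_csr "$WORK/csr.pem" "$WORK/san.ext" "$WORK/certificate.crt" self "$WORK/my_private_key.pem"

# (b) Constructed hierarchy root -> intermediate -> server. An upload of server.crt
#     would pass intermediate.crt as the chain file; the root is never included.
ca_ext "$WORK/ca.ext"
gen_key "$WORK/root.key";   make_csr "$WORK/root.key" "Test Root CA" "$WORK/root.csr"
sign_csr "$WORK/root.csr" "$WORK/ca.ext" "$WORK/root.crt" self "$WORK/root.key"
gen_key "$WORK/int.key";    make_csr "$WORK/int.key" "Test Sub-CA" "$WORK/int.csr"
sign_csr "$WORK/int.csr" "$WORK/ca.ext" "$WORK/intermediate.crt" ca "$WORK/root.crt" "$WORK/root.key"
gen_key "$WORK/server.key"; make_csr "$WORK/server.key" "$LB_HOST" "$WORK/server.csr"
sign_csr "$WORK/server.csr" "$WORK/san.ext" "$WORK/server.crt" ca "$WORK/intermediate.crt" "$WORK/int.key"

echo "self-signed:"; preflight "$WORK/certificate.crt" "$WORK/my_private_key.pem" "$WORK/certificate.crt"
echo "CA-issued:";   preflight "$WORK/server.crt" "$WORK/server.key" "$WORK/root.crt" "$WORK/intermediate.crt"
```

Run it as-is and it prints a FAIL line for every violated condition and exits nonzero. For your own CA-issued certificate, call preflight with the certificate, its key, the CA’s root as the trust anchor and the file of intermediates as the chain; dropping the chain argument reproduces the “unable to get local issuer” failure a browser would hit if the intermediate is missing.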

As I mentioned, you need the AWS CLI to do this. Let’s first check whether any server certificates already exist, upload ours, and then list them again (for a CA-issued certificate you would also pass the intermediates with --certificate-chain):

[ec2-user@EC2-REDHAT-01 ~]$ aws iam list-server-certificates
{
    "ServerCertificateMetadataList": []
}
[ec2-user@EC2-REDHAT-01 ~]$ aws iam upload-server-certificate --server-certificate-name my-certificate --certificate-body file://certificate.crt --private-key file://my_private_key.pem
{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "ASCAJDDJK47L4BANACYJM",
        "ServerCertificateName": "my-certificate",
        "Expiration": "2015-09-14T10:29:41Z",
        "Path": "/",
        "Arn": "arn:aws:iam::XXXXXXXXXXXX:server-certificate/my-certificate",
        "UploadDate": "2014-09-14T10:37:18.424Z"
    }
}
[ec2-user@EC2-REDHAT-01 ~]$ aws iam list-server-certificates
{
    "ServerCertificateMetadataList": [
        {
            "ServerCertificateId": "ASCAJDDJK47L4BANACYJM",
            "ServerCertificateName": "my-certificate",
            "Expiration": "2015-09-14T10:29:41Z",
            "Path": "/",
            "Arn": "arn:aws:iam::XXXXXXXXXXXX:server-certificate/my-certificate",
            "UploadDate": "2014-09-14T10:37:18Z"
        }
    ]
}
[ec2-user@EC2-REDHAT-01 ~]$

Now that we are here, let’s see how to view the content of the certificate and how to delete it:

[ec2-user@EC2-REDHAT-01 ~]$ aws iam get-server-certificate --server-certificate-name my-certificate
{
    "ServerCertificate": {
        "CertificateBody": "-----BEGIN CERTIFICATE-----\nMIIDvjCCAqYCCQDT6z7HaWiWgzANBgkqhkiG9w0BAQUFADCBoDELMAkGA1UEBhMC\nVVMxETAPBgNVBAcMCE5ldyBZb3JrMQswCQYDVQQKDAJJUzELMAkGA1UECwwCSVQx\nMjAwBgNVBAMMKUxCLTE4Mzc1NjM0MDEudXMtZWFzdC0xLmVsYi5hbWF6b25hd3Mu\nY29tMTAwLgYJKoZIhvcNAQkBFiFhZG1pbkB1cy1lYXN0LTEuZWxiLmFtYXpvbmF3\ncy5jb20wHhcNMTQwOTE0MTAyOTQxWhcNMTUwOTE0MTAyOTQxWjCBoDELMAkGA1UE\nBhMCVVMxETAPBgNVBAcMCE5ldyBZb3JrMQswCQYDVQQKDAJJUzELMAkGA1UECwwC\nSVQxMjAwBgNVBAMMKUxCLTE4Mzc1NjM0MDEudXMtZWFzdC0xLmVsYi5hbWF6b25h\nd3MuY29tMTAwLgYJKoZIhvcNAQkBFiFhZG1pbkB1cy1lYXN0LTEuZWxiLmFtYXpv\nbmF3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSuuc/77Fu\npLb+dN/bO2Ld4aD13/5FwK+UfYz0BuojgKp9uUs3QxH8X9Ti4C8HxEp4pkG4S/36\n0rPOO1mTui8k9Ut7M47CjwW7lyWS9cIDcpno3X2Fbt3azjIV3icZ0Edm6aPzTVoX\nhgveH/ODfLX0B/x2GUJ0HRYC0OYLjZ/KyXMZIk78tbhj1GSL8MchpWqAvSHNBM9j\nM6hpmiQvXR5VbvQzmcBVQRbkgw4sRoiOvhIGYnihyDbG2phvKKl9X4QR+DI2lBri\ntqKCi8+8rWzdNjUbEaVs98Ib7KGSRpHUijWelKPNJ1vYspGrs2471DZixUjP6e0L\nj3p35nRs672zAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAHs+qmhH4cCGCSqBSc6W\nXgE77dLS1jUPkgFXgE0TsFVOTWQIfSDCnjwTrru4qOLk9HOtNUe6+aFy6SUdMEEW\nIJmTYoVBY6/+/rmsxmThFDcCW5bjudrvOYisoOcKZ6c142zSJyozXk4AaJm3o8lx\nBcztJ0dPSob5yt6D5TodElTu5HHyZRNWb9SpTF7C137sdiCZmouPXQ4ZIIEFqDjW\n+AySbAUYfgGUL8VoxQU/R22AfeIS9BCeehuQRGU6B/iO5K4bsUkwqxsRImTupefP\nKEZ+vyes4eZ8kk2z9v6VBec6Tp9vDwyuac5xTH0JdfYgDdKmAFoX6LoSxWApwZMY\nZN8=\n-----END CERTIFICATE-----",
        "ServerCertificateMetadata": {
            "ServerCertificateId": "ASCAJDDJK47L4BANACYJM",
            "ServerCertificateName": "my-certificate",
            "Expiration": "2015-09-14T10:29:41Z",
            "Path": "/",
            "Arn": "arn:aws:iam::XXXXXXXXXXXX:server-certificate/my-certificate",
            "UploadDate": "2014-09-14T10:37:18Z"
        }
    }
}
[ec2-user@EC2-REDHAT-01 ~]$ aws iam delete-server-certificate --server-certificate-name my-certificate
[ec2-user@EC2-REDHAT-01 ~]$ aws iam list-server-certificates
{
    "ServerCertificateMetadataList": []
}
[ec2-user@EC2-REDHAT-01 ~]$

I added back the same certificate so we can continue with our article.

Now that we have the certificate, what do we do with it? What is it used for?

In one of the past articles, How to Deploy High Availability and Load-Balancing in Amazon AWS, we discussed how to use an Elastic Load Balancer as the front end for two servers running WordPress. You accessed the ELB’s URL and the ELB forwarded each request to one of the two servers, giving both high availability and load balancing.

But what if you want to use HTTPS instead of HTTP? How can you do that?

I already created an ELB that uses only HTTP as a listener:

Let’s add another listener for HTTPS:

As you can see, if you try to save the change, you are told that you need to specify an SSL certificate. How do you add one?

Click on “Change” under “SSL Certificate” column:

Because we already uploaded the certificate, we can select it directly. If it hadn’t been uploaded, you could upload it here the first time you select a certificate: you would be asked for a certificate name, the private key and the public key certificate (plus the chain for a CA-issued certificate), and the result is stored in IAM just like a CLI upload.

Click on “Save”, and you will be sent to the Listeners configuration:

By default a predefined security policy governs which protocol versions and cipher suites the load balancer will negotiate with clients. You can see it, and pick another one, by clicking on “Change” under the “Cipher” column:

Once you have finished with the listeners configuration, you can go ahead and save it:

In this case, the ELB can be accessed by using this DNS name: LB-1837563401.us-east-1.elb.amazonaws.com

Let’s see what happens when you access it from a browser. Just remember that if you want to use HTTPS, the URL must be https://LB-1837563401.us-east-1.elb.amazonaws.com/wordpress/

One more thing to be aware of: the load balancer’s security group currently allows only HTTP (port 80) inbound. Once you use HTTPS, edit the security group and allow HTTPS (port 443) as well; otherwise the new listener is unreachable.

As you can see, you are warned that the certificate used by the website is not signed by a trusted CA. That is expected: we generated our own certificate, and it is only for testing purposes. So let’s go ahead and inspect the certificate:

As you can see, the details provided by the browser match the details used when we created the certificate. The definitive check is the fingerprint: the one the browser shows must equal the fingerprint OpenSSL computes for the certificate file you uploaded; if it differs, the listener is serving a different certificate than you think.

And we successfully applied our server certificate to an ELB.

In this article we learned how to create:

  • A private key
  • A certificate signing request
  • A self signed certificate

Also, we now know how to upload, list and delete server certificates in AWS IAM and as a bonus, I showed you a use case for the server certificates in AWS.
