Some admins may enjoy the SSL Certificate that the Amazon Web Services (AWS) initially provides, but an admin may want to get or set up their own SSL Certificate from an outside CA. To do this they will have to generate a Certificate Signing Request (CSR). A CSR is a small encrypted piece of text which contains information about a certificate applicant and the domain name to secure. Once you activate the certificate with the help of CSR, the information passes to the Certificate Authority which validates the certificate based on the information from the CSR.
The RSA private key is generated along with the CSR and plays an important role in encrypting the information. It should be stored safely on the server and not be compromised.
There are two ways to generate a CSR for AWS. You can use OpenSSL through the PuTTY client that Amazon supplies, or, if you are looking for a simpler way to create CSRs and install and manage your SSL certificates, we recommend using the DigiCert Certificate Utility for Windows.
These instructions will go over the simpler way of CSR generation using the Digicert Certificate Utility for Windows.
Things to know:
- If you use the utility to generate a CSR for an SSL Certificate, then once the certificate is issued you will have to import your SSL Certificate using the utility to successfully configure it: binding into IIS, exporting as .pfx format, exporting as .pem format, etc.
- The DigiCert Certificate Utility for SSL Certificates automatically refers to the Windows account certificate stores on the Windows system.
- After installation you can export the certificate in an Apache .pem / .crt-.key format or a Windows PKCS#12 .pfx format, and apply the certificate to whatever systems require it, such as AWS.
Downloading and Installing The Digicert Certificate Utility.
- On your Windows server or workstation, download and save the Digicert Certificate Utility for Windows executable (DigiCertUtil.exe).
- Run the DigiCert Certificate Utility for Windows by double-clicking DigiCertUtil.exe.
Congrats you have downloaded and installed the Digicert Certificate Utility.
How To Generate a CSR:
To generate a CSR to get an SSL Certificate perform the following.
- Run the DigiCert Certificate Utility by double-clicking DigiCertUtil.exe.
- In the DigiCert Certificate Utility, click SSL.
- Click Create CSR.
- In the Create CSR window under Certificate Type: select SSL.
- In the Certificate Details fill out the following fields:
- Common Name: The Fully Qualified Domain Name that the certificate will be issued to and will secure, for example www.yourdomain.com, or *.yourdomain.com if you are enrolling for a wildcard certificate.
- Organization: Specify the legal name of your organization.
- Department (optional): Enter the sub-team or organizational unit that this SSL Certificate pertains to. Examples: Marketing, Mobile Gaming, SSL Support Desk, IT, etc.
- City: The city of your legal corporate headquarters. Example: Boston.
- State: Enter the state or province where your legal corporate headquarters is located.
Note: Enter the state your organization is located in. If you're creating a CSR for a location outside of the USA, you can enter anything into the list; it will accept any state name you type.
- Country: From the drop-down menu select the country.
- Keysize: Any will do. (Leave at default).
- Provider: Leave at default.
- When all the information has been filled click Generate.
- You will get another window that displays your CSR request. Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into your CA's order form.
- When you are done, click Close.
Congrats, you have just generated your CSR. During the enrollment of your SSL Certificate the CA should provide you with a field to paste this CSR into.
Note: Depending on the CA when enrolling they may ask you for a Server or Format type you would like for your certificate. Select either Microsoft/Windows or pkcs7. This will ensure you receive your certificate and all its required intermediates in one file, and will make installation back into the Digicert Utility easier.
After the SSL Certificate gets issued you will then Import your SSL Certificate back into the utility.
How to Install Your New SSL Certificate Into The Digicert Certificate Utility:
After you have enrolled for your SSL Certificate using a CSR generated from the utility, you will then have to import/install the SSL Certificate after it gets issued. The CA should give you a PKCS#7 format certificate, also known as a .p7b. The way they give you this certificate will vary.
Save and move this .p7b file to the system on which you created the CSR using the Utility.
To complete and install your SSL Certificate perform the following.
- Run the DigiCert Certificate Utility by double-clicking DigiCertUtil.exe.
- In the DigiCert Certificate Utility, click SSL.
- Click Import.
- In the Certificate Import window click Browse.. and Open to specify the location and path of your SSL Certificate. Change the file type to either PKCS#7 Certificates (*.p7b) or All from the drop down to find your certificate.
- After specifying the location and path of the file click Next.
- You will see information about the certificate you have selected to import. In the field labeled Enter a new friendly name or you can accept the default, type a friendly name for the certificate, something unique so that you can quickly identify it.
- Click Finish.
- You should get confirmation that the certificate has been successfully installed and see it within your list of SSL certificates.
Note: If you get an error that states "Private Key Missing", it is due to one of the following causes:
- You did not create the CSR/private key on this machine.
Resolutions:
- Make sure you are on the correct system, the one with the DigiCert Certificate Utility installed on which you generated the CSR.
- If you lost your private key, or the system where the CSR was generated using the Utility blew up, you will have to start from scratch by generating a new CSR and performing a reissue/rekey of your SSL Certificate.
- You are installing the wrong certificate.
Resolutions:
- Make sure you are installing the correct certificate. Typically, once the certificate is on your desktop as a .p7b file, you can double-click it to read its information. Make sure the certificate, or one of the certificates in its chain, is issued to your organization with the correct dates.
Congrats you have just installed your SSL Certificate using the Digicert Certificate Utility for SSL.
Exporting your SSL Certificate in the required format for Amazon Web Services from the DigiCert Certificate Utility:
Now that you have your SSL Certificate key pair ready to go, you can export that certificate into the PEM format that AWS requires.
- Run the DigiCert Certificate Utility by double-clicking DigiCertUtil.exe.
- In the DigiCert Certificate Utility, click SSL.
- Select the SSL Certificate that you want to export and then click Export Certificate.
- In the Certificate Export wizard, select Yes, export the private key.
- Select Key file (Apache compatible format).
- Click Next.
- By default the exported file will be saved to your desktop. Otherwise, click the … button and specify the file name and path where you would like to save your file.
- Click Finish.
- You will see at least two files placed in the location, name and path you specified for your exported Apache compatible files.
- name.key: This is your private key file.
- name.crt: This is your SSL Certificate.
- CACert.crt: Any CA intermediate chain trust certificates that went along with your SSL Certificate during its export are put into this file.
- Congrats, you now have PEM x509 Apache format certificates. With your two or three files you can rename them or change their extensions as you see fit. Opening the files in Notepad gives you a copy-and-paste method to import the certificate into hosting environments or other applicable systems. If you have a system that needs .pem, simply change the .crt extension of the files by renaming them to .pem. Typically you will leave your .key file as is.
Congrats, you have exported your SSL Certificate in PEM/x509 format and it is ready for you to distribute.
You need to upload the certificate files (your_domain_com.key, your_domain_com.crt, and CA.crt) to your AWS account.
Importing your SSL Certificate into Amazon AWS:
The following example shows how to reimport a certificate using the AWS Management Console.
- Open the ACM console at http://console.aws.amazon.com/acm/home.
- Click Services
- Under Security Identity & Compliance, click Certificate Manager.
- Click Import a Certificate.
- On the Import a certificate pane perform the following:
- For Certificate body, paste the PEM-encoded end-entity certificate. Your name.crt is your SSL Certificate.
- For Certificate private key, paste the unencrypted PEM-encoded private key. Your name.key is your private key file.
- For Certificate chain, paste the PEM-encoded certificate chain. Your CACert.crt is your CA chain file.
- Choose Review and import.
- Review the information about your certificate. If there are no errors, choose Reimport.
Congrats, your SSL Certificate has been imported into your Amazon cloud and is ready to be bound to whatever HTTPS service you require within your Amazon Cloud.
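The export and import steps above rely on the three exported files belonging together: the private key must match name.crt, the key must be unencrypted, and CACert.crt must actually chain name.crt to a root. The script below is an added example (not part of the original article or of the DigiCert utility) that checks exactly those three points with the openssl CLI before anything is pasted into ACM, and prints the equivalent aws acm import-certificate command; it assumes openssl is installed, and the make_fixtures helper builds a constructed throwaway CA and leaf purely as sample data.

```shell
#!/bin/sh
# Added example: sanity-check the name.key / name.crt / CACert.crt files exported
# by the DigiCert utility before importing them into ACM. Assumes the openssl CLI.
set -u

# Returns 0 when the key matches the certificate, the key is unencrypted and the
# chain validates the certificate; prints the reason and returns 1 otherwise.
check_acm_bundle() {
  key="$1"; crt="$2"; chain="$3"
  # ACM only accepts an unencrypted PEM key (the utility exports one by default)
  if grep -q 'ENCRYPTED' "$key"; then
    echo "private key is encrypted; ACM needs an unencrypted PEM key"; return 1
  fi
  # Derive the public key from the private key and compare it with the cert's
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "cannot read key"; return 1; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "cannot read cert"; return 1; }
  if [ "$key_pub" != "$crt_pub" ]; then
    echo "private key does not match certificate (wrong cert, or CSR made on another machine)"
    return 1
  fi
  # Confirm the exported chain file really validates the end-entity certificate
  openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1 || { echo "chain does not verify"; return 1; }
  # Same three files, mapped to the three ACM fields (body, private key, chain)
  echo "ok: aws acm import-certificate --certificate fileb://$crt" \
       "--private-key fileb://$key --certificate-chain fileb://$chain"
}

# Constructed sample data only: a throwaway CA and a leaf certificate it signs
make_fixtures() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/CACert.crt" \
    -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/name.key" -out "$dir/name.csr" \
    -subj "/CN=www.example.com" >/dev/null 2>&1
  openssl x509 -req -in "$dir/name.csr" -CA "$dir/CACert.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/name.crt" -days 1 >/dev/null 2>&1
}
```

Run check_acm_bundle against your real exported files; a mismatch message points at the same causes as the "Private Key Missing" note above (CSR generated elsewhere, or the wrong .p7b imported).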
Replacing an SSL Certificate for your Classic Load Balancer:
- Open the Amazon EC2 console.
- On the navigation pane, under LOAD BALANCING, choose Load Balancers.
- Select your load balancer.
- On the Listeners tab, for SSL Certificate, choose Change.
- On the Select Certificate page, select Choose an existing certificate from AWS Certificate Manager (ACM), select the certificate from Certificate, and then choose Save.
Congrats your SSL Certificate is bound within an active listener on your Amazon Cloud system.
If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.
Amazon Support:
For more information refer to Amazon.