Need Quality Code? Get Silver Backed

SSL, AWS and IIS

13thJan

0

by Gary H

Every thought you produce, anything you say, any action you do, it bears your signature.

Nhat Hanh

Using SSL with some AWS resources such as CloudFront or Elastic Load Balancer can be tricky to setup - particularly if you arrive from a Windows background. In this article we look at how we can take an SSL certificate from IIS and upload it to IAM on AWS to allow it to be used for other services.

Get the Certificate

To get started we need an SSL certificate. Keeping with the theme of this post we will get ours by exporting it from IIS. To do this we need to use IIS Manager, select the root machine and select "Server Certificates".

Select the certificate that you want and select "Export". This will create a PFX file. It's this file which we will bully into the correct shape for AWS.

Convert to PEM

The next step is to convert the PFX file that we have into PEM format for AWS. We will also need to extract the certificate into multiple parts - public and private keys along with the chain of all intermediate certificates if necessary.

openssl pkcs12 -in YOURCERT.pfx -out private.key.1 -nodes -nocerts
openssl pkcs12 -in YOURCERT.pfx -out public.key.1 -nodes -clcerts
openssl pkcs12 -in YOURCERT.pfx -out chain.key.1 -nodes -cacerts

openssl rsa -in private.key.1 -out private.pem
openssl rsa -in public.key.1 -pubout -out public.pem
openssl rsa -in chain.key.1 -out chain.pem

These commands use OpenSSL to translate the PFX file into PEM ready for use. If you don't have it already you can grab OpenSSL for Windows via Shining Light.

Upload to IAM

With the PEM files prepared you need to upload them to AWS. For an SSL certificate to be usable for CloudFront you must upload the certificate to a path beginning with /cloudfront/. We would also recommend that you name your certificate with a Date/Time as well as a useful name.

aws iam upload-server-certificate --server-certificate-name YourNameHere 
    --certificate-body file://public.pem --private-key file://private.pem 
    --certificate-chain file://chain.pem --path /cloudfront/YourNameHere/

The upload can only currently be accomplished on the command line. To get the latest version of the AWS CLI see the CLI homepage. If you experience any issues at this point, check your PEM files. They should look like:

-----BEGIN CERTIFICATE-----
MIIFDzCCA/egAwIBAgIRAPrGzNGoAWurMTg01mF/peQwDQYJKoZIhvcNAQELBQAw
XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO
MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCB....
... lots more lines ...
HQO7zJ8CbY1DZl+UsFqePNmO7pQy1hsMtjkqzSRdflZL1gvjPkydgOCPsW4DFtQG
1uMq
-----END CERTIFICATE-----

If they don't you may need to revisit the .key.1 files we produced and lift the certificates directly from them and overwrite the PEM files before uploading again.

If the upload worked your certificates should now be available for use with Distribution Settings on CloudFront or for ELB.

Find this post useful? Follow us on Twitter

AWS , SSL

Comments are Locked for this Post