Setting up a classic AWS EC2 Load Balancer for SSL termination


Setting up an AWS EC2 Load Balancer for SSL termination is pretty straightforward once you have all the required information at hand.

In this example we will be setting up a classic AWS EC2 Load Balancer for SSL termination.

Before we start configuring the load balancer, make sure you have the following required assets at hand:

  1. Server SSL private key
  2. Server SSL certificate
  3. Server SSL certificate chain (if required by your SSL setup)
  4. AWS CLI working
    1. Access to IAM via CLI
    2. AWS Access Key ID
    3. AWS Secret Access Key
  5. Access to the AWS Management Console to set up the classic EC2 Load Balancer
  6. Optional: a cup of coffee or tea 😉

We will now go through all the steps required to get your EC2 Load Balancer for SSL termination up and running in no time.

Converting SSL certificates to PEM format

First and foremost, your Server SSL private key and your Server SSL certificate are required to be in PEM format.

If this is not the case, use the following commands to convert your private key and certificate to PEM format:

Convert SSL private key to PEM format

openssl rsa -in server-key.key -out server-key.pem

Convert SSL certificate to PEM format

openssl x509 -inform PEM -in server-certificate.crt > server-certificate.pem
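
One way to check the converted files locally before they go to AWS IAM, as an added example that is not part of the original post. The function names are made up here; the file names in the usage line follow the article.

```bash
#!/usr/bin/env bash
# Added example: local checks on the PEM files before they are uploaded to IAM.
# Function names are illustrative; they are not part of openssl or the AWS CLI.

# True if the first line is a PEM header. A file with a human-readable dump
# in front of the PEM block (what "openssl rsa -text" writes) fails here.
pem_is_clean() {
    head -n 1 "$1" | grep -Eq '^-----BEGIN [A-Z0-9 ]+-----'
}

# True if the key carries no passphrase (IAM requires an unencrypted key).
# Covers the PKCS#8 header and the legacy "Proc-Type" marker of encrypted RSA keys.
key_is_unencrypted() {
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the public key derived from the private key equals the public key
# embedded in the certificate, i.e. the two files belong together.
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    pub_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# Run all checks; print the first problem found and return non-zero.
preflight() {
    pem_is_clean "$1" || { echo "key: text before PEM header" >&2; return 1; }
    pem_is_clean "$2" || { echo "cert: text before PEM header" >&2; return 1; }
    key_is_unencrypted "$1" || { echo "key: passphrase-protected" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    chmod 600 "$1"   # keep the private key readable by its owner only
}

# Usage: ./preflight.sh server-key.pem server-certificate.pem
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2" && echo "OK: files are consistent"
fi
```
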

Setup AWS CLI

In order to set up AWS CLI you may use the bundle provided by Amazon or install the requirements manually.

After the installation you will need to set up your AWS CLI credentials.

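Make sure that the policy IAMFullAccess is attached to the target AWS CLI user. IAMFullAccess grants full access to IAM; the upload in this guide uses the iam:UploadServerCertificate action.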

Then, set up the AWS CLI credentials using the following command:

aws configure

You will be prompted to enter your:

  1. AWS Access Key ID
  2. AWS Secret Access Key

Once this is completed you can continue by installing your SSL certificate in AWS using AWS CLI and AWS IAM.

Installing SSL certificates in AWS IAM

Once you have AWS CLI working with your credentials it’s time to upload your SSL certificate together with the private key and optionally the certificate chain to AWS IAM:

Upload SSL certificate to AWS IAM

aws iam upload-server-certificate \
--server-certificate-name your-certificate-name \
--certificate-body file://server-certificate.pem \
--private-key file://server-key.pem

AWS CLI should respond with an appropriate success message, like so:

{
    "ServerCertificateMetadata": {
        "ServerCertificateId": "SOMEHASHVALUE", 
        "ServerCertificateName": "your-certificate-name", 
        "Expiration": "2018-09-14T23:59:59Z", 
        "Path": "/", 
        "Arn": "arn:aws:iam::SOME_NUMBER:server-certificate/your-certificate-name", 
        "UploadDate": "2017-09-15T09:40:52.183Z"
    }
}

You will now be able to select your SSL certificate when creating your EC2 Load Balancer.

Setup classic AWS EC2 Load Balancer for SSL termination

Now that everything is prepared we are able to actually create the classic EC2 Load Balancer for SSL termination.

Open up the AWS Management Console and create a classic EC2 Load Balancer by selecting the Previous Generation Classic Load Balancer.

Then you will be guided through the setup steps for your EC2 classic Load Balancer:

Step 1: Basic Configuration

Step 2: Security Groups

Step 3: Certificate and Cipher Settings

Step 4: Health Check

Step 5: Adding EC2 instances

Step 6: Add Tags

Step 7: Review and Start EC2 Load Balancer

If everything went OK you should be able to access the newly created Load Balancer using https://www.your-server.com now.

Check your SSL setup

Make sure to check your SSL setup using external services such as SSLLabs:

https://www.ssllabs.com/ssltest/analyze.html?d=www.your-server.com
