  • Setting up a classic AWS EC2 Load Balancer for SSL termination

    Setting up an AWS EC2 Load Balancer for SSL termination is pretty straightforward once you have all the required information at hand.

    In this example we will be setting up a classic AWS EC2 Load Balancer for SSL termination.

    Before we start configuring the load balancer make sure you have the following required assets at hand:

    1. Server SSL private key
    2. Server SSL certificate
    3. Server SSL certificate chain (if required by your SSL setup)
    4. AWS CLI working
      1. Access to IAM via CLI
      2. AWS Access Key ID
      3. AWS Secret Access Key
    5. Access to the AWS Management Console to set up the classic EC2 Load Balancer
    6. Optional: a cup of coffee or tea 😉

    We will now go through all the steps required to get your EC2 Load Balancer for SSL termination up and running in no time.

    Converting SSL certificates to PEM format

    First and foremost, your Server SSL private key and your Server SSL certificate are required to be in PEM format.

    If this is not the case, use the following commands to convert your private key and certificate to PEM format:

    Convert SSL private key to PEM format

    openssl rsa -in server-key.key -out server-key.pem

    Convert SSL certificate to PEM format

    openssl x509 -inform PEM -in server-certificate.crt > server-certificate.pem

    Setup AWS CLI

    In order to set up AWS CLI you may use the bundle provided by Amazon or install the requirements manually.

    After the installation you will need to set up your AWS CLI credentials.

    Make sure that the policy IAMFullAccess is set for the target AWS CLI user.

    Then, set up the AWS CLI credentials using the following command:

    aws configure

    You will be prompted to enter your

    1. AWS Access Key ID

    2. AWS Secret Access Key

    Once this is completed you can continue by installing your SSL certificate in AWS using AWS CLI and AWS IAM.

    Installing SSL certificates in AWS IAM

    Once you have AWS CLI working with your credentials it’s time to upload your SSL certificate together with the private key and optionally the certificate chain to AWS IAM:

    Upload SSL certificate to AWS IAM

    aws iam upload-server-certificate \
    --server-certificate-name your-certificate-name \
    --certificate-body file://server-certificate.pem \
    --private-key file://server-key.pem

    AWS CLI should respond with an appropriate success message, like so:

    {
        "ServerCertificateMetadata": {
            "ServerCertificateId": "SOMEHASHVALUE", 
            "ServerCertificateName": "your-certificate-name", 
            "Expiration": "2018-09-14T23:59:59Z", 
            "Path": "/", 
            "Arn": "arn:aws:iam::SOME_NUMBER:server-certificate/your-certificate-name", 
            "UploadDate": "2017-09-15T09:40:52.183Z"
        }
    }

    You will now be able to select your SSL certificate when creating your EC2 Load Balancer.
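
A pre-upload check for the two files passed to the aws iam upload-server-certificate command above, as an added example that is not part of the original post. It confirms that both files begin with a PEM header, that the private key belongs to the certificate, and that the certificate stays valid for a minimum period. The function names and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the 30-day validity default is an assumption.

# True when the file's first line is a PEM header (no text dump precedes it).
starts_with_pem_header() {
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# preflight CERT KEY [MIN_VALID_SECONDS]
# Returns 0 only if both files start as PEM, the private key belongs to the
# certificate, and the certificate stays valid for MIN_VALID_SECONDS more.
preflight() {
    cert=$1
    key=$2
    min_valid=${3:-2592000}   # 30 days

    for f in "$cert" "$key"; do
        starts_with_pem_header "$f" || { echo "$f: does not start with a PEM header" >&2; return 1; }
    done

    # Public key as stated in the certificate vs. derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || { echo "$cert: unreadable certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "$key: unreadable private key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # -checkend exits non-zero if the certificate expires within the window.
    openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null || { echo "$cert: expires within $min_valid seconds" >&2; return 1; }
    echo "ok: $cert and $key are consistent"
}

# Stand-alone use: sh preflight.sh server-certificate.pem server-key.pem
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```
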

    Setup classic AWS EC2 Load Balancer for SSL termination

    Now that everything is prepared we are able to actually create the classic EC2 Load Balancer for SSL termination.

    Open up the AWS Management Console and create a classic EC2 Load Balancer by selecting the previous-generation Classic Load Balancer.

    You will then be guided through the setup steps for your EC2 classic Load Balancer:

    Step 1: Basic Configuration

    Step 2: Security Groups

    Step 3: Certificate and Cipher Settings

    Step 4: Health Check

    Step 5: Adding EC2 instances

    Step 6: Add Tags

    Step 7: Review and Start EC2 Load Balancer

    If everything went OK you should be able to access the newly created Load Balancer using https://www.your-server.com now.

    Check your SSL setup

    Make sure to check your SSL setup using external services such as SSLLabs:

    https://www.ssllabs.com/ssltest/analyze.html?d=www.your-server.com