Hey I'm Lee. My blog was put up to house my strange thoughts, ramblings, nuggets of information I can refer back to and document my learning curves on new dev stuff and fitness regimes.

All thoughts and comments on here are my own, and in no way reflect my employer - I also take no responsibility for spelling, grammar, terminology, accuracy of facts etc... So read at your own risk!

Creating SSL Certificate Using GeoTrust & OpenSSL For EC2 ELB

Firstly you need to create a Certificate Signing Request (CSR) file which the SSL provider will require to enable you to make the actual SSL order and also generate a private key which you have to use along with the certificate when installing them on a load balancer either through the EC2 console or the Ylastic console (Ylastic is what we use, much easier to administrate).

To start… Make sure you have OpenSSL installed and the binaries are installed into the OpenSSL directory and not in the windows directory (You will be asked this on the install)


To use OpenSSL and you need to 'CD' into the 'OpenSSL\bin' directory wherever you installed it - I usually install it in the root of the C: drive so my path is usually 'C:\OpenSSL\bin'

1. Generate CSR & Private Key

Use OpenSSL to generate the Certificate Signing Request (CSR) using the following command. Note: If you don't use the -keyout option, the private key will not be written to a file for you to use later. The path 'C:\Certs\Websitename\' can be changed to wherever you are going to save everything (Make sure you keep it all in one place)

openssl req -nodes -newkey rsa:2048 -keyout C:\Certs\Websitename\private.key -out C:\Certs\Websitename\server.csr

You will be prompted for some information, here is some help we usually add to help you:

countryName = GB
stateOrProvinceName = Bedfordshire
localityName = Bedford
organizationName = Company Name
organizationalUnitName = IT
commonName = www. FULL-DOMAIN- THAT-SSL-IS-NEEDED-FOR.co.uk

And also a password, be sure you save this password or use one that you won't forget.

2. Buy Your SSL Cert

We use GeoTrust for our SSL's but you can use any provider you wish, so go to GeoTrust and purchase a Quick SSL Premium


Follow the on screen prompts and use the contents of the CSR file when asked for it (Just open it in Notepad and copy and paste the contents) and they will email back the cert and other information once payment has been made and you authorise it via email (Other suppliers might have different hoops to jump through)

3. Save Your X509 (.CRT) Certificate (SSL Cert)

Once done you'll receive the certificate back from GeoTrust hopefully in an CRT file (X509), if not follow the instructions on the GeoTrust site and you can download the cert in a X509 format.


4. Convert Private Key

Before we can jump into EC2/Ylastic and just copy and paste our private key and certs into the textboxes, we need to Convert Private Key generated in OpenSSL to a format EC2 understands - This is again very easy and you do it using OpenSSL using the command below:

openssl rsa -in C:\Certs\Websitename\private.key -out C:\Certs\Websitename\out-private-key.key

Now we are ready to add the cert, either open up your EC2 console and start to create a load balancer or open Ylastic and go to IAM section and click on certs.

5. Add SSL To EC2 ELB

Place the contents of the "out-private-key.key" into the console box labelled Private Key - Then place the contents of the signed certificate file you got from GeoTrust (.CRT or X509) in the box labelled Public Key Certificate.


Along with your signed certificate from your SSL supplier, you may also receive a CA-Bundle file that contains several certificates, one after another. You can place the contents of this file into the box labelled Certificate Chain (I think this only applies when using Ylastic)

Back to top