First you need to create a Certificate Signing Request (CSR)
file, which the SSL provider requires before you can place the
actual SSL order, and generate a private key, which you use
along with the certificate when installing them on a load
balancer, either through the EC2 console or the Ylastic console
(Ylastic is what we use, much easier to administrate).
To start, make sure you have OpenSSL installed and that the binaries
are installed into the OpenSSL directory and not into the Windows
directory (you will be asked this during the install).
http://www.slproweb.com/products/Win32OpenSSL.html
To use OpenSSL you need to 'CD' into the 'OpenSSL\bin'
directory wherever you installed it. I usually install it in the
root of the C: drive, so my path is usually 'C:\OpenSSL\bin'.
1. Generate CSR & Private Key
Use OpenSSL to generate the Certificate Signing Request (CSR)
using the following command. Note: If you don't use the -keyout
option, the private key will not be written to a file for you to
use later. The path 'C:\Certs\Websitename\' can be changed to
wherever you are going to save everything (Make sure you keep it
all in one place)
openssl req -nodes -newkey rsa:2048 -keyout C:\Certs\Websitename\private.key -out C:\Certs\Websitename\server.csr
You will be prompted for some information. As a guide, here are
the values we usually enter:
countryName = GB
stateOrProvinceName = Bedfordshire
localityName = Bedford
organizationName = Company Name
organizationalUnitName = IT
commonName = www.FULL-DOMAIN-THAT-SSL-IS-NEEDED-FOR.co.uk
You will also be asked for a password; be sure you save this
password or use one that you won't forget.
2. Buy Your SSL Cert
We use GeoTrust for our SSL certificates but you can use any provider
you wish, so go to GeoTrust and purchase a Quick SSL Premium
http://www.geotrust.com/uk/ssl/ssl-certificates-premium/
Follow the on-screen prompts and use the contents of the CSR
file when asked for it (just open it in Notepad and copy and paste
the contents). They will email back the cert and other
information once payment has been made and you have authorised it
via email (other suppliers might have different hoops to jump
through).
3. Save Your X509 (.CRT) Certificate (SSL Cert)
Once done you'll receive the certificate back from GeoTrust,
hopefully in a CRT file (X509). If not, follow the instructions on
the GeoTrust site and you can download the cert in an X509
format.
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15183
4. Convert Private Key
Before we can jump into EC2/Ylastic and just copy and paste our
private key and certs into the textboxes, we need to convert the
private key generated in OpenSSL to a format EC2 understands. This
is again very easy, and you do it in OpenSSL using the command
below:
openssl rsa -in C:\Certs\Websitename\private.key -out C:\Certs\Websitename\out-private-key.key
Now we are ready to add the cert: either open up your EC2
console and start to create a load balancer, or open Ylastic, go
to the IAM section and click on certs.
5. Add SSL To EC2 ELB
Place the contents of the "out-private-key.key" into the console
box labelled Private Key - Then place the contents of the signed
certificate file you got from GeoTrust (.CRT or X509) in the box
labelled Public Key Certificate.
Optional:
Along with your signed certificate from your SSL supplier, you
may also receive a CA-Bundle file that contains several
certificates, one after another. You can place the contents of this
file into the box labelled Certificate Chain (I think this only
applies when using Ylastic)
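Before pasting anything into the console in step 5, it is worth confirming that the converted private key, the CSR and the certificate that came back all carry the same public key. The PowerShell script below is an added example, not part of the original post; it assumes openssl.exe is on the PATH (or that you run it from 'C:\OpenSSL\bin') and that the issued certificate was saved as server.crt, which is an assumed file name.

```powershell
# Added example (not from the original post). Assumes openssl.exe is on PATH and
# that the issued certificate was saved as server.crt (assumed file name).
param(
    [string]$Dir      = 'C:\Certs\Websitename',
    [string]$CertName = 'server.crt'
)

function Get-PublicKeyHash {
    param([string[]]$OpenSslArgs)
    # openssl prints the PEM-encoded public key on stdout; capture it as lines.
    $pem = & openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0 -or -not $pem) {
        throw "openssl $($OpenSslArgs -join ' ') failed"
    }
    # Hash the PEM text so the three public keys can be compared as short strings.
    $bytes = [System.Text.Encoding]::ASCII.GetBytes(($pem -join "`n"))
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    try     { [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '' }
    finally { $sha.Dispose() }
}

$key  = Join-Path $Dir 'out-private-key.key'   # output of step 4
$csr  = Join-Path $Dir 'server.csr'            # output of step 1
$cert = Join-Path $Dir $CertName               # certificate saved in step 3

# Public key derived from the private key, the CSR and the issued certificate.
$hashes = [ordered]@{
    PrivateKey  = Get-PublicKeyHash @('rsa',  '-in', $key,  '-pubout')
    CSR         = Get-PublicKeyHash @('req',  '-in', $csr,  '-noout', '-pubkey')
    Certificate = Get-PublicKeyHash @('x509', '-in', $cert, '-noout', '-pubkey')
}
$hashes.GetEnumerator() | ForEach-Object { '{0,-12} {1}' -f $_.Key, $_.Value }

# All three must be identical; otherwise the certificate belongs to a different key.
if (@($hashes.Values | Select-Object -Unique).Count -ne 1) {
    throw 'Public keys differ: do not upload this key/certificate pair.'
}

# Show who the certificate was issued to and when it expires.
& openssl x509 -in $cert -noout -subject -enddate
'OK: private key, CSR and certificate share the same public key.'
```

Only hashes of the public key are printed, so the output is safe to paste into a ticket; the private key file itself should stay in the one folder you chose in step 1.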