This is an application without a load balancer - a single instance. I found and understood the documentation on how to get this done when using Tomcat, as I'm doing. The crux of the problem is that the explanations refer to the private and public keys of the certificate which should be used. Where are the AWS issued certificate private and public keys stored? This is what I've discovered so far:
I've gone through all the documentation and now have to create some conf files in .ebextensions. No problems there. However, I have to supply both the private and public keys. In the example code, the private key is server.key and the public one server.crt.
I have found cert.pem in /etc/pki/tls and both ca-bundle.crt and ca-bundle.trust.crt in /etc/pki/tls/certs. Are these the keys of the certificate I requested from AWS? Is cert.pem the private key? I've looked at all with Nano and am not too sure. What's the deal with the other two files?
According to the documentation, one should load the private key to S3. If cert.pem is the private key, how do I do that from the command line once logged in and should I save that as server.key?
I will appreciate any help.
SSL certificates have three components: the certificate (public, unique to your site), the chain (public, establishes the traceable chain of trust, common to many or all certs from the same certificate authority), and the key (private/secret).
A server cannot use a certificate without the key. Amazon Certificate Manager does not expose the key to you -- only the certificate and the chain -- so, for this reason, it is not possible to use public ACM certificates without also using either a load balancer or CloudFront.
When an ACM cert is used with a load balancer or CloudFront, the private key is provided to the balancer or the CloudFront front-ends from ACM over internal channels.
Can anyone help me? I am using a load balancer in Google Cloud Platform but I am not able to properly install SSL. Only the certificate chain and private key boxes are shown, not a public key box. Why is this happening? Have I missed something, or is it a glitch on Google's side?
**public key => But where do I upload this??**
**certificate chain => available**
**private key => available**
Which one of these is the certificate chain that Google is asking for?
And when checking, it shows grade B due to an incomplete chain.
As I suspected in the comment section, the issue was with a self-managed certificate (Trust Chain).
When creating a Certificate in GCP you can use Google-Managed and Self-Managed certificates.
In this setup OP used a GoDaddy certificate and validated it on ssllabs. One of the issues was:
This server's certificate chain is incomplete. Grade capped to B.
More details can be found in this article - How Certificate Chains Work
A certificate chain is an ordered list of certificates, containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates, that enable the receiver to verify that the sender and all CA's are trustworthy.
In the Using self-managed SSL certificates - Step 2: Create a self-managed SSL certificate resource guide you can find information that the chain certificate needs to be verified by the user:
Paste in your certificate or click Upload to navigate to your certificate file.
You can choose to include the CA certificate chain in the same file as the certificate. Google Cloud does not validate the certificate chain for you – validation is your responsibility.
There is also information about the trust chain when you are creating a Certificate in GCP via the UI, that your trust chain must be correct:
The certificate must be in PEM format and include correct certificate trust chain. The certificate chain must be no greater than 5 certs long.
Solution
The solution to this issue was to merge the certificate chain with OP's certificate.
Useful links
Creating a .pem File for SSL Certificate Installations, especially the part Creating a .pem with the Private Key and Entire Trust Chain
How to combine various certificates into single .pem
You don't need to upload the Public Key to the LoadBalancer. Only the certificate and Private Key are needed.
The Public key portion is embedded into the Certificate.
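The two checks these threads keep coming back to, as an added example that is not code from any of the answers above: whether a private key file actually belongs to a certificate (the public key is embedded in the certificate, so the two can be compared), and whether a PEM bundle is ordered leaf first with each issuer matching the next subject, which is the "incomplete chain" condition ssllabs was grading. It assumes a POSIX sh and the openssl command line tool; the file paths are whatever you pass in.

```sh
#!/bin/sh
# Added example: sanity-check key, certificate and chain files before pasting
# them into a load balancer or an ACM import form. Requires the openssl CLI.

# List the PEM block types in a file, so a "cert.pem" that is really a
# private key (or a CA bundle) announces itself.
pem_types() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort | uniq -c
}

# Return 0 only when the private key and the certificate carry the same public
# key. There is no separate "public key" file to upload: it is in the cert.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Check that a PEM bundle is ordered leaf first, each certificate's issuer
# equal to the next certificate's subject. Returns 1 on a broken link (or no
# certificate at all) and 2 when the bundle is a lone certificate that is not
# self-signed: the intermediate is missing, i.e. the "incomplete chain" case.
chain_in_order() {
  n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true)
  [ "$n" -ge 1 ] || return 1
  dir=$(mktemp -d)
  # Split the bundle into dir/1.pem, dir/2.pem, ... in file order.
  awk -v d="$dir" '/^-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
  name() { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"; }
  rc=0
  i=1
  while [ "$i" -lt "$n" ]; do
    if [ "$(name "$dir/$i.pem" issuer)" != "$(name "$dir/$((i + 1)).pem" subject)" ]; then
      echo "chain link $i -> $((i + 1)) broken" >&2
      rc=1
    fi
    i=$((i + 1))
  done
  if [ "$rc" -eq 0 ] && [ "$n" -eq 1 ] &&
     [ "$(name "$dir/1.pem" issuer)" != "$(name "$dir/1.pem" subject)" ]; then
    echo "single certificate that is not self-signed: chain is incomplete" >&2
    rc=2
  fi
  rm -rf "$dir"
  return "$rc"
}
```

Run `pem_types` on each file you were handed first; a file whose only block type is CERTIFICATE is never the private key, however it is named.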
Just add the main security certificate at the top of the certificate chain (which mostly contains 3 to 4 certificates) and put this final certificate in the certificate field while creating a certificate. Then everything will be corrected. Thank you, enjoy.
I have created a VPN (via a Client VPN Endpoint), which has access to a VPC in AWS - from which I can resolve a private domain from a Private Route 53 hosted zone. (dashboard.internal)
This is all working brilliantly, I can connect to the VPN and access the intranet app via the custom domain name - but now I am looking to add HTTPS to the internal ALB so it plays nice in the browser.
What is the correct procedure to get the certificate valid and trusted by the browser? I created a self signed one, to get the infra working - but the browser is obviously not liking that.
Is it possible to give the .ovpn file I use to connect to the VPN info about this cert?
(Although as this is a prototype the Client VPN bit will probably be chucked in favor of Direct Connect)
You can get a private certificate using ACM. ACM supports private certificates.
Add a certificate authority (CA) [ACM -> Private CA's]
Request a Private Certificate [ACM -> Request Certificate -> Private Certificate]
Now you can use this certificate with all AWS Services.
Since you are already using an ALB, you can directly attach the private certificate to the ALB itself.
We'd like to use ACM to manage our certificates, allowing us to easily create them on the fly for a third-party (using CNAME validation). This works great, except we can't appear to get the private key we'd need to support the certificate via our frontend server, which is hosted by AWS but otherwise managed independently of any other AWS service. (It's essentially an Express server running on an EC2 instance.)
Is it possible to get the key value(s) out of ACM so that we can bootstrap a Node https server using them? Or does Amazon not support this at all?
The private key for an ACM certificate is maintained entirely within the service. There is no support for exporting the private key.
ACM certificates can only be used on specific AWS services. For more information see ACM FAQ and Supported services.
I'm familiar with creating a CSR (via openssl) on a webserver and submitting it to a CA to purchase an SSL cert.
A site we're building (using Elastic Beanstalk) has a requirement that certificates are managed via a HSM. I think AWS CloudHSM is the correct tool to use here? I have:
- Created the EB environment in a VPC with public and private subnets
- Requested and assigned an SSL cert to the environment via AWS Cert Manager (at this point, I have a working site over https, just no HSM)
- Created a HSM cluster in the same VPC, and downloaded its CSR.
At this point, the docs (http://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr) leave me a bit stuck.
It says, "Your CA signs the CSR, which creates a signed certificate. Then you provide the signed certificate and your CA's issuing certificate to initialize the cluster."
Fine. Except if I try to upload this CSR to a CA (e.g., Verisign, GlobalSign) I get "Certificates with internal names are no longer permitted". Which makes sense - I'm not requesting a cert for a site's external domain name, the cert is for the HSM: which, I'm guessing, I'll then use to create an openssl cert once its CSR has been signed.
Basically, I'm very confused about how a HSM fits into the otherwise simple SSL-requesting procedure of: generate CSR, submit to CA, install cert on webserver. Especially given my added complications of doing this all with Elastic Beanstalk and AWS ACM rather than just dumping a cert file on the server and updating the Nginx conf.
How does it all work?
Since posting this question a year ago, AWS have updated their documentation on how to set up SSL offload with a CloudHSM. By following that documentation, I was able to set up a separate EC2 instance - outside of ElasticBeanstalk - for SSL termination. It's still not possible, AFAIK, to use a CloudHSM directly from within ElasticBeanstalk.
Current Situation: I host all my files on an AWS EC2 instance but recently I bought a domain name from Network Solutions and pointed that domain name to my EC2 instance. Also, I got an SSL certificate issued from Network Solutions for that specific domain name.
Question: How do I upload an SSL Certificate to AWS? Now, I know that we can use AWS Certificate Manager or AWS Load Balancers to import an SSL Certificate, but it asks me for a Certificate Private Key, which I have no idea what it is. I am sure I did not get any private key from Network Solutions. All I have are the 4 .crt files and the certificate chain.
You will need to get the Private key from Network if you want to use the one they provided. Or, like others are saying, you can provision one for free from ACM and let AWS manage it, though they do not give you the private key.
.CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
You can use the CLI or the console to import Certificates in ACM:

```sh
aws acm import-certificate --certificate file://Certificate.pem \
    --certificate-chain file://CertificateChain.pem \
    --private-key file://PrivateKey.pem
```
The following example shows how to import a certificate using the AWS Management Console.
1. Open the ACM console at https://console.aws.amazon.com/acm/home.
2. Choose Import a certificate.
3. Do the following:
   a. For Certificate body, paste the PEM-encoded certificate to import.
   b. For Certificate private key, paste the PEM-encoded, unencrypted private key that matches the certificate's public key.
   c. (Optional) For Certificate chain, paste the PEM-encoded certificate chain.
4. Choose Review and import.
5. Review the information about your certificate, then choose Import.
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-api-cli.html
Routing SSL traffic to your Domain:
1. Create an ELB and assign the cert to a listener.
2. Point your domain name at the ELB.