AWS Certificate Manager - How to download public key? - amazon-web-services

I created an SSL certificate using AWS Certificate Manager to use on our EB load balancer.
We have a device that needs the public certificate to communicate over HTTPS. I know AWS holds the private key; is it possible to download the public key?

The AWS ACM does not provide an API to download the public key of an ACM SSL certificate.
However, once you have your ACM certificate set up on an ELB or CloudFront, the public key will be served when you connect to it via HTTPS. From there, you may be able to save the public key.
Try using OpenSSL to get and save the key:
openssl s_client -connect the.host.name:443 -servername the.host.name </dev/null | openssl x509 -pubkey -noout
Source: https://security.stackexchange.com/questions/16085/how-to-get-public-key-of-a-secure-webpage

Related

How to encrypt traffic in Jupyterhub (TLJH) with AWS Certificate Manager

I'm trying to run JupyterHub (TLJH) in AWS EC2 using the steps provided here. The setup works over HTTP. However, I run into trouble when I try to map a subdomain and simultaneously use an SSL certificate and key from AWS Certificate Manager.
The steps outlined in this link describe how to encrypt if we use Let's Encrypt, or if we can download the SSL key and certificate. Unfortunately, it's not simple to download the SSL certificate from AWS Certificate Manager.
So, my question is: how do I use the AWS Certificate Manager certificate that covers a subdomain to encrypt traffic and connect to JupyterHub?

Unable to select imported certificate into AWS load balancer listener

For some reason, the drop-down select for the certificate is not showing when I go to add it to the HTTPS listener for my EC2 instance.
In the ACM, it is "Issued", so I don't see why it shouldn't show up.
[Screenshot: HTTPS listener]
[Screenshot: the ACM console, showing my certificate is issued]
Based on the comments.
The reason the SSL cert imported into ACM can't be used on the ALB is that it's too long. The imported cert is RSA 4096-bit; however, ALB (and other AWS services) are compatible with 2048-bit RSA (RSA_2048) or 1024-bit RSA (RSA_1024), as explained in:
Why can't I find my imported certificate for my load balancer or CloudFront distribution?
The certificate imported into ACM is using an algorithm other than 1024-bit RSA or 2048-bit RSA.
The possible solution is to use IAM for these certificates:
ACM supports RSA certificates with a 4096 key length and EC certificates. However, you cannot install these certificates on your load balancer through integration with ACM. You must upload these certificates to IAM in order to use them with your load balancer.

Imported SSL Cert not listed for ALB Listener

I have created an SSL cert via DigiCert and imported it to ACM. (I require the same SSL cert to be applied to both the ALB and the application, and since there's no way to import ACM certs, I had to follow this way.)
I have successfully imported the SSL cert and can see it in the console. However, I cannot apply it to the ALB 443 listener.
I provided the cert ARN to the CloudFormation template and it fails, stating the certificate doesn't exist.
I have tried to manually update the 443 listener, but the cert is not listed.
Since both failed, I have tried to import the cert in the ALB listener console, but got the below error message. (However, the certificate gets imported and I can see it in the console.)
Updating listener failed. The imported certificate's configuration is
not compatible and will not appear in the list of available
certificates for your listeners. Select or upload a different
certificate and try again.
There is a limitation on updating the HTTPS listener for your Application Load Balancer.
ACM supports RSA certificates with a 4096 key length and EC certificates.
However, you cannot install these certificates on your load balancer through integration with ACM.
The solution is to try uploading these certificates to IAM in order to use them with your load balancer.
This should help.
Did you check whether the SSL cert key algorithm is supported by the Application Load Balancer? These are the supported algorithms:
Source: https://aws.amazon.com/premiumsupport/knowledge-center/elb-ssl-tls-certificate-https/
You can check the key sizes using these commands:
$ openssl rsa -in secret.key -text -noout | grep "Private-Key"
Private-Key: (2048 bit)
$ openssl x509 -in certificate.crt -text -noout | grep "Public-Key"
RSA Public-Key: (2048 bit)
As mentioned by #aress-support, you can use IAM to import the certificate.
https://aws.amazon.com/premiumsupport/knowledge-center/import-ssl-certificate-to-iam/
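An added example that is not part of any answer on this page: it takes the PEM "PUBLIC KEY" that the first answer's `openssl x509 -pubkey -noout` command prints and performs the key-size check above without needing openssl, using only the Python standard library to walk the SubjectPublicKeyInfo DER structure. The `ALB_VIA_ACM` set is my encoding of the RSA_1024/RSA_2048 pair quoted from the AWS article, and `synthetic_rsa_pem` builds constructed test input (made-up moduli, not real keys).

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def _der(tag, body):
    """Encode one DER TLV; used only to build the synthetic test keys below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def _children(content):
    """Split a DER SEQUENCE body into its (tag, body) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, length, pos = content[pos], content[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(content[pos:pos + n], "big"), pos + n
        out.append((tag, content[pos:pos + length]))
        pos += length
    return out

def key_info(pem):
    """Return ('RSA', modulus_bits), ('EC', None) or ('unknown', None) for a PUBLIC KEY PEM."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    alg, key = _children(_children(der)[0][1])             # SPKI = SEQ { AlgorithmIdentifier, BIT STRING }
    oid = _children(alg[1])[0][1]
    if oid == EC_OID:
        return "EC", None
    if oid != RSA_OID:
        return "unknown", None
    rsa_key = _children(_children(key[1][1:])[0][1])       # skip unused-bits byte, then RSAPublicKey SEQ
    return "RSA", int.from_bytes(rsa_key[0][1], "big").bit_length()

# Key types the linked AWS article says ACM-integrated ALB listeners accept (keep in sync with AWS docs).
ALB_VIA_ACM = {("RSA", 1024), ("RSA", 2048)}

def alb_listener_compatible(pem):
    return key_info(pem) in ALB_VIA_ACM

def synthetic_rsa_pem(bits):
    """Constructed test input: an SPKI around a made-up modulus of exactly `bits` bits (not a real key)."""
    modulus = (1 << (bits - 1)) | 1                        # top bit set so bit_length() == bits
    mod_der = _der(0x02, b"\x00" + modulus.to_bytes(bits // 8, "big"))  # leading 0x00 keeps INTEGER positive
    rsa_key = _der(0x30, mod_der + _der(0x02, (65537).to_bytes(3, "big")))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    b64 = base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    for bits in (2048, 4096):
        pem = synthetic_rsa_pem(bits)
        print(bits, key_info(pem), "usable on ALB via ACM:", alb_listener_compatible(pem))
```

To check a real key, pipe the `openssl s_client ... | openssl x509 -pubkey -noout` output into a file and pass its contents to `key_info`.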

Use AWS issued certificate for single instance Elastic Beanstalk application

This is an application without a load balancer - a single instance. I found and understood the documentation on how to get this done when using Tomcat, as I'm doing. The crux of the problem is that the explanations refer to the private and public keys of the certificate which should be used. Where are the AWS issued certificate private and public keys stored? This is what I've discovered so far:
I've gone through all the documentation and now have to create some conf files in .ebextensions. No problems there. However, I have to supply both the private and public keys. In the example code, the private key is server.key and the public one server.crt.
I have found cert.pem in /etc/pki/tls and both ca-bundle.crt and ca-bundle.trust.crt in /etc/pki/tls/certs. Are these the keys of the certificate I requested from AWS? Is cert.pem the private key? I've looked at all with Nano and am not too sure. What's the deal with the other two files?
According to the documentation, one should load the private key to S3. If cert.pem is the private key, how do I do that from the command line once logged in and should I save that as server.key?
I will appreciate any help.
SSL certificates have three components: the certificate (public, unique to your site), the chain (public, establishes the traceable chain of trust, common to many or all certs from the same certificate authority), and the key (private/secret).
A server cannot use a certificate without the key. Amazon Certificate Manager does not expose the key to you -- only the certificate and the chain -- so, for this reason, it is not possible to use public ACM certificates without also using either a load balancer or CloudFront.
When an ACM cert is used with a load balancer or CloudFront, the private key is provided to the balancer or the CloudFront front-ends from ACM over internal channels.

How can I verify the SSL certificate chain when uploading to Amazon/CloudFront?

We are using CloudFront to serve images with a custom domain.
http://images.example.com/fubar.png
We want to be able to access them with SSL, e.g. https://images.example.com/fubar.png
We have a wildcard SSL certificate (issued from GoDaddy) for *.example.com and I used the AWS Certificate Manager to upload the certificate, private key, and keychain. The upload appears to have been successful as *.example.com appears to be issued (according to the Certificate Manager).
I'm then following the instructions to Update the CloudFront Distribution: I added images.example.com, selected the option for Custom SSL Certificate and made sure Distribution State was enabled. When I click the Yes, Edit button I get the following error:
com.amazonaws.services.cloudfront.model.InvalidViewerCertificateException: The specified SSL certificate doesn't exist, isn't in us-east-1 region, isn't valid, or doesn't include a valid certificate chain. (Service: AmazonCloudFront; Status Code: 400; Error Code: InvalidViewerCertificate; Request ID: a62cf849-d495-11e7-94d9-673e2e2905b1)
I've used this SSL certificate elsewhere with success. If it helps, I originally created this cert using a Windows machine to make the request and then downloaded the cert from GoDaddy. I don't have access to this download anymore, but I do have access to a PFX file on a Windows Server. I took this PFX file (named SSLWildcard.pfx, which has the private key) and used OpenSSL to get the certificate and private key. I used the following commands:
openssl pkcs12 -in SSLWildcard.pfx -nocerts -out SSLWildcard.key
openssl rsa -in SSLWildcard.key -out SSLWildcard-decrypted.key
openssl pkcs12 -in SSLWildcard.pfx -clcerts -nokeys -out SSLWildcard.crt
I used the contents of the CRT and KEY files (I used the decrypted key file) and GoDaddy's public certificate chain file gd_bundle-g2-g1.crt. I've tried using various certs (and combinations) from GoDaddy's public repository but I'm kind of just guessing. Any ideas as to what I'm doing wrong?
The error message has one clue: when using a cert for CloudFront, it must be in us-east-1.
You don't mention what region you uploaded the cert to, but if you're deploying to CloudFront make sure it's in us-east-1.
If the certificate is in us-east-1, there is one other clue:
Error Code: InvalidViewerCertificate
If you are using an S3 bucket configured for public web hosting, you cannot communicate between CloudFront and S3 over HTTPS - it must be HTTP. See here for details.