Friday, November 1, 2013

SSL Certificate Stuff

While mucking with creating an SSL enabled, load balanced, Bedrock stack I needed to create my own certificate and upload it to AWS.



Note: I'm using the new CLI tools, so make sure the configuration file (~/.awscfg) exists; create it if it does not.

Try this if you need to reconfigure - have your IAM credentials handy:

$ aws configure

Assuming you have OpenSSL installed, generate a private key for the certificate:

$ openssl genrsa 2048 > test-site.pem

Now create a self-signed certificate from that key (the -x509 option makes req emit a certificate instead of a signing request):

$ openssl req -new -x509 -key test-site.pem -out cacert.pem -days 1095
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Pennsylvania
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:


Upload certificate to AWS:

$ cat upload-cert.sh
#!/bin/bash

# $1 = name for the certificate in IAM, $2 = certificate PEM, $3 = private key PEM
AWS_PATH=/home/rlauer/.local/lib/aws/bin
$AWS_PATH/aws iam upload-server-certificate \
  --server-certificate-name "$1" --certificate-body "file://$2" \
  --private-key "file://$3"

$ ./upload-cert.sh TEST-CERT cacert.pem test-site.pem
{
    "ServerCertificateMetadata": {
        "Path": "/",
        "Arn": "arn:aws:iam::106518701080:server-certificate/TEST-CERT",
        "ServerCertificateId": "ASCAIPHEN4D2N5JGM6INW",
        "ServerCertificateName": "TEST-CERT",
        "UploadDate": "2013-11-17T17:54:30.329Z"
    }
}

Okay, so now we have a test certificate we can use for testing SSL access to a site. You'll get warnings in the browser about this certificate because it is self-signed, but proceed for testing.

If the key was inadvertently created with a passphrase, AWS will not let you upload the key.

Remove the passphrase from the key:

$ openssl rsa -in with-passphrase.key -out no-passphrase.key
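Here is an added pre-flight script (my own example, not part of the original post) that covers the upload step and the passphrase problem above: it refuses to call upload-server-certificate if the key is still passphrase-protected, and confirms the certificate was actually issued for that key. It assumes openssl and aws are on PATH and that the key is PEM-encoded.

```shell
#!/bin/bash
# Added example: sanity checks before uploading a certificate to IAM.

# Return 0 if the PEM file holds an encrypted private key, 1 otherwise.
# Traditional OpenSSL PEM marks encryption with "Proc-Type: 4,ENCRYPTED";
# PKCS#8 uses the "BEGIN ENCRYPTED PRIVATE KEY" block label.
key_is_encrypted() {
  grep -qE '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Return 0 if the certificate's public key matches the private key's.
# Compares the public keys in SPKI form, so it works for non-RSA keys too.
# Returns 2 if either file cannot be parsed by openssl.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: preflight_and_upload NAME cert.pem key.pem
# Runs both checks and only then performs the same upload as upload-cert.sh.
preflight_and_upload() {
  local name=$1 cert=$2 key=$3
  if key_is_encrypted "$key"; then
    echo "refusing to upload: $key is passphrase-protected; strip it first with" >&2
    echo "  openssl rsa -in $key -out no-passphrase.key" >&2
    return 1
  fi
  if ! key_matches_cert "$cert" "$key"; then
    echo "refusing to upload: $cert was not issued for the key in $key" >&2
    return 1
  fi
  aws iam upload-server-certificate --server-certificate-name "$name" \
    --certificate-body "file://$cert" --private-key "file://$key"
}
```

Source the file and call preflight_and_upload TEST-CERT cacert.pem test-site.pem; a mismatched or still-encrypted key exits non-zero before anything is sent to AWS.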


Here's a snippet for creating an HTTP/HTTPS load balancer using the AWS::ElasticLoadBalancing::LoadBalancer type.


"ElasticLoadBalancer" : {
  "Type" : "AWS::ElasticLoadBalancing::LoadBalancer",
  "Metadata" : {
    "Comment" : "Configure the Load Balancer with a simple health check and cookie-based stickiness"
  },
  "Properties" : {
    "AvailabilityZones" : { "Fn::GetAZs" : "" },
    "AppCookieStickinessPolicy" : [ {
      "CookieName" : "session",
      "PolicyName" : "CookieSessionPolicy"
    } ],
    "Listeners" : [
      {
        "LoadBalancerPort" : "80",
        "InstancePort" : "80",
        "Protocol" : "HTTP",
        "PolicyNames" : [ "CookieSessionPolicy" ]
      },
      {
        "LoadBalancerPort" : 443,
        "InstancePort" : 80,
        "Protocol" : "HTTPS",
        "PolicyNames" : [ "CookieSessionPolicy" ],
        "SSLCertificateId" : "arn:aws:iam::106518701080:server-certificate/FAKE"
      }
    ],
    "HealthCheck" : {
      "Target" : "HTTP:80/",
      "HealthyThreshold" : "2",
      "UnhealthyThreshold" : "5",
      "Interval" : "10",
      "Timeout" : "5"
    }
  }
}
