How to Update the SSL Certificate of an AWS Elastic Load Balancer
The AWS Elastic Load Balancer (ELB) is the gateway for all traffic to your back-end servers, and the SSL/TLS certificate on the ELB is what encrypts that data in transit. Encrypting data in transit on its own is not enough to keep your data safe; there are further considerations for securing your Amazon environments. For now, let’s look at how to update the SSL certificate of an AWS ELB. At the end of this post, I will circle back to the security issues that need to be taken into consideration.
Updating Your SSL Certificate
AWS Elastic Load Balancers support the HTTP, HTTPS (secure HTTP), TCP and SSL (secure TCP) protocols. To terminate HTTPS, the ELB needs a server certificate issued by a certificate authority (CA). If you use the HTTPS/SSL protocol for your listeners, you already have an SSL server certificate installed on your load balancer, and that certificate has to be replaced periodically, before it expires. This guide shows you how to upload a new SSL certificate and attach it to your HTTPS/SSL ELB.
You can upload the SSL certificate through the AWS console, the command line interface (CLI) or the Query API. (Creating the certificate itself is covered in a separate guide.)
Before uploading, check that your certificate meets the following prerequisites:
- All your SSL server certificates are managed by AWS Identity and Access Management (IAM). By default, IAM allows up to 10 server certificates per AWS account.
- Certificates must follow the X.509 PEM format.
- Today’s date must be between the certificate’s start and end date.
- Public and private certificate files must contain only a single certificate.
- The private key must match the public key that is in the digital server certificate.
- The private key must be an RSA private key in PEM format, with the header -----BEGIN RSA PRIVATE KEY----- and the footer -----END RSA PRIVATE KEY-----.
- The private key cannot be encrypted with a password.
- A certificate chain starts with the immediate signing certificate and is then followed by any intermediaries in order. Intermediaries that are not involved in the trust path must not be included. The trusted root certificate can be optionally included as the last certificate.
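The prerequisites above can all be checked locally before anything is uploaded. The script below is an added example written for this post; it is not part of the original post and not an AWS tool. It uses the openssl command line (assumed to be version 1.1 or newer and on the PATH) to test a certificate, a private key and a chain file against each criterion, and it generates its own throwaway root, intermediate and leaf certificates as constructed sample input, so it runs offline. It also covers the most common reason a key is rejected, which the list above implies but does not spell out: current openssl versions write private keys in PKCS#8 form (header BEGIN PRIVATE KEY), which does not satisfy the RSA PRIVATE KEY header requirement until the key is converted.

```shell
#!/bin/sh
# Added example, not from the original post: pre-upload checks for an ELB
# certificate bundle, run with the openssl CLI before iam-servercertupload.
# Assumes openssl 1.1 or newer and a POSIX shell; all file names and the
# sample certificates below are constructed for the demonstration.

# The public certificate file must hold exactly one certificate.
single_cert() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)
    [ "${n:-0}" -eq 1 ]
}

# The key must be an unencrypted RSA key with the traditional PKCS#1 header.
# Password-protected keys in that format carry a "Proc-Type: 4,ENCRYPTED" line.
plain_rsa_key() {
    grep -q -- '^-----BEGIN RSA PRIVATE KEY-----$' "$1" &&
        grep -q -- '^-----END RSA PRIVATE KEY-----$' "$1" &&
        ! grep -q -- '^Proc-Type: 4,ENCRYPTED' "$1"
}

# -checkend 0 exits non-zero once the certificate's notAfter date has passed.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# The public key inside the certificate must be the one derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# In the chain file each certificate's issuer must be the subject of the next,
# so the file reads: signing certificate, intermediates in order, optional root last.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { n++; subj[n] = substr($0, 9) }
             /^issuer=/  { iss[n] = substr($0, 8) }
             END { if (n == 0) exit 1
                   for (i = 1; i < n; i++) if (iss[i] != subj[i+1]) exit 1 }'
}

# Run every check; arguments: certificate file, private key file, chain file ("" = none).
check_bundle() {
    single_cert "$1"           || { echo "FAIL: $1 must hold exactly one certificate"; return 1; }
    plain_rsa_key "$2"         || { echo "FAIL: $2 is not an unencrypted RSA PRIVATE KEY"; return 1; }
    cert_not_expired "$1"      || { echo "FAIL: $1 has expired"; return 1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1"; return 1; }
    if [ -n "$3" ]; then
        chain_in_order "$3"    || { echo "FAIL: $3 is not in signing order"; return 1; }
    fi
    echo "OK: $1 is ready for upload"
}

# Constructed sample: root -> intermediate -> leaf, plus a correct and a reversed chain file.
make_sample_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=SampleRoot -days 365 \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=SampleIntermediate \
        -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 365 -out "$d/inter.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=elb.example.test \
        -keyout "$d/leaf.pkcs8" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 30 -out "$d/leaf.pem" >/dev/null 2>&1
    # req writes PKCS#8 ("BEGIN PRIVATE KEY"); ELB wants the traditional RSA header.
    openssl pkey -in "$d/leaf.pkcs8" -traditional -out "$d/leaf.key" 2>/dev/null
    cat "$d/inter.pem" "$d/root.pem" > "$d/chain.pem"        # correct order
    cat "$d/root.pem" "$d/inter.pem" > "$d/chain_wrong.pem"  # reversed
}

# Demo: the good bundle passes; the unconverted key and the reversed chain are caught.
demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir"
check_bundle "$demo_dir/leaf.pem" "$demo_dir/leaf.key"   "$demo_dir/chain.pem"
check_bundle "$demo_dir/leaf.pem" "$demo_dir/leaf.pkcs8" "$demo_dir/chain.pem" || true
check_bundle "$demo_dir/leaf.pem" "$demo_dir/leaf.key"   "$demo_dir/chain_wrong.pem" || true
rm -rf "$demo_dir"
```

Point check_bundle at your own certificate, key and chain files before running iam-servercertupload. The chain check only confirms the subject/issuer ordering the prerequisites ask for; it does not validate signatures, so pair it with openssl verify against your CA bundle when you want full path validation as well.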
If your certificate meets the above criteria, follow the next steps to upload a new certificate.
1. In the AWS console, open your load balancer and click on the “Listener” tab. The ELB in this example is configured to listen on the HTTP and HTTPS protocols.
2. Click “Change” in the SSL Certificate column. Provide a name for the new certificate, the private key (PEM-encoded) and the CA authenticated SSL certificate body (PEM-encoded).
3. The Elastic Load Balancer validates the certificate against the criteria explained above. If the key and certificate are valid, the certificate is added to the existing SSL certificates; otherwise you get an error.
4. Once the newly uploaded certificate is selected, the ELB listener is updated to use it.
5. To remove the certificate or change the protocol, click “Remove” or edit the listeners of the ELB.
6. To upload a new certificate and attach it to the listener using the command line tools, follow the steps below.
7. First set up the AWS ELB command line tools.
8. Set the AWS Region with the command:
9. Run the following command to add an SSL certificate:
iam-servercertupload -b <CA authenticated SSL certificate file> -k <private key file in PEM format> -s <name of certificate> -c <certificate chain file> -v
10. The command above uploads the new SSL certificate to AWS and prints the certificate’s ARN. Use that ARN to attach the certificate to the ELB:
elb-create-lb-listeners ELBConfigureSSL --listener "protocol=HTTPS,lb-port=443,instance-port=80,instance-protocol=HTTP,cert-id=<ARN of certificate>"
11. To delete a certificate, run the command:
iam-servercertdel -s <certificate name>
12. To list the SSL certificates available in AWS, run the command:
13. The actual output of each command is shown below.
For Cloud Operators
When data is transmitted to your environment, it’s vital to ensure your instances’ safety. Is your cloud firewall closed? How exposed is your ELB? Is it blocked to untrusted traffic sources? Are your security groups at risk of breach? Datapipe Cloud Reports scans and identifies the status of your security group configurations, continuously monitors them, and alerts you to vulnerabilities. The Cloud Reports service ensures operational efficiency to build and manage a cloud that easily scales with your business. It gives you the insights you need to better see, understand, assess and respond to vulnerabilities and security issues. Continuous monitoring enables you to:
- Triage urgent cloud risks
- Diagnose cost, risk, and governance issues
- Track cloud cost and asset vitals
Datapipe Cloud Reports actively prioritizes significant risk to cloud health based on its severity.