This section describes the process of generating a digital certificate and preparing it for use with AWS products through IAM. The following table shows the tasks involved, in the order in which you need to complete them. Following the table, you'll find detailed instructions for each task.
Tasks for Creating and Uploading Server Certificates
| 1 | Install and Configure OpenSSL |
| 2 | Create a Private Key |
| 3 | Create a Certificate Signing Request |
| 4 | Submit CSR to Certificate Authority |
| 5 | Upload the Signed Certificate |
| 6 | Verify the Certificate Object |
To upload certificates to IAM, you can use the IAM command line interface (IAM CLI). For more information about installing the IAM command line toolkit, refer to Getting the Command Line Tools in the AWS IAM Command Line Reference.
Creating and uploading server certificates requires a tool that supports the SSL and TLS protocols. OpenSSL is an open-source toolkit that provides the cryptographic functions you need: generating an RSA key pair and producing a certificate signing request that is signed with your private key.
The following procedure assumes that your computer does not already have OpenSSL installed.
To install OpenSSL
Get the package from www.openssl.org:
On Linux and UNIX:
Go to OpenSSL: Source, Tarballs (http://www.openssl.org/source/).
Download the latest source.
Build the package.
On Windows:
Go to OpenSSL: Binary Distributions (http://www.openssl.org/related/binaries.html).
Click OpenSSL for Windows.
A new page displays with links to the Windows downloads.
If not already installed on your system, select the Microsoft Visual C++ 2008 Redistributables link appropriate for your environment and click Download. Follow the instructions provided by the Microsoft Visual C++ 2008 Redistributable Setup Wizard.
After you have installed the Microsoft Visual C++ 2008 Redistributables, select the appropriate version of the OpenSSL binaries for your environment, save the installer locally, and run it. The OpenSSL Setup Wizard launches.
Follow the instructions described in the OpenSSL Setup Wizard. Save the OpenSSL binaries to a folder in your working directory.
You must create an environment variable that points to the OpenSSL installation directory.
To set the OpenSSL_HOME variable
Enter the path to the OpenSSL installation:
On Linux and UNIX computers, enter the following command:
$ export OpenSSL_HOME=path_to_your_OpenSSL_installation
On Windows computers, enter the following command:
c:\> set OpenSSL_HOME=path_to_your_OpenSSL_installation
You must also add the directory containing the OpenSSL binaries to your computer's path variable.
You need a unique private key to create your Certificate Signing Request (CSR). You must have administrator rights to perform this task.
To create a private key
Use the genrsa command to create a key:
On Linux and UNIX computers, enter the following command:
$ openssl genrsa 2048 > private-key.pem
On Windows computers, enter the following command:
c:\> openssl genrsa 2048 > private-key.pem
| Note |
|---|
| AWS accepts 1024-, 2048-, and 4096-bit RSA keys. Use at least 2048 bits: 1024-bit RSA keys are too weak for new certificates, and the CA/Browser Forum Baseline Requirements forbid public CAs from issuing certificates for them. Keep private-key.pem secret and restrict its file permissions so that only the account that will upload the certificate can read it. |
A Certificate Signing Request (CSR) is a file sent to a Certificate Authority (CA) to apply for a digital identity certificate. It contains your public key and the identifying information (the Distinguished Name) below, and is signed with your private key. You must have administrator rights to perform this task.
To create a CSR
Use the req command to create a CSR:
On Linux and UNIX computers, enter the following command:
$ openssl req -new -key private-key.pem -out csr.pem
On Windows computers, enter the following command:
c:\> openssl req -new -key private-key.pem -out csr.pem
The output will look similar to the following example:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank.
The following table can help you create your certificate request.
| Name | Description | Example |
|---|---|---|
| Country Name | The two-letter ISO abbreviation for your country. | US = United States |
| State or Province | The name of the state or province where your organization is located. This name cannot be abbreviated. | Washington |
| Locality Name | The name of the city where your organization is located. | Seattle |
| Organization Name | The full legal name of your organization. Do not abbreviate your organization name. | Example Corp. |
| Organizational Unit | Optional, for additional organization information. | Marketing |
| Common Name | The fully qualified domain name that clients will use to reach the server (the name your DNS record or CNAME resolves). Clients will show a certificate name mismatch warning if this is not an exact match. | www.yourdomain.com |
| Email address | The server administrator's email address | someone@yourdomain.com |
| Note |
|---|
| The Common Name field is often misunderstood and is completed incorrectly. The common name is typically your host plus domain name. It will look like "www.company.com" or "company.com". You need to create a CSR using your correct common name. |
Your CSR contains information identifying you. To apply for a digital certificate, send your CSR to a Certificate Authority (CA). The CA might require other credentials or proofs of identity.
If the request for a certificate is successful, the CA returns an identity certificate (and possibly a chain certificate) that is digitally signed.
AWS does not recommend any one CA. For information on currently available CAs, go to Third-Party Certificate Authorities.
When you receive your digitally signed certificate, you can upload it on IAM to use with other AWS products.
Your CA may return a certificate chain along with your signed certificate. The chain file contains the intermediate CA certificates that link your server certificate to a root CA that clients already trust; without it, clients that do not hold those intermediates cannot validate your certificate. If your CA did not supply a chain, omit the -c parameter.
To upload a signed certificate
Use the iam-servercertupload command to upload a signed certificate:
On Linux and UNIX computers, enter the following command:
$ ./iam-servercertupload -b public_key_certificate_file -c certificate_chain_file -k private-key.pem -s certificate_object_name
On Windows computers, enter the following command:
c:\> iam-servercertupload -b public_key_certificate_file -c certificate_chain_file -k private-key.pem -s certificate_object_name
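The upload command fails, or worse, succeeds with a broken certificate, when the private key, the signed certificate and the chain do not belong together. The script below is an added example, not part of the AWS documentation: it creates the private key and CSR non-interactively (covering the key and CSR steps above), obtains a signed certificate, and then checks that certificate, chain and key agree before they are handed to iam-servercertupload. So that it runs offline, the CA step is a throw-away self-signed root created locally and labelled as such; with a real CA you would send csr.pem off and copy the returned files into cert.pem and chain.pem instead. It assumes openssl is on the PATH; all hostnames and organization names are constructed, and the IAM upload itself is not run.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): build a private key and CSR,
# obtain a signed certificate, and check that certificate, chain and key agree
# before running iam-servercertupload. To run offline, the signing step uses a
# throw-away self-signed CA created here; with a real CA, send csr.pem to the
# CA and place the returned files in cert.pem and chain.pem instead.
# All hostnames and names below are constructed for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Private key (2048-bit RSA; 1024 is too weak) and a CSR answered
#    non-interactively with -subj so the Common Name cannot be mistyped.
make_key_and_csr() {
    host="$1"
    (umask 077; openssl genrsa -out "$WORK/private-key.pem" 2048 2>/dev/null)
    openssl req -new -key "$WORK/private-key.pem" -out "$WORK/csr.pem" \
        -subj "/C=US/ST=Washington/L=Seattle/O=Example Corp./CN=$host" 2>/dev/null
}

# 2. Stand-in for the CA step: a local self-signed root signs the CSR.
#    Produces cert.pem (the signed certificate) and chain.pem (the CA chain).
fake_ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" \
        -subj "/C=US/O=Example Test CA/CN=Example Test Root" 2>/dev/null
    openssl x509 -req -in "$WORK/csr.pem" -CA "$WORK/ca-cert.pem" \
        -CAkey "$WORK/ca-key.pem" -CAcreateserial -days 30 \
        -out "$WORK/cert.pem" 2>/dev/null
    cp "$WORK/ca-cert.pem" "$WORK/chain.pem"
}

# 3. Pre-upload checks. Each exits 0 on success so they compose with && and ||.
key_matches_cert() {     # the RSA modulus must be identical in key and cert
    [ "$(openssl rsa -in "$1" -noout -modulus)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}
cert_chains_to() {       # the certificate must validate against the chain file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
cert_cn() {              # print the Common Name from the certificate subject
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_not_expired() {     # -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# precheck CERT CHAIN KEY HOST: run every check and report the first failure.
precheck() {
    key_matches_cert "$3" "$1"   || { echo "key does not match certificate" >&2; return 1; }
    cert_chains_to "$1" "$2"     || { echo "certificate does not chain to $2" >&2; return 1; }
    cert_not_expired "$1"        || { echo "certificate has expired" >&2; return 1; }
    [ "$(cert_cn "$1")" = "$4" ] || { echo "CN is '$(cert_cn "$1")', expected '$4'" >&2; return 1; }
    echo "ok: ready for iam-servercertupload -b $1 -c $2 -k $3"
}

# main HOST: the whole flow, for example:  sh prepare-cert.sh www.example.com
main() {
    make_key_and_csr "$1"
    fake_ca_sign
    precheck "$WORK/cert.pem" "$WORK/chain.pem" "$WORK/private-key.pem" "$1"
}

# Run only when a hostname is given; sourcing the file just defines the functions.
[ $# -eq 0 ] || main "$1"
```

The modulus comparison is the check that catches the most common mistake, uploading a certificate together with a key that was regenerated after the CSR was sent; `openssl verify -CAfile` catches a chain file that belongs to a different CA or is missing an intermediate, which otherwise only shows up as a client-side trust error after the load balancer is live.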
After the digitally signed certificate is uploaded, you can verify that the information is stored in IAM. Each certificate object has a unique Amazon Resource Name (ARN) and GUID. You can request these details for a specific certificate object by referencing the name of the certificate object.
To view the certificate object's ARN and GUID
Use the iam-servercertgetattributes command to verify the certificate object:
On Linux and UNIX computers, enter the following command:
$ ./iam-servercertgetattributes -s certificate_object_name
On Windows computers, enter the following command:
c:\> iam-servercertgetattributes -s certificate_object_name
The output will look similar to the following example.
arn:aws:iam::Your_AWS_Account_ID:server-certificate/Your_Certificate_Object_Name
Certificate_Object_GUID
You have now completed the process for creating and uploading signed certificates. For information about setting up a load balancer using Amazon ELB's HTTPS support, see the command line interface (CLI) examples in the How to Set Up a LoadBalancer with HTTPS Support section of the Amazon Elastic Load Balancing Developer Guide.