Prerequisites

You would need these three items:

  1. The actual Server certificate (.crt file)
  2. Private key (.crt file)
  3. CA bundle (contains the intermediate certificates and the root certificate). This chain of certificates in the bundle improves the compatibility between certificates used in browsers.

Step 1 – The first step is to convert items 1 and 2 to PEM format. PEM (Privacy Enhanced Mail) is a Base64-encoded DER certificate.

Why?

We need this conversion of certificates and keys to different formats to make them compatible with specific types of servers or software. For example, you can convert a normal PEM file that would work with Apache to a PFX (PKCS#12) file and use it with Tomcat or IIS.

  • openssl x509 -inform der -in certificate.cer -out certificate.pem

Note: you can also use an online converter (SSL Converter) to convert certificates without messing with OpenSSL. Use such a converter only for the certificate; the private key should not leave your machine.

On AWS, perform the following steps in sequence:

  • From your Console (Network), select the option called ‘Load Balancers’.
  • In the main pane, select only the load balancer for which you are uploading the certificate.
  • Click on the ‘Listeners’ tab. Click on ‘Edit’ and then ‘Add’.
  • Select HTTPS as the protocol and click ‘Change’ in the ‘SSL Certificate’ column.
  • Click the radio button called ‘Upload a new SSL certificate to AWS Identity and Access Management (IAM)’.
  • You may wish to rename your certificate. Giving it a name that you are likely to remember in the future can save you a lot of hassle.
  • For the Private Key field, simply paste the text from your file. This should include the “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----” lines.
  • For the Public Key Certificate field, simply paste the text from your file. You must include the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines.
  • For the ‘Certificate Chain’ field, simply paste the text from your ‘CA_bundle.crt’ or equivalent file. In every case, you should have a total of three certificates in the CA bundle in this text field. You must include the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines here as well.
  • Click on the blue-colored Save button to finalize your SSL install.
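Before pasting the three fields, the files can be checked locally. The script below is an added example, not part of the original post: it converts a DER certificate with the openssl command shown above, confirms that the private key belongs to the certificate, and verifies the certificate against the CA bundle. The function names, file names and the throwaway CA and server certificate it generates are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: local checks before pasting certificate, key and chain into the ELB form.
# Function and file names are assumptions, not from the original post.

# Convert a DER-encoded certificate to PEM; copy it unchanged if it is already PEM.
to_pem() {  # to_pem <in> <out>
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    cp "$1" "$2"
  else
    openssl x509 -inform der -in "$1" -out "$2"
  fi
}

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {  # key_matches_cert <cert.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Number of certificates in the CA bundle.
chain_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Full check: prints "ok", or the first failure and returns non-zero.
# The bundle is used as the trust store, so every certificate in it is treated as trusted.
check_bundle() {  # check_bundle <cert.pem> <key.pem> <ca_bundle.pem>
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate"; return 1; }
  [ "$(chain_count "$3")" -ge 1 ] || { echo "no certificates in chain"; return 1; }
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo "chain does not verify certificate"; return 1; }
  echo "ok"
}

# Constructed sample data: a throwaway CA and a DER server certificate, valid for one day.
make_samples() {  # make_samples <dir>
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out CA_bundle.pem \
      -subj "/CN=Constructed Test CA" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=example.test" &&
    openssl x509 -req -in server.csr -CA CA_bundle.pem -CAkey ca.key \
      -CAcreateserial -out server.pem -days 1 &&
    openssl x509 -in server.pem -outform der -out certificate.cer ) >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && make_samples "$d" && to_pem "$d/certificate.cer" "$d/certificate.pem" &&
    check_bundle "$d/certificate.pem" "$d/server.key" "$d/CA_bundle.pem"
}
demo
```

With real files, skip `make_samples` and call `to_pem` and `check_bundle` on your own certificate, key and CA bundle.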

Summary

That’s it: you just have to convert to PEM format as a prerequisite to installing an SSL cert on an EC2 instance.

Appendix – DER vs PEM vs X.509  – Encodings for X.509 certificates (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “-----BEGIN …” line.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.