Installing a new SSL certificate in your ELB via CLI

For future me:

  1. Create the key and CSR:
    $ openssl req -out wildcard.site.com.csr -new -newkey rsa:2048 -nodes -keyout wildcard.site.com.key
    
  2. Upload the CSR to your SSL vendor (in this case, DigiCert) and obtain the signed SSL certificate.
  3. Create a PEM-encoded version of the signing key. This is required for AWS/IAM certs. To check if your key is already PEM-encoded, just "head -1 site.key". If the first line says "-----BEGIN PRIVATE KEY-----" then it's NOT PEM-encoded. The first line should be "-----BEGIN RSA PRIVATE KEY-----".
    $ openssl rsa -in wildcard.site.com.key -outform PEM -out wildcard.site.com.pem.key
    writing RSA key
    
  4. Upload the certificate to the IAM keystore:
    $ aws iam upload-server-certificate --server-certificate-name star_site_20141014 --certificate-body file:///Users/evan/certs_20141014/site/certs/star_site_com.crt --private-key file:///Users/evan/certs_20141014/wildcard.site.com.pem.key --certificate-chain file:///Users/evan/certs_20141014/site/certs/DigiCertCA.crt
    {
        "ServerCertificateMetadata": {
            "ServerCertificateId": "XXXXXXXXXXXXXXX",
            "ServerCertificateName": "star_site_20141014",
            "Expiration": "2017-12-18T12:00:00Z",
            "Path": "/",
            "Arn": "arn:aws:iam::9999999999:server-certificate/star_site_20141014",
            "UploadDate": "2014-10-14T15:29:28.164Z"
        }
    }
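
The four steps above as POSIX shell functions, with the checks worth running before the upload. This is an added example, not the original post's own commands: it assumes openssl and the aws CLI are on PATH, "*.example.com", the file names and the certificate name "star_example_com" are placeholders, and the self-signed certificate the demo builds is a constructed stand-in for the vendor-signed one. It also handles one thing the post's 2014 OpenSSL did not: OpenSSL 3's "openssl rsa" writes PKCS#8 ("BEGIN PRIVATE KEY") by default, so the conversion passes -traditional when the installed binary supports it, which yields the "BEGIN RSA PRIVATE KEY" header the post expects. Before uploading it also confirms the certificate was issued for the key (same RSA modulus), which is the usual reason IAM rejects a pair.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: openssl and the aws
# CLI are installed; "*.example.com" and the file names are placeholders.
set -eu

# Step 1: key and CSR. -nodes leaves the key unencrypted on disk (IAM needs an
# unencrypted key), so it is written with owner-only permissions.
make_key_and_csr() {  # $1 = common name, $2 = output basename
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
          -keyout "$2.key" -out "$2.csr" 2>/dev/null )
}

# Step 3: rewrite the key in traditional PKCS#1 ("RSA PRIVATE KEY") form.
# OpenSSL 3 writes PKCS#8 by default; -traditional restores the old format.
to_rsa_private_key() {  # $1 = input key, $2 = output key
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null
    else
        openssl rsa -in "$1" -outform PEM -out "$2" 2>/dev/null
    fi
}

# The post's "head -1" check as a function: true when the header is right.
has_rsa_header() {  # $1 = key file
    [ "$(head -1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ]
}

# Pre-upload check: the certificate must carry the same RSA modulus as the key.
cert_matches_key() {  # $1 = certificate, $2 = private key
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 4: upload to IAM. Only prints the command unless DO_UPLOAD=1 is set.
upload_server_certificate() {  # $1 = name, $2 = cert, $3 = key, $4 = chain
    has_rsa_header "$3" || { echo "key is not in RSA PRIVATE KEY format" >&2; return 1; }
    cert_matches_key "$2" "$3" || { echo "certificate does not match key" >&2; return 1; }
    if [ "${DO_UPLOAD:-0}" = "1" ]; then
        aws iam upload-server-certificate --server-certificate-name "$1" \
            --certificate-body "file://$2" --private-key "file://$3" \
            --certificate-chain "file://$4"
    else
        echo "aws iam upload-server-certificate --server-certificate-name $1" \
             "--certificate-body file://$2 --private-key file://$3" \
             "--certificate-chain file://$4"
    fi
}

# Stand-alone walk-through: a self-signed certificate (constructed here) stands
# in for the vendor-signed one, and the chain is the certificate itself.
demo() {
    d=$(mktemp -d)
    b="$d/wildcard.example.com"
    make_key_and_csr '*.example.com' "$b"
    to_rsa_private_key "$b.key" "$b.pem.key"
    head -1 "$b.pem.key"
    openssl x509 -req -in "$b.csr" -signkey "$b.key" -out "$b.crt" -days 1 2>/dev/null
    upload_server_certificate star_example_com "$b.crt" "$b.pem.key" "$b.crt"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "sh elb_cert.sh demo" to see the converted key header and the upload command it would issue; export DO_UPLOAD=1 to actually call the aws CLI with your real certificate, chain and key paths.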
    

Once the above steps are complete, you can go into the web console (EC2 -> Load Balancers), select the ELB whose cert you want to change, click the “Listeners” tab, click the SSL port (443) and select the new cert from the dropdown.
