• Tweet

• Tweet

This is in continuation to Amazon ELB SSL Termination HowTo. Earlier we have seen how to setup Elastic Load Balancer with SSL termination on Amazon. Now we will see how do we change the SSL certification once we renew it or revoke it for some reason.

To enable to change the certificate used by Elastic Load Balancer (ELB) we need to install the ELB and IAM command line tool. To install these tools you need to do as follows.

1. Download and install Java JDK or JRE (minimum 1.6) from here.
2. Set JAVA_HOME environment variable.
3. Download and install IAM Client tool from here.
4. Download and install ELB Client tool from here.

Installing IAM tool

Once downloaded the IAMCli.zip file extract the zip content now do the following:

1. Create an environment variable AWS_IAM_HOME pointing to IAM client folder ‘AWS_IAM_HOME=/path/to/iam/folder’.
2. Add $AWS_IAM_HOME/bin to your path (in Windows: %AWS_IAM_HOME%bin).
3. Change $AWS_IAM_HOME/aws-credential.template change AWSAccessKeyId and AWSSecretKey to yours
4. Create an environment variable AWS_CREDENTIAL_FILE pointing to aws-credential.template file ‘AWS_CREDENTIAL_FILE=$AWS_IAM_HOME/aws-credential.template’ (in windows ‘AWS_CREDENTIAL_FILE=%AWS_IAM_HOME%/aws-credential.template’).
5. If you are behind proxy change $AWS_IAM_HOME/client-config.template (this is self explanatory).
6. Create an environment variable CLIENT_CONFIG_FILE poting to client-config.template file ‘CLIENT_CONFIG_FILE=$AWS_IAM_HOME/client-config.template’ (in windows ‘CLIENT_CONFIG_FILE=%AWS_IAM_HOME%/client-config.template’).

Installing ELB tool

Once downloaded the ElasticLoadBalancing.zip file extract the zip content now do the following:

1. Create an environment variable AWS_ELB_HOME pointing to ELB client folder ‘AWS_ELB_HOME=/path/to/elb/folder’.
2. Add $AWS_ELB_HOME/bin to your path (in Windows: %AWS_ELB_HOME%bin).
3. Now login to your AWS web console create the private file. You will be prompted to download the private key file save it as my-pk.pem.
4. Now go to X.509 Certificate tab create your X509 certificate and download it save it as my-cert.pem.
5. Now create an environment variable named EC2_CERT pointing to my-cert.pem ‘EC2_CERT=/path/to/my-cert.pem’.
6. Now create an environment variable named EC2_PRIVATE_KEY pointing to my-pk.pem ‘EC2_PRIVATE_KEY=/path/to/my-pk.pem’.
7. Now create an environment variable named SERVICE_JVM_ARGS to set JVM parameter if you are behind the proxy ‘SERVICE_JVM_ARGS=”-Dhttp.proxyHost=my.pro.xy.ip -Dhttp.proxyPort=8080 -Dhttps.proxyHost=my.pro.xy.ip -Dhttps.proxyPort=8080″.

Now we are set to upload new certificates to Amazon and apply it to ELB. To upload new certificate we need following:

1. New Certificate (PEM Encoded).
2. Private Key (Used to generate the CSR PEM Encoded)
3. Chain Certificate (Optional)

Uploading the Certificate

To upload the certificate to amazon issue below command on command line.

iam-servercertupload -b domain_com.crt -c chain_cert.pem -k private.key -s NewCertificateName

Now to verify that your certificate has been uploaded successfully issue following command on command line.

iam-servercertlistbypath

This will give output as follows

arn:aws:iam::accountnumber:server-certificate/CertLB
arn:aws:iam::accountnumber:server-certificate/CertLBNEW
arn:aws:iam::accountnumber:server-certificate/UATCert
IsTruncated: false

Now its time to apply the new certificate to ELB. To do this issue following command on command line.

elb-set-lb-listener-ssl-cert –region eu-west-1 –lb mylb –lb-port 443 –cert-id arn:aws:iam::accountnumber:server-certificate/CertLBNEW

Now open your browser and go to your https://domain.com and verify that you have latest Certificate listed.