
I'm totally lost so I apologize if I'm not making sense.

I need to create a load balancer in EC2 for our application servers. I'm trying to make the ELB balance traffic over SSL (port 8443). However, it's asking me for an SSL certificate. It looks to be asking me for a public and private key (PEM-encoded).

The servers behind the ELB have a keystore file, which our developers created using Oracle Java's keytool program. The file created is binary. It looks like the ELB is expecting a text, PEM-formatted key.

  1. Why does the ELB require me to enter a certificate? Can't the ELB just forward SSL traffic from one side to the other and let the servers handle SSL?
  2. Are the certificate and keystore file related, and must the keys match on both the ELB and the servers? The AWS documents said to create a private key and certificate using openssl. Can I just independently run openssl to create an SSL certificate for the load balancer and leave the keystore file on the servers alone?

Thanks in advance for your help.

Classified (edited by EEAA)

3 Answers


The ELB can be used in one of two ways:

  1. SSL termination at the ELB.

    In this mode, you'll give the ELB the cert and key. It will decrypt the request and pass it to your servers unencrypted. The benefit of this is that you can reduce the CPU load of your servers.

  2. The ELB just acts as a passthrough.

    The ELB can act as a dumb passthrough. It won't need the cert or key. In order to set it up this way, instead of using the HTTPS option, set it as a TCP port.

Liyan Chang

  • Thanks for the answer. I'll upvote as soon as I get enough rep. And thanks for the idea of making it act like a passthrough. I'll try that out, although I'll probably try your first suggestion since that sounds like it's easier on my servers – Classified Feb 11 '13 at 22:11
  • FYI, for anyone coming back to this answer now (four years later!), you need to use a Classic Load Balancer (not Application Load Balancer) if you want to set up TCP passthrough. – mattandrews Mar 29 '17 at 21:46

The advantage of doing SSL termination on your load balancer is that you relieve your back-end nodes of having to perform SSL encryption/decryption.

As such, just deploy your SSL private key and signed cert to the ELB. That will take care of SSL termination, and can then proxy traffic unencrypted to your back-end instances. If you want traffic between the ELB and your back-end instances to be encrypted, that's fine, but you will still need the ELB to have your private key and signed cert.

In regards to getting your certificates and keys out of the java keystore, that's certainly possible. This Q&A over on Stackoverflow has the details.

EEAA
  1. ELB is the endpoint as far as the client is concerned. It adds metadata headers, etc. ELB can't currently serve SSL without a certificate.

  2. ELB must have the certificate that you want outward facing, but certificates on the actual instances do not have to match. They can be self-signed. You don't even need to install certificates on your instances, but data will travel in the clear over AWS's infrastructure between the instances and ELB. You can create the certificate in any way you like, so long as it's valid.

Edwin
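The three answers above describe two routes: give the ELB its own PEM key and certificate made with openssl (EEAA's and Edwin's point that it need not match the servers' keystore), or pull the existing key and certificate out of the Java keystore (the Stack Overflow link in EEAA's answer), and then choose between an HTTPS listener that terminates SSL and a plain TCP listener that passes it through (Liyan Chang's answer). The script below is an added example that walks through both routes; it is not code from the question, the answers, or AWS. It assumes openssl is installed, and the JDK's keytool for the keystore part; every path, alias, password, port, subnet and certificate name in it is a hypothetical placeholder, and it assumes the keystore's key password equals its store password.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Assumes openssl (and, for the keystore part, the JDK's keytool) is on PATH.
# Every path, alias, password, port, name and ARN below is a hypothetical placeholder.
set -eu

# --- Route A: give the ELB its own key and certificate, made with openssl,
#     and leave the servers' Java keystore alone (the ELB terminates SSL; the
#     instances keep their own, possibly self-signed, certificate).
#     A self-signed cert is fine for testing; for production, send a CSR
#     (openssl req -new ...) to a CA and upload the CA-signed cert instead.
make_elb_cert() {
  dir="$1"; cn="$2"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
    -keyout "$dir/elb-key.pem" -out "$dir/elb-cert.pem" 2>/dev/null
}

# The ELB rejects a certificate whose public key does not belong to the
# uploaded private key, so compare the two public keys before uploading.
pair_matches() {
  key_pub=$(openssl pkey -in "$1" -pubout | openssl dgst -sha256)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl dgst -sha256)
  [ "$key_pub" = "$crt_pub" ]
}

# --- Route B: reuse the servers' existing key and cert on the ELB by pulling
#     them out of the JKS keystore. keytool cannot write a PEM private key, so
#     go JKS -> PKCS#12 (keytool) -> PEM (openssl).
pkcs12_to_pem() {
  # $1 PKCS#12 file, $2 password, $3 openssl pkcs12 selector flags, $4 output.
  # Keystores written by older JDKs use RC2/3DES, which OpenSSL 3 only reads
  # with the legacy provider, hence the -legacy retry.
  openssl pkcs12 -in "$1" -passin "pass:$2" $3 -out "$4" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$1" -passin "pass:$2" $3 -out "$4"
}

jks_to_pem() {
  jks="$1"; alias="$2"; storepass="$3"; outdir="$4"   # key password assumed == store password
  mkdir -p "$outdir"
  keytool -importkeystore -noprompt \
    -srckeystore "$jks" -srcstoretype JKS -srcstorepass "$storepass" \
    -srcalias "$alias" -srckeypass "$storepass" \
    -destkeystore "$outdir/keystore.p12" -deststoretype PKCS12 \
    -deststorepass "$storepass" -destkeypass "$storepass" >/dev/null 2>&1
  pkcs12_to_pem "$outdir/keystore.p12" "$storepass" "-nocerts -nodes" "$outdir/key.raw"
  pkcs12_to_pem "$outdir/keystore.p12" "$storepass" "-nokeys -clcerts" "$outdir/cert.raw"
  # openssl pkcs12 prefixes each block with "Bag Attributes" lines; the ELB
  # wants only the PEM blocks, so rewrite them clean.
  openssl pkey -in "$outdir/key.raw" -out "$outdir/key.pem"
  openssl x509 -in "$outdir/cert.raw" -out "$outdir/cert.pem"
  rm -f "$outdir/key.raw" "$outdir/cert.raw"
}

# --- Wiring it into a Classic Load Balancer (shown, not executed: it needs AWS
#     credentials). Only an HTTPS (or SSL) listener takes the certificate; a
#     TCP listener on 8443 is the passthrough case and needs none.
#
#   aws iam upload-server-certificate --server-certificate-name elb-cert \
#       --certificate-body file://elb-cert.pem --private-key file://elb-key.pem
#   # termination at the ELB (the ARN comes from the upload above):
#   aws elb create-load-balancer --load-balancer-name app-elb --subnets subnet-0123 \
#       --listeners "Protocol=HTTPS,LoadBalancerPort=443,InstanceProtocol=HTTP,InstancePort=8080,SSLCertificateId=arn:aws:iam::123456789012:server-certificate/elb-cert"
#   # passthrough (the instances keep doing SSL with their keystore):
#   aws elb create-load-balancer --load-balancer-name app-elb --subnets subnet-0123 \
#       --listeners "Protocol=TCP,LoadBalancerPort=8443,InstanceProtocol=TCP,InstancePort=8443"

# Stand-alone usage: sh elb-cert.sh /tmp/elb-demo elb.example.test
if [ $# -eq 2 ]; then
  make_elb_cert "$1" "$2"
  pair_matches "$1/elb-key.pem" "$1/elb-cert.pem" && echo "key and cert in $1 match"
fi
```

Note that the two `aws` commands are left as comments because they need an account to run against; the rest of the script runs offline. For route A the servers' keystore is never touched, which is exactly the "create it independently with openssl" case the question asks about; the cert on the instances only matters if you also want the ELB-to-instance leg encrypted, and even then it does not have to match the ELB's.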