0

My site works well on every browser and device, except on Android, where it throws a security exception. I already installed my SSL certificate on my Amazon Elastic Beanstalk instance (by installing the certificate on the load balancer).

It seems that I may be running into the following case:

http://blog.michaelfmcnamara.com/2011/07/googleandroid-root-and-intermediate-certificate-issues/

It seems that I have to install an intermediate certificate.

Can anyone help me with that? I don't really know what it means.

Tony

2 Answers

2

Concatenate the files provided manually, in the following order:

  • site.com.crt
  • intermediate.crt (one or more, the order of these doesn't matter)
  • ROOT.crt

You can do this from a shell with the cat command:

cat site.com.crt intermediate.crt ROOT.crt > site.chain.pem

Or copy/paste them, with no whitespace between; make sure the certificates are on different lines:

-----BEGIN CERTIFICATE-----
site cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root cert
-----END CERTIFICATE-----

If you don't have the root, concatenate the site cert with the intermediates, without the root cert. Such as:

-----BEGIN CERTIFICATE-----
site cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----

How do I Install Intermediate Certificates (in AWS)?

Brian Knight
  • site.com is the certificate that I am already using? Where is the Root cert? Do I have to download from the CA? – Tony Nov 05 '13 at 17:17
  • If you don't have the root, just concatenate the intermediate cert to the site cert and then upload. – Brian Knight Nov 05 '13 at 17:20
  • I got this message from Amazon 400 MalformedCertificate Invalid Public Key Certificate. – Tony Nov 05 '13 at 19:13
  • Does your file look like the update I added above for site cert + intermediate cert? – Brian Knight Nov 05 '13 at 19:20
  • yes.... -----BEGIN CERTIFICATE----- A LOT OF STUFF -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ALOT OF STUFF -----END CERTIFICATE----- – Tony Nov 05 '13 at 19:24
  • Comments don't preserve line breaks, but yes... it looks like your answer – Tony Nov 05 '13 at 19:24
  • I am using the following command to upload: iam-servercertupload -b full_cert.crt -k private-key.pem -s 20131105_testcert -v --aws-credential-file aws_cred – Tony Nov 05 '13 at 19:25
  • Do I have to change anything on my private key? – Tony Nov 05 '13 at 19:25
  • Are your certs in PEM format? http://www.nczonline.net/blog/2012/08/15/setting-up-ssl-on-an-amazon-elastic-load-balancer/ – Brian Knight Nov 05 '13 at 19:27
  • I am not sure, but I used to use the same command to upload the certificate and it worked fine (without appending the intermediate). Does it make sense? – Tony Nov 05 '13 at 19:30
  • I downloaded a certificate from my certificate authority. I don't know if it's in PEM format – Tony Nov 05 '13 at 19:31
  • Ok, it seems that my intermediate certificate is wrong, without that it works well. I tried to convert it to .pem and it didn't work either. Any ideas? – Tony Nov 05 '13 at 20:53
  • Go to your certificate provider and ask for a new one. – Brian Knight Nov 05 '13 at 21:11
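
An added example, not part of the original answers or comments: a standard-library Python check to run on the concatenated bundle before uploading it. It confirms that every block is a well-formed PEM certificate and that the blocks after the site certificate actually belong to its issuer chain. It goes beyond the thread by following issuer/subject names inside the DER; it compares names only and does not verify signatures. The function names and the file argument are this example's own assumptions.

```python
# Added example, not from the thread; function names are this example's own.
import base64, re, sys

PEM_RE = re.compile(r"^-----BEGIN CERTIFICATE-----[ \t\r]*\n(.+?)\n"
                    r"-----END CERTIFICATE-----[ \t\r]*$", re.S | re.M)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER of the issuer and subject Names inside tbsCertificate."""
    _, start, _ = read_tlv(der, 0)         # outer Certificate SEQUENCE
    _, pos, end = read_tlv(der, start)     # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read_tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # optional [0] version
    return fields[2][1], fields[4][1]      # serial, sigAlg, ISSUER, validity, SUBJECT

def check_bundle(pem_text):
    """List problems in a bundle whose first block is the site certificate."""
    blocks = PEM_RE.findall(pem_text)
    if not blocks:
        return ["no PEM certificate blocks found (DER or PKCS#7 file?)"]
    names = []
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            names.append(issuer_subject(der))
        except (ValueError, IndexError) as exc:
            return [f"block {i}: not a valid certificate ({exc})"]
    by_subject = {subj: i for i, (_, subj) in enumerate(names)}
    used, cur = {0}, 0
    while (cur := by_subject.get(names[cur][0], cur)) not in used:  # follow issuer
        used.add(cur)
    return [f"block {i}: not in the chain of block 0 (wrong intermediate?)"
            for i in range(len(names)) if i not in used]

if __name__ == "__main__":
    print("\n".join(check_bundle(open(sys.argv[1]).read())) or "bundle looks consistent")
```
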
0

Sounds like you need to upload the intermediate certificate as well to prove it has been signed by a root authority. You must do something like the following using the AWS command line tools:

iam-servercertupload -b mydomain.crt -k mydomain.nopass.key -c my_intermediate_cert.crt -s mydomain

Alternatively, it can be done through the GUI control panel. Whoever you purchased the cert from should be able to provide the appropriate intermediate cert(s).

phoebus