
As the title says, I want to have one SSL certificate for multiple instances in Amazon AWS. The multiple instances are connected to the internet through a load balancer. To make an SSL certificate and to use it with the load balancer I found this article: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html .

I read the article and if I understand it right the user connects to the load balancer which holds the certificate. Then the load balancer decrypts the traffic and sends it to the appropriate instance. Correct me if I am wrong!!

I can't recall the site I read it on, but it was saying that you can never depend on the IP address of the load balancer (because it may vary). If that is true, then how can the certificate live on the load balancer? An SSL certificate depends on the IP address of the host too, right (besides the hostname)? Again, correct me if I am wrong!!

So either I did not recall the last part in the right way or Amazon is doing something really funny here? Any help is appreciated!

P.S. I am NOT asking how to set up a load balancer or how to install an SSL certificate on the load balancer.

1 Answer


An SSL certificate depends on the IP address of host too, right (besides the hostname)?

No, only the hostname ("DNS name") is relevant for an X.509 certificate and the Application Layer. Such a certificate has a field called Common Name (CN) which holds the domain name (which also appears in the address bar of your browser). The browser validates the certificate with the provided certificate chain and its local store of trusted CAs and compares the Common Name with the domain the browser connected to. If everything¹ is okay, the connection is secure.

The IP address is relevant for the Transport Layer to establish the connection from your PC to the destination (domain resolved to IP). On top of this connection, the TLS connection, including the certificate, will be established.

Thus all possible load-balancers, where the TLS-connection ends, have to hold the certificate (and the corresponding private key).

¹ There are more checks done, but these are the relevant ones for your question.

sebix
  • Ah, ok so the IP address is not included in the validation of the SSL certificate. So the IP can change as long as the hostname keeps the same? –  Mar 21 '15 at 12:05
  • Yes, you got it. – sebix Mar 21 '15 at 12:06
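The name check the answer describes, written out as an added example (this is not code from the question, the answer, or AWS). It takes a peer certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns and compares the name the client connected to against the certificate's DNS names, preferring the subjectAltName entries and falling back to the Common Name only when there are none, which is what modern clients do. The certificate contents (`www.example.com`, `*.app.example.com`) are constructed for the example; no IP address takes part in the comparison, which is why the load balancer's address can change without invalidating the certificate. The dict shape and the footnote's "more checks" (chain, expiry, revocation) are assumptions and deliberately left out here.

```python
import ipaddress
from typing import List

# Constructed peer-certificate dict in the shape ssl.getpeercert() returns
# (assumed shape for this example; the names are made up, not from the page).
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.app.example.com"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (optionally a leftmost wildcard) against a hostname.

    Comparison is case-insensitive and ignores a trailing dot; a wildcard covers
    exactly one leftmost label (RFC 6125 style), so *.app.example.com matches
    api.app.example.com but not app.example.com or x.api.app.example.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".app.example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the part the '*' has to cover
    return bool(leftmost) and "." not in leftmost


def certificate_names(cert: dict) -> List[str]:
    """DNS names the certificate was issued for.

    subjectAltName dNSName entries win; the Common Name is only a legacy fallback
    used when the certificate carries no SAN at all.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def hostname_matches(cert: dict, connected_to: str) -> bool:
    """True if the name the client connected to is one the certificate covers.

    The transport-layer address is irrelevant: an IP literal is not a DNS name,
    so it never matches a certificate that only lists DNS names.
    """
    try:
        ipaddress.ip_address(connected_to)
        return False          # connected by IP; the certificate names hosts, not addresses
    except ValueError:
        pass                  # a hostname, carry on with the name comparison
    return any(_dns_name_matches(name, connected_to) for name in certificate_names(cert))


if __name__ == "__main__":
    for target in ("www.example.com", "api.app.example.com", "app.example.com", "203.0.113.10"):
        print(f"{target:24} -> {'match' if hostname_matches(CONSTRUCTED_CERT, target) else 'NO match'}")
```

Whichever load balancer answers a given connection, the client only ever checks the name it typed against the names in the presented certificate, so every balancer that terminates TLS for that name needs a copy of the same certificate and key, exactly as the answer says.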