20

I have a cert.pfx file; I need to install it to be used in an Amazon Elastic Load Balancer. How can I do it?

snowindy
  • Rather sounds like a question that your favourite search engine will answer (or AWS docs/customer support) – m02ph3u5 Mar 22 '16 at 14:58
  • 4
    @m02ph3u5 Because it's QA style question, and I spent over two days on getting a clear and working answer which is below. – snowindy Mar 22 '16 at 16:32

3 Answers

39
  1. Extract the private key without password. The first command will request the pfx password and prompt for a password for key.pem; a password for key.pem must be provided. The second command asks for the key.pem password provided for the 1st command.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out server.key

  2. Extract the certificate:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

  3. Extract the certificate chain:

openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

  4. The certificate chain contains several items. You may need to remove the item that refers to your certificate; it's on top and it's not needed. Give it a try with/without removing the top item. After that the other items should be placed in reverse order.

  5. server.key is the private key in ELB, cert.pem is the certificate in ELB, output #4 is the certificate chain.

Good luck!

walkermatt
snowindy
  • Really make sure you provide a password for key.pem - it doesn't complain if you don't so you end up with a broken file. – tschumann Sep 30 '19 at 05:07
  • Sometimes the cert does not contain the intermediate CA certs, and the chain.pem is empty in that case. And AWS does not accept such a thing. I found a solution via this article: https://chadstechnoworks.com/wptech/os/how_to_extract_root_and_intermediate_certificates_from_client_certificate.html – v.karbovnichy Aug 18 '20 at 13:12
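The procedure in this answer, carried through as a script. This is an added example, not code from the answer or from AWS, and it assumes only that the `openssl` CLI (1.1.1 or 3.x) is on PATH. It differs from the steps above in three places: the key is exported with `-nodes`, so there is no key.pem passphrase to forget (the broken-file pitfall from the comments); the chain is pulled with `-cacerts`, so there is no leaf to strip by hand; and instead of blindly reversing the remaining items it follows issuer links from the leaf upward, which gives the order ELB wants whatever order the bundle stored them in. When the bundle carries no CA certificates at all (the empty chain.pem case from the comments) it fails with exit status 2 rather than writing an empty file. The `make_test_pfx` helper builds a constructed root / intermediate / leaf bundle so the script can be exercised offline; all names in it are made up.

```shell
#!/bin/sh
# Added example: split a PKCS#12 bundle into the three PEM files ELB expects
# and order the chain by following issuer links. Assumes the openssl CLI.

# Print the RFC 2253 subject or issuer of the first certificate in a PEM file.
cert_name() {  # cert_name subject|issuer FILE
  openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*=//'
}

# Split every certificate in PEM_FILE into DIR/<PREFIX>NN.pem, in file order.
split_certs() {  # split_certs PEM_FILE DIR PREFIX
  awk -v dir="$2" -v p="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%s%02d.pem", dir, p, n) }
    f { print > f }
    /-----END CERTIFICATE-----/  { close(f); f = "" }' "$1"
}

# List the subject of each certificate in a PEM bundle, one per line, in order.
chain_subjects() {  # chain_subjects PEM_FILE
  t=$(mktemp -d)
  split_certs "$1" "$t" c
  for f in "$t"/c*.pem; do [ -f "$f" ] && cert_name subject "$f"; done
  rm -rf "$t"
}

# pfx_to_elb PFX PASSWORD OUTDIR
# Writes OUTDIR/server.key (unencrypted), OUTDIR/cert.pem (leaf) and
# OUTDIR/chain.pem (issuer of the leaf first, up to the root, leaf excluded).
# Returns 1 on an OpenSSL error and 2 when the bundle has no CA certificates.
pfx_to_elb() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out" || return 1
  # -nodes writes the key unencrypted, so no key.pem passphrase is involved.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/key.pem" || return 1
  openssl rsa -in "$out/key.pem" -out "$out/server.key" || return 1
  # Leaf certificate only (the one that matches the private key).
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out/cert.pem" || return 1
  # CA certificates only. An empty bundle is detected below by counting
  # certificates, not by exit status.
  rm -f "$out/ca-all.pem"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out/ca-all.pem" 2>/dev/null
  t=$(mktemp -d)
  split_certs "$out/ca-all.pem" "$t" ca
  # Walk from the leaf's issuer upward, picking the CA cert whose subject matches.
  # Each cert is consumed once, so a malformed bundle cannot loop forever.
  want=$(cert_name issuer "$out/cert.pem")
  : > "$out/chain.pem"
  n=0
  while :; do
    next=
    for f in "$t"/ca*.pem; do
      [ -f "$f" ] || continue
      if [ "$(cert_name subject "$f")" = "$want" ]; then next=$f; break; fi
    done
    [ -n "$next" ] || break
    cat "$next" >> "$out/chain.pem"
    n=$((n + 1))
    subj=$(cert_name subject "$next")
    want=$(cert_name issuer "$next")
    mv "$next" "$next.used"
    [ "$subj" != "$want" ] || break   # self-signed root reached, chain complete
  done
  rm -rf "$t"
  if [ "$n" -eq 0 ]; then
    echo "pfx_to_elb: no CA certificates in $pfx; obtain the intermediates separately" >&2
    return 2
  fi
  return 0
}

# Constructed test material: root -> intermediate -> leaf, packed with the CA
# certs root-first so the ordering step has work to do, plus nochain.pfx,
# a bundle without any CA certs. Names are made up.
make_test_pfx() {  # make_test_pfx DIR
  dir=$1
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
  openssl req -batch -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -out "$dir/int.crt" 2>/dev/null || return 1
  openssl req -batch -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null || return 1
  cat "$dir/root.crt" "$dir/int.crt" > "$dir/cas.pem"
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" -certfile "$dir/cas.pem" \
    -passout pass:secret -out "$dir/cert.pfx" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
    -passout pass:secret -out "$dir/nochain.pfx" 2>/dev/null || return 1
}

# Stand-alone use: sh pfx_to_elb.sh cert.pfx 'pfx password' outdir
if [ $# -eq 3 ]; then pfx_to_elb "$1" "$2" "$3"; fi
```

After a run, `chain_subjects outdir/chain.pem` shows the order that will be pasted into the ELB chain field; the first line should be the issuer named in `openssl x509 -noout -issuer -in outdir/cert.pem`, and the last line a self-signed root.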
3

You can easily convert the format of the certificate using the OpenSSL suite.

The process is very easy and a good guide is here: http://www.petefreitag.com/item/16.cfm.

About the different steps (taken from the link I reported above):

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem

# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

# This removes the passphrase from the private key so Apache won't
# prompt you for your passphrase when it starts
openssl rsa -in key.pem -out server.key

Now, if you have a Linux distro, it is straightforward to install OpenSSL (yum install openssl on an rpm based distro).

If you don't have a Linux distro installed, then the quickest would be to go for a live distribution (I personally love Fedora https://getfedora.org/).

I hope this helps.

Todd Lyons
Maurizio Benedetti
  • What can a man do to get some more karma on SO? Even not reading the question at all, which is specific to Amazon ELB SSL. – snowindy Mar 22 '16 at 16:35
  • Actually I just wanted to help. Didn't see that the previous response was from you. My advice is to close and accept your response so that your (incomplete) question won't pop up again in the list. Have a good day – Maurizio Benedetti Mar 23 '16 at 09:07
  • I would happily mark mine as the answer if SO allowed me to do it. Actually I can't do it for 48h after posting the question, even if it's Q/A style. Thanks anyway. – snowindy Mar 23 '16 at 11:25
-1

First go to Certificate Manager and import your certificate [cert, key, chain], then create the AWS LB with the existing certificate.

Jubba Smail
  • 2
    He doesn't have a cert, key, and chain. He has a single file, *.pfx. He is mostly complaining (legitimately) that AWS doesn't allow you to import a pfx file like seemingly every other place allows you to do. – Todd Lyons Oct 30 '17 at 13:52