Amazon now allows you to manage Listeners, SSL certificates and also the SSL ciphers on an existing Elastic Load Balancer (ELB).
These changes can happen via the AWS API or via the AWS web console.
You can now add new Listeners, i.e. ports to listen on. New SSL certificates can be uploaded and existing ones modified.
Below is an image showing the two Listeners: port 80 (HTTP) and port 443 (HTTPS). You can see the name of the SSL certificate assigned to port 443. The Cipher column allows the SSL ciphers to be changed; restricting the listener to strong ciphers makes HTTPS more secure.
Below is the console used to install a new SSL certificate. There are fields for the certificate name, the private key, the public certificate and the certificate chain (ca-bundle).
Below is an image of the SSL ciphers that are currently enabled. Amazon also provides some default cipher options to choose from.
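The same listener, certificate and cipher-policy changes can be made through the API. The script below is an added example (not from the original post) that wraps the AWS CLI "elb" and "iam" commands for each step; the load balancer name, policy names, ports and file paths are placeholders to replace with your own values, and the script only executes against your account when ELB_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post: manage an ELB's HTTPS listener,
# its certificate and its cipher policy with the AWS CLI.
# Names, ports and file paths below are placeholders.

# Upload a PEM key/certificate/chain to IAM and print the certificate ARN,
# which is what an HTTPS listener references.
upload_cert() {
    name="$1"; cert="$2"; key="$3"; chain="$4"
    aws iam upload-server-certificate \
        --server-certificate-name "$name" \
        --certificate-body "file://$cert" \
        --private-key "file://$key" \
        --certificate-chain "file://$chain" \
        --query 'ServerCertificateMetadata.Arn' --output text
}

# Add an HTTPS listener on the front-end port that forwards to plain HTTP
# on the back-end instance port.
add_https_listener() {
    lb="$1"; port="$2"; backend_port="$3"; cert_arn="$4"
    aws elb create-load-balancer-listeners --load-balancer-name "$lb" \
        --listeners "Protocol=HTTPS,LoadBalancerPort=$port,InstanceProtocol=HTTP,InstancePort=$backend_port,SSLCertificateId=$cert_arn"
}

# Swap the certificate on an existing listener, e.g. at renewal time.
replace_listener_cert() {
    lb="$1"; port="$2"; cert_arn="$3"
    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name "$lb" \
        --load-balancer-port "$port" --ssl-certificate-id "$cert_arn"
}

# Restrict ciphers: create an SSL negotiation policy from one of Amazon's
# predefined security policies and attach it to the HTTPS listener.
set_ssl_policy() {
    lb="$1"; port="$2"; reference="$3"; policy="${4:-$reference-policy}"
    aws elb create-load-balancer-policy --load-balancer-name "$lb" \
        --policy-name "$policy" --policy-type-name SSLNegotiationPolicyType \
        --policy-attributes "AttributeName=Reference-Security-Policy,AttributeValue=$reference" \
    && aws elb set-load-balancer-policies-of-listener --load-balancer-name "$lb" \
        --load-balancer-port "$port" --policy-names "$policy"
}

# List the protocol and cipher attributes the policy actually enables,
# so the result can be checked rather than assumed.
show_ssl_policy() {
    aws elb describe-load-balancer-policies --load-balancer-name "$1" --policy-names "$2" \
        --query "PolicyDescriptions[0].PolicyAttributeDescriptions[?AttributeValue=='true'].AttributeName" \
        --output text
}

# Example run; set ELB_APPLY=1 to execute against your account.
if [ "${ELB_APPLY:-0}" = "1" ]; then
    arn=$(upload_cert example-cert cert.pem key.pem chain.pem)
    add_https_listener my-elb 443 80 "$arn"
    set_ssl_policy my-elb 443 ELBSecurityPolicy-TLS-1-2-2017-01
    show_ssl_policy my-elb ELBSecurityPolicy-TLS-1-2-2017-01-policy
fi
```

The policy is created from a predefined reference policy rather than by listing ciphers one by one, so it can be updated later by repointing the reference name; show_ssl_policy prints what the listener ended up with, which is the check to run after any cipher change.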
Errors when installing SSL certificates:
One issue that often comes up is that the key and certificate are in the wrong format. The AWS console specifically states that they must be in PEM format. If you get the error “Error: Invalid Private Key”, the key format is incorrect. The key is usually supplied in a different encoding, so it needs to be converted to PEM format.
To convert the private key to PEM format:
openssl rsa -in MyPrivateKey.key -text
The -text option prints a dump of the key components followed by the key itself in PEM form. Copy and paste the RSA PRIVATE KEY section, including the BEGIN and END lines, into the “Private Key” field.
To convert the certificate to PEM format (the command below re-emits a PEM certificate cleanly; if the certificate is a binary DER file, use -inform DER instead):
openssl x509 -inform PEM -in MySSLCertificate.crt
Now copy and paste the certificate, including the BEGIN and END lines, into the “Public Key Certificate” field.
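The two conversions above, plus the checks worth running before pasting anything into the console, as an added example that is not part of the original post. The script assumes only the openssl command-line tool; the functions accept either PEM or binary DER input, and key_matches_cert catches the other common rejection cause, a key that does not belong to the certificate.

```shell
#!/bin/sh
# Added example, not from the original post: normalise a private key and a
# certificate to PEM and verify they belong together before uploading to an ELB.
# Requires the openssl command-line tool; no other assumptions.

# Emit the private key as PEM, whether the file is already PEM or binary DER.
# Prints nothing and returns non-zero if neither encoding parses.
# (OpenSSL 1.x labels the block "RSA PRIVATE KEY", OpenSSL 3 "PRIVATE KEY";
# both are PEM and both carry the same key.)
key_to_pem() {
    openssl rsa -in "$1" -inform PEM 2>/dev/null && return 0
    openssl rsa -in "$1" -inform DER 2>/dev/null
}

# Emit the certificate as PEM, accepting PEM or DER input.
cert_to_pem() {
    openssl x509 -in "$1" -inform PEM 2>/dev/null && return 0
    openssl x509 -in "$1" -inform DER 2>/dev/null
}

# Public key (SPKI PEM) derived from the private key.
pubkey_of_key() {
    key_to_pem "$1" | openssl rsa -pubout 2>/dev/null
}

# Public key (SPKI PEM) embedded in the certificate.
pubkey_of_cert() {
    cert_to_pem "$1" | openssl x509 -noout -pubkey 2>/dev/null
}

# Succeeds only when the key and certificate share the same public key.
key_matches_cert() {
    k=$(pubkey_of_key "$1")
    c=$(pubkey_of_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when the certificate chains to the supplied ca-bundle.
verify_chain() {
    cert="$1"; chain="$2"
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1
}

# Usage: ./check-elb-cert.sh key.file cert.file [chain.file]
# Writes key.pem and cert.pem next to the inputs and reports the checks.
if [ "$#" -ge 2 ]; then
    key_to_pem "$1" > key.pem || { echo "cannot read private key $1" >&2; exit 1; }
    cert_to_pem "$2" > cert.pem || { echo "cannot read certificate $2" >&2; exit 1; }
    key_matches_cert key.pem cert.pem && echo "key matches certificate" \
        || { echo "key does NOT match certificate" >&2; exit 1; }
    if [ "$#" -ge 3 ]; then
        verify_chain cert.pem "$3" && echo "chain verifies" \
            || { echo "certificate does not chain to $3" >&2; exit 1; }
    fi
    echo "paste key.pem and cert.pem into the console"
fi
```

Each converter tries PEM first and falls back to DER, so the same script works whatever the certificate authority delivered; the match check compares the public key derived from the private key with the one inside the certificate, which is exactly what the load balancer needs to agree on.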