1

I first followed the instructions on AWS's documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html#generate-key-submit-csr

openssl genrsa -out mykey-private-key-file.pem 2048 openssl ecparam -name prime256v1 -out mykey-private-key-file.pem -genkey openssl req -sha512 -new -key mykey-private-key-file.pem -out mykey-csr.pem

But when we tried to submit our CSR, then it complained, so then I followed the instructions on rapidssl:

https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO13985

openssl genrsa -des3 -out mykey-private-key-file.pem 2048 openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem openssl req -new -key mykey-private-key-file.pem -out mykey-csr.pem

We got our approval response with the x.509 Web Server Certificate and Intermediate CA.

When I copy the mykey-private-key-file.pem into the "Private Key" field on the EC2 Management Console, then it complains that:

"Error creating certificate Unable to parse key; the body is encrypted."

I don't really know what I'm doing. I tried converting the private key like they suggest here: https://www.geekpete.com/blog/converting-ssl-pem-format-aws/ but then it doesn't match. Does this mean I have to go through the process all over again?

Improve this question

2 Answers 2

Reset to default
3

Since it took me a while to figure this out as well, I thought I would post my process here (in hopes that it saves someone some time).

This process assumes you already know how to request a certificate from your favorite certificate issuer.

You can just to a find-and-replace on "yourDomain" and then run the commands at a bash prompt. OSX or pretty much any flavor of Linux should do just fine.

# to generate a certificate request openssl req -new -newkey rsa:2048 -nodes -keyout yourDomain.key -out yourDomain.csr # Sumbit the CSR. When the CRT file comes back... # Open the cert in a text editor... # create a new file vi yourDomain.crt # press 'i' to start insert mode # paste the contents of the CRT file you received # prese ESC, then 'wq', then enter. This saves the file and exits VIM # convert the CRT you just wrote to disk into the PEM format expected by ELB openssl x509 -in yourDomain.crt -out yourDomain.pem -outform PEM # convert the private key to PEM format expected by ELB openssl rsa -in yourDomain.key -outform PEM -out yourDomain.pem.key # display the contents of the private key file and certificate file so you can paste them into the dialog when setting up the listener on the ELB cat yourDomain.pem.key cat yourDomain.pem
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Actually it was because of the copy and paste from my email. Even though I copied it into a text editor first. Totally lame error message.

But I did have to to run this step from the geekpete link.

openssl rsa -in yourwebsite_private.key -out pem-yourwebsite_private.key

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.