
I bought an SSL cert from Go Daddy and I'm hosting my website on a Linux instance running nginx on AWS.

I am trying to install an SSL certificate on to an instance I have on AWS.

This is my understanding of how the process works.

In order to get an SSL certificate I must create a CSR; when making a CSR a private key is also created. I submit my CSR to my CA (Go Daddy) and they use that to create my cert and my cert chain. Then I put the cert, cert chain and private key into my server and that's it.

There are two ways to do this, either directly on the server or through AWS. I'm trying to do it on AWS.

https://sg.godaddy.com/help/manually-install-an-ssl-certificate-on-my-aws-server-32075

This tutorial assumes I already have a CSR and private key, which I don't.

So I tried the following to get a CSR:

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaGetCsr.html

https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html

  1. Go to Amazon Certificate Manager

  2. Create a subordinate CA (I don't know why)

    2.1. Put your details, not Go Daddy's details.

    2.2. Accept default settings for all the following pages and create

  3. Install subordinate CA certificate

    3.1. Choose External private CA

    3.2. This page gives you a CSR for this CA; copy and paste the CSR into Go Daddy to key the certificate from Go Daddy to my server

    3.3. Download the newly keyed SSL cert from Go Daddy, put the bundle file in the certificate chain field, put the other file in the certificate body field

Now I get

MalformedCertificateException: The basic constraints extension must specify that the certificate is for a CA.

I've clearly done something wrong here. The error message seems as if I have misinterpreted the purpose of this Amazon feature.

And I've only got a CSR; I don't have a private key.

When following this guide

https://sg.godaddy.com/help/manually-install-an-ssl-certificate-on-my-aws-server-32075

I get to step 8 and I don't have a private key file.

After doing some research I found these

https://superuser.com/a/1428640

https://serverfault.com/a/919007/596551

Which says I'll never be issued the private key from this method, which puts me back to square one: no CSR and no private key, therefore no cert can be generated. However, as per the first link, I am using an Amazon Load Balancer.

My questions are:

  1. Is my understanding of the process of applying an SSL certificate right?
  2. What is the correct way of applying an SSL cert to AWS from scratch?


  • You are looking at the instructions for ["ACM Private CA"](https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaWelcome.html) which is a CA hierarchy run **on and by Amazon _for_ you** and completely incompatible with any _other_ CA like GoDaddy. The next section on that page says for "certificates you import" (from another CA) to go to https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html instead. In particular see https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html . – dave_thompson_085 Oct 14 '20 at 12:08

1 Answer

I haven't read your AWS doc links, but I have done the certificate apply on AWS ELB, EC2 VM, and Apache httpd many times. You don't have to follow the AWS guide if that does not sound simple to you. You can do it the old-fashioned way. That's how I do it. You create a CSR and private key with the openssl command in a Linux server, and then get the signed SSL cert from Go Daddy for that CSR. Later you can import the certs and private key in AWS ACM, which you can later use to apply to ELB, or directly apply these certs and keys in the web server. Simple, isn't it? There are plenty of tutorials on the internet about how to generate a CSR and private key with openssl, which you can find through your favorite web search engine like Google. So I am not going to reiterate the steps. I leave it to you to find out if you didn't know already.

– bagavadhar
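The "old-fashioned way" the answer describes, written out as an added example (this is not the answerer's own script, and not GoDaddy's or AWS's documentation): generate the private key and CSR together with openssl, confirm before submitting that the CSR really belongs to that key, and, once the CA has returned the signed certificate and chain bundle, import all three into ACM with the AWS CLI's `import-certificate` command (the ACM "certificates you import" path, which is the one that accepts a third-party CA's certificate, unlike ACM Private CA). The domain name, file names and region below are placeholders; the script assumes `openssl` and the `aws` CLI are installed and the CLI is already configured with credentials.

```shell
#!/bin/sh
# Added example, not code from the original answer. Placeholders: the output
# directory, the site's DNS name, the certificate file names and the region.

# Step 1: create a 2048-bit RSA private key and a CSR for it in one openssl call.
# Arguments: output directory, common name (the DNS name the cert is for).
make_key_and_csr() {
    outdir="$1"
    cn="$2"
    mkdir -p "$outdir"
    # -nodes: leave the key unencrypted so nginx and ACM can read it without a
    # passphrase prompt; the file permissions below are what protect it instead.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$cn.key" \
        -out "$outdir/$cn.csr" \
        -subj "/CN=$cn" >/dev/null 2>&1
    chmod 600 "$outdir/$cn.key"
}

# Step 2 (sanity check before submitting to the CA): the CSR's self-signature
# verifies, and the public key inside the CSR has the same RSA modulus as the
# private key on disk. If this fails, the CA would sign a cert that the server
# could never use because it does not match the key the server holds.
verify_csr_matches_key() {
    key="$1"
    csr="$2"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    csr_mod=$(openssl req -in "$csr" -noout -modulus 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$csr_mod" ]
}

# Step 3: after the CA returns the signed certificate and its chain bundle,
# import the certificate, the private key from step 1 and the chain into ACM.
# The resulting certificate ARN can then be attached to an ELB listener.
# Region and file names are placeholders; fileb:// tells the CLI to read the
# PEM files as-is.
import_into_acm() {
    cert="$1"; key="$2"; chain="$3"; region="$4"
    aws acm import-certificate \
        --region "$region" \
        --certificate "fileb://$cert" \
        --private-key "fileb://$key" \
        --certificate-chain "fileb://$chain"
}

# Typical use (placeholders):
#   make_key_and_csr ./tls example.com
#   verify_csr_matches_key ./tls/example.com.key ./tls/example.com.csr && echo "CSR ok"
#   # ... submit ./tls/example.com.csr to the CA, download signed cert + bundle ...
#   import_into_acm ./tls/example.com.crt ./tls/example.com.key ./tls/bundle.crt us-east-1
```

The modulus comparison is the check that answers the question's "I've only got a CSR, I don't have a private key" problem: with this flow the key is created on your own machine in step 1 and never leaves it until you import it into ACM yourself, so there is no private key to wait for from the CA or from ACM.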