2

I am very new to installation of certificates and AWS itself altogether. Now, in my current infrastructure I have 3 ELBs that are in a VPC.

I have purchased a wildcard ssl certificate from COMODO through Big Rock.

What I want is that all the communication between my ELBs and the external world should be over HTTPS.

  1. How can I achieve this ?
  2. Can I install the one wild card certificate that I have on all the three ELBs ?
  3. Is there a better way of doing it ?
  4. Also since it is a wild card certificate that I have, I would not be able to use it for api.example.com but not for example.com itself (as per my understanding). However, what is visible to the external world is example.com for now (and not really api.example.com) So do I need to purchase another certificate for the above scenario ?
  5. Which type of certificate (I read about UCC SSL Certs here)should I go with, given that I also have example.in as a domain as well where the same site is hosted.

Please pardon my ignorance on the matter.

Community
  • 1
qre0ct
  • 123
  • 6
  • 2
    Try `$ openssl x509 -in my-cert-file.crt -text -noout` then examine the "Subject Alternative Name [SAN]." If you see something like `DNS:*.example.com` **and** `DNS:example.com`, then your cert should be good for `example.com` as well as the first level of subdomains. – Michael - sqlbot Dec 15 '15 at 14:08

2 Answers2

5

What I want is that all the communication between my ELBs and the external world should be over HTTPS. How can I achieve this ?

Completely disabling plain HTTP is usually not on option, but can configure your webservers to (permanently) redirect any unencrypted request from http://... to https://...

Can I install the one wild card certificate that I have on all the three ELBs?

There is no technical reason why you couldn't.

Also since it is a wild card certificate that I have, I would not be able to use it for api.example.com but not for example.com itself (as per my understanding).
However, what is visible to the external world is example.com for now (and not really api.example.com) So do I need to purchase another certificate for the above scenario ?

Yes a wild-card for *.example.com is only valid for <valid_hostnames>.example.com and neither for plain/naked example.com nor *.*.example.com will work. See this Q&A for the details.

Technically it's possible to also include the plain domain with the wildcard certificate via a Subject Alternative Name extension, making the certificate valid for both *.example.com and example.com but which SSL resellers do that automatically I don't know. So you may not need another (replacement) certificate at all.

You can check with openssl x509 -in certificate.crt -text -noout which will yield something similar to when SubjectAltNames are present:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
           ....
        Subject: ..., CN=*.example.com
           ...
        X509v3 extensions:
           ...
           X509v3 Subject Alternative Name:
                DNS:*.example.com, DNS:example.com

If that is not the case you may need another certificate to be able to use the bare domain in addition to your current wildcard. Server Name Indication (SNI) is what would be required to use two different SSL certificates and have them to work correctly on a single ELB instance.

ELB supports multiple TLS certificates using SNI -
ALB supports mutiple TLS certs using SNI
NLB now supports multiple TLS certs using SNI

PrasadK
  • 105
  • 3
HBruijn
  • 72,524
  • 21
  • 127
  • 192
  • 2
    *Technically it's possible to also include the plain domain with the certificate via a Subject Alternative Name extension* -- anecdotally, FWIW, I bought a comodo wildcard cert only yesterday, and in my CSR, I included `*.example.com` as the subject and did not explicitly request SAN. The cert was issued with the subject as indicated, and with both the wildcard and the naked domain in the SAN, so I would expect OP's cert to work that way as well by default, and support the bare domain. – Michael - sqlbot Dec 15 '15 at 13:57
  • 2
    @Michael-sqlbot Thanks! I updated my answer with your suggested approach to check for SAN entries. – HBruijn Dec 15 '15 at 14:50
2

If Wildcard SSL certificate issued to *.example.com then you can secure example.com, api.example.com and any other sub-domains with a single wildcard SSL certificate. Comodo Wildcard SSL offers unlimited server licenses and you should install certificate on your all 3 ELBs to set up secure environment on your sub-domains.

If you want secure different domain names which refer different TLDs like example.com, example.in and example.anytld then you should go with UCC SSL certificate. You can add or edit subject alternative names (SAN) anytime during the certificate lifespan.

If your requirement is securing multiple websites and its all sub-domains, then you can go with Comodo Multi Domain Wildcard SSL.

Jason Parms
  • 272
  • 2
  • 5