AWS Elastic Beanstalk
Developer Guide (API Version 2010-12-01)
AWS services or capabilities described in AWS Documentation may vary by region/location. Click Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

Create and Sign an X509 Certificate

You can create an X509 certificate for your application with OpenSSL. OpenSSL is a standard, open source library that supports a wide range of cryptographic functions, including the creation and signing of x509 certificates. For more information about OpenSSL, visit www.openssl.org.

Note

You only need to create a certificate locally if you want to use HTTPS in a single instance environment or re-encrypt on the backend with a self-signed certificate. If you own a domain name, you can create a certificate in AWS and use it with a load balanced environment for free by using AWS Certificate Manager (ACM). See Request a Certificate in the AWS Certificate Manager User Guide for instructions.

Run openssl version at the command line to see if you already have OpenSSL installed. If you don't, you can build and install the source code using the instructions at the public GitHub repository, or use your favorite package manager. OpenSSL is also installed on Elastic Beanstalk's Linux images, so a quick alternative is to connect to an EC2 instance in a running environment by using the EB CLI's eb ssh command:

~/eb$ eb ssh
[ec2-user@ip-255-55-55-255 ~]$ openssl version
OpenSSL 1.0.1k-fips 8 Jan 2015

You need to create an RSA private key to create your certificate signing request (CSR). To create your private key, use the openssl genrsa command:

[ec2-user@ip-255-55-55-255 ~]$ openssl genrsa 2048 > privatekey.pem
Generating RSA private key, 2048 bit long modulus
.................................................................................................................................+++
...............+++
e is 65537 (0x10001)
privatekey.pem

The name of the file where you want to save the private key. Normally, the openssl genrsa command prints the private key contents to the screen, but this command pipes the output to a file. Choose any file name, and store the file in a secure place so that you can retrieve it later. If you lose your private key, you won't be able to use your certificate.

A CSR is a file you send to a certificate authority (CA) to apply for a digital server certificate. To create a CSR, use the openssl req command:

$ openssl req -new -key privatekey.pem -out csr.pem
You are about to be asked to enter information that will be incorporated 
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Enter the information requested and press Enter. The following table describes and shows examples for each field:

Name Description Example
Country Name The two-letter ISO abbreviation for your country. US = United States
State or Province The name of the state or province where your organization is located. You cannot abbreviate this name. Washington
Locality Name The name of the city where your organization is located. Seattle
Organization Name The full legal name of your organization. Do not abbreviate your organization name. Example Corporation
Organizational Unit Optional, for additional organization information. Marketing
Common Name The fully qualified domain name for your web site. This must match the domain name that users see when they visit your site, otherwise certificate errors will be shown. www.example.com
Email address The site administrator's email address. someone@example.com

You can submit the signing request to a third party for signing, or sign it yourself for development and testing. Self-signed certificates can also be used for backend HTTPS between a load balancer and EC2 instances.

To sign the certificate, use the openssl x509 command. The following example uses the private key from the previous step (privatekey.pem) and the signing request (csr.pem) to create a public certificate named server.crt that is valid for 365 days :

$ openssl x509 -req -days 365 -in csr.pem -signkey privatekey.pem -out server.crt
Signature ok
subject=/C=us/ST=washington/L=seattle/O=example corporation/OU=marketing/CN=www.example.com/emailAddress=someone@example.com
Getting Private key

Keep the private key and public certificate for later use. You can discard the signing request. Always store the private key in a secure location and avoid adding it to your source code.

To use the certificate with the Windows Server platform, you must convert it to a PFX format. Use the following command to create a PFX certificate from the private key and public certificate files:

$ openssl pkcs12 -export -out example.com.pfx -inkey privatekey.pem -in public.crt
Enter Export Password: password
Verifying - Enter Export Password: password

Now that you have a certificate, you can upload it to IAM for use with a load balancer, or configure the instances in your environment to terminate HTTPS.