How to use *.pfx certificate for Amazon ELB SSL

Question

I have cert.pfx file, I need to install to be used in Amazon Elastic Load Balancer. How can I do it?

Answer 1

1. Extract private key without password. First command will request pfx password and prompt for a password for key.pem; a password for key.pem must be provided. Second command asks for key.pem password provided for 1st command.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem openssl rsa -in key.pem -out server.key

2. Extract certificate:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem

3. Extract certificate chain:

openssl pkcs12 -in cert.pfx -nodes -nokeys -out chain.pem

4. Certificate chain contains several items. You may need to remove item that refers to your certificate, it's on top and it's not needed. Give a try with/without removing top item. After that the other items should be placed in reverse order.

5. server.key is private key in ELB, cert.pem is certificate in ELB, output #4 is certificate chain.

Good luck!

Answer 2

you can easily convert the format of the certificate using the OpenSSL suite.

The process is very easy and a good guide is here: http://www.petefreitag.com/item/16.cfm.

About the different steps (taken from the link I reported above):

# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem

# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

# This removes the passphrase from the private key so Apache won't
# prompt you for your passphase when it starts
openssl rsa -in key.pem -out server.key

Now, if you have a linux distro, it is straight forward to install openSSL (yum install openssl on an rpm based distro).

If you don't have a linux distro installed, then the quickest would be to go for a live distribution (I personally love fedora https://getfedora.org/)

I hope this helps