Wildcard Certificate
AWS requires certificates to be in PEM format for uploading
This example uses a wildcard certificate generated by IIS and issued by GoDaddy. There are better ways to create a certificate for an ELB which can be found in Amazon's documentation
1) Export the certificate as a PFX with the private key and check "Include all certificates in the certification path if possible" - use a password
2) Use openssl on a Linux box to run the following commands
3) openssl pkcs12 -in filename.pfx -nocerts -out key.pem
The command will request the Import Password
Then it will request a PEM Password - Use the same password for ease
4) openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
The command will request the Import Password
5) openssl rsa -in key.pem -out server.key
The command will request the PEM password created in step 3
Example
[root@util02 testing]# openssl pkcs12 -in godaddy.pfx -nocerts -out key.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[root@util02 testing]# openssl pkcs12 -in godaddy.pfx -clcerts -nokeys -out cert.pem
Enter Import Password:
MAC verified OK
[root@util02 testing]# openssl rsa -in key.pem -out server.key
Enter pass phrase for key.pem:
writing RSA key
This can be done by the Management Console or via command line
When copying the certificates, be sure to include the headers and footers
If using the command line, cert.pem starts with text that openssl pkcs12 writes above the -----BEGIN CERTIFICATE----- line (the "Bag Attributes" and subject/issuer lines); if that is left in, the import fails, so delete everything above the BEGIN line first
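Steps 3 to 5 above, scripted end to end as an added example that is not code from the original post. It runs the same three openssl commands non-interactively, cuts the preamble off cert.pem so a command-line upload does not fail, and checks that server.key actually belongs to cert.pem before anything is uploaded. It assumes the openssl CLI is on PATH; the function names and the test fixture are my own; extracting the CA chain with -cacerts goes beyond the post's steps; and passing passwords as pass: arguments is only there so the script can run unattended.

```shell
#!/bin/sh
# Added example, not part of the original post. Scripts steps 3-5 of the
# PFX -> PEM conversion, strips the "Bag Attributes" preamble, and checks
# that the key and certificate belong together. Assumes openssl on PATH.

# Keep only the PEM block(s) of a file. openssl pkcs12 prefixes its output
# with "Bag Attributes" and subject=/issuer= lines; the upload rejects them.
# Usage: strip_pem_preamble raw.pem clean.pem
strip_pem_preamble() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1" > "$2"
}

# Steps 3-5 of the post: encrypted key, leaf certificate, plain RSA key.
# Also pulls the CA chain (-cacerts), which step 1 packed into the PFX but
# the post never extracts. Writes into the current directory.
# Usage: pfx_to_pem file.pfx IMPORT_PASSWORD PEM_PASSWORD
pfx_to_pem() {
    pfx=$1; importpw=$2; pempw=$3
    openssl pkcs12 -in "$pfx" -nocerts -out key.pem \
        -passin "pass:$importpw" -passout "pass:$pempw" || return 1
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -out cert_raw.pem \
        -passin "pass:$importpw" || return 1
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -out chain_raw.pem \
        -passin "pass:$importpw" || return 1
    openssl rsa -in key.pem -out server.key -passin "pass:$pempw" || return 1
    strip_pem_preamble cert_raw.pem cert.pem
    strip_pem_preamble chain_raw.pem chain.pem
}

# Succeeds only when the private key and the certificate carry the same
# SubjectPublicKeyInfo; a mismatch means the wrong PFX or key was exported.
# Usage: key_matches_cert server.key cert.pem
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the NotAfter year of a certificate, e.g. to confirm a backend
# 'fake' cert carries the long expiry the post asks for.
# Usage: cert_expiry_year cert.pem
cert_expiry_year() {
    openssl x509 -in "$1" -noout -enddate | sed 's/.* \([0-9]\{4\}\) GMT$/\1/'
}

# Constructed test fixture (not a real certificate): a self-signed wildcard
# cert packed into a PFX the way IIS exports it, so the functions above can
# be exercised offline. Usage: make_test_pfx out.pfx IMPORT_PASSWORD
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.test" -keyout fixture.key -out fixture.crt \
        2>/dev/null || return 1
    openssl pkcs12 -export -inkey fixture.key -in fixture.crt -out "$1" \
        -passout "pass:$2"
}
```

Run it from a scratch directory, source the file, and call pfx_to_pem on the real export (pfx_to_pem godaddy.pfx "$IMPORT_PW" "$PEM_PW"), then key_matches_cert server.key cert.pem before uploading; cert.pem and chain.pem are then ready to paste or pass to the CLI with nothing above the BEGIN line. The two password arguments land in shell history if typed literally, so read them into variables first or keep the post's interactive prompts for a one-off conversion.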
http://www.xdevsoftware.com/blog/post/Upload-IIS-SSL-Certificate-into-Amazon-Elastic-Load-Balancer.aspx
Backend Certificates
Backend certificates can be self-signed 'fakes' and should have an expiration date of 2039
See previous post for self signed certs
Export the certificate from IIS
Use openssl on a Linux box to run the following commands
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
Import via Management Console or command line
Create Load Balancer
Load Balancer Protocol HTTPS
Port 443
Instance Protocol HTTPS
Port 443
Choose wildcard certificate
Ciphers - Leave as default - ELBSample-ELBDefaultNegotiationPolicy
Select Enable Backend Authentication
Create Health Check HTTPS:443/application/validation.aspx - Leave other settings as default
Add instances
Setup DNS
ELBs have A records like this: loadbalancer-374828799.us-east-1.elb.amazonaws.com (A Record)
Create a CNAME stagingserviceslb.futurehealthsoftware.com with stagingservices-374828799.us-east-1.elb.amazonaws.com
External IP Addresses into IIS Log Files
There are a couple of options
If the application is non-WCF - use the F5 ISAPI filter
More details - http://devcentral.f5.com/weblogs/Joe/archive/2009/12/23/x-forwarded-for-http-module-for-iis7-source-included.aspx
If the application is WCF - use the ARR Helper Module
More details - http://blogs.iis.net/anilr/archive/2009/03/03/client-ip-not-logged-on-content-server-when-using-arr.aspx