However I want to be quite clear here, the load balancer dashboard on AWS is a bit buggy. Let's take you through the process of setting up the load balancer for SSL termination as documented by AWS:
So we first start by created the port mapping between the ELB and the instances. If you want to terminate the SSL on port 80, you can set both ports as 80 on the instance. I prefer to terminate them on different ports so I make an explicit rewrite from HTTP to HTTPS. Example: I set up instance ports to 80 and 81, the latter being the "SSL" (although in reality, internally we have standard HTTP). If someone requests resource by http, I have a rewrite to https, which will redirect to port 81 by the ELB.
After you follow the next screens (read, click click click) you get to a point where you "upload" (read, copy paste) your SSL certificates. Now this is the trickiest part, which should not be in reality - so I do not know if this is a bug in AWS or there is something wrong integration-wise with DigiCert star certificates and AWS.
The dialog asks you to enter four pieces of information:
- Certificate Name – The name you want to use to keep track of the certificate within the AWS console.
- Private Key – The key file you generated as part of your request for certificate.
- Public Key Certificate – The public facing certificate provided by your certificate authority.
- Certificate Chain – An optional group of certificates to validate your certificate.
The private key is normally called star_<domain_name>.key, the public key certificate star_<domain_name>.crt and the Certificate Chain is a concatenation of the previous two and the DigiCertCA.crt intermediate certificate. But here comes the cockup. When you arrive at this screen, just fill the Private Key and Public Key Certificate and click Create.
Once the Load Balancer is created, go to the Listeners tab and click Change SSL certificate. Upload a "new one", by repeating the same process as before, but this time let's fill the Certificate Chain. Unlike traditional Certificate Chain, AWS expects just the Intermediate Certificate here, so just paste the contents of DigiCertCA.crt.
Note: You might ask that instead of repeating the last step, why don't we just paste the Certificate Chain at the LB setup. Now this is why I stated that AWS might be buggy - if you past the Certificate Chain at the ELB setup, a cryptic error will occur stating that the intermediate certificate is not valid. This is the only way I know it works (and which I haven't seen documented anywhere in the interwebs).
To check that you have the Chain installed correctly, use curl:
╰─$ curl -v https://<domain_name>.com 60 ↵
* Rebuilt URL to: https://<domain_name>.com/
* Adding handle: conn: 0x23f2970
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x23f2970) send_pipe: 1, recv_pipe: 0
* About to connect() to <domain_name>.com port 443 (#0)
* Trying 126.96.36.199...
* Connected to omarsys.com (188.8.131.52) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* subject: CN=*.<domain_name>.com,OU=IT,O=acme Limited,L=Sliema,C=MT
* start date: Dec 06 00:00:00 2013 GMT
* expire date: Dec 11 12:00:00 2014 GMT
* common name: *.omarsys.com
* issuer: CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
The part marked in bold should state the details of the CA, signing Certificate and encryption cipher.