Configuring IIS7 and ELB for HTTPS using wildcard common name

I have recently been asked to add support for HTTPS on one of our web applications. With little to no experience in this kind of operation, my first thought was: oh, it shouldn’t be too hard, take the certificate, plug it into the web server and let’s go for a drink... Not really what happened. I’ll try to give as much detail as possible, with references, to help anyone going through this process.

Let’s start by the environment I am running:

  • A couple of IIS7 web servers
  • Amazon Elastic Load Balancer (ELB)
  • DigiCert Certificate (any trusted provider should work)
  • Wildcard domain (*.mydomain.com)

To get your certificate you will need to send a Certificate Signing Request (CSR) to your provider. The CSR is generated on one of the IIS boxes, and the matching private key stays in that server’s certificate store; keep that in mind, because the ELB will later need a copy of that key.

For IIS 7, follow the instructions below:

  1. Click Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
  2. Click on the server name.
  3. From the center menu, double-click the “Server Certificates” button in the “Security” section (it is near the bottom of the menu).
  4. Next, from the “Actions” menu (on the right), click on “Create Certificate Request.” This will open the Request Certificate wizard.
  5. In the “Distinguished Name Properties” window, enter the information as follows:
    Common Name – The name through which the certificate will be accessed (usually the fully-qualified domain name, e.g., www.domain.com or mail.domain.com). For a wildcard certificate enter the wildcard itself, *.mydomain.com. On its own a wildcard covers exactly one label, so www.mydomain.com and mail.mydomain.com match, but a.b.mydomain.com does not.
    Organization – The legally registered name of your organization/company.
    Organizational unit – The name of your department within the organization (frequently this entry will be listed as “IT,” “Web Security,” or is simply left blank).
    City/locality – The city in which your organization is located.
    State/province – The state in which your organization is located.
    Country/region – If needed, you can find your two-letter country code at http://www.digicert.com/ssl-certificate-country-codes.htm.
  6. Click Next.
  7. In the “Cryptographic Service Provider Properties” window, leave both settings at their defaults (Microsoft RSA SChannel Cryptographic Provider and 2048). Do not go below 2048 bits; that is the minimum key length a public CA should be asked to sign. Then click Next.
  8. Enter a filename for your CSR file.
    Remember the filename you chose and where you saved it. You will need to open this file as a text file and copy its entire body (including the BEGIN NEW CERTIFICATE REQUEST and END NEW CERTIFICATE REQUEST lines) into the online order form when prompted. The CSR contains only the public key, so it is safe to paste into the provider’s site; the private key never leaves the server.

The full tutorial with screenshots and a video is located at http://www.digicert.com/csr-creation-microsoft-iis-7.htm

Your provider should then generate the SSL certificate, and you should be able to download it in a format appropriate for IIS. I would recommend the individual .crt files in a zip. You will find a bunch of files; the one of interest is star_mydomain_com.crt (the others are the CA’s root and intermediate certificates). You can now complete your request on IIS by following steps 1 to 3 from the CSR request instructions; the fourth step is then “Complete Certificate Request” in the Actions pane, pointing it at star_mydomain_com.crt.

Complete Certificate Request

One important thing to note here: if you have a wildcard domain, the Friendly Name used to complete the request should be exactly the same as your common name, *.mydomain.com. This might not seem very important, but in IIS 7 the HTTPS site binding dialog only lets you fill in a host name when the selected certificate’s friendly name starts with “*”, so with any other friendly name you cannot bind several host-named sites to the same wildcard certificate on port 443. If you already imported the certificate, you can use the Certificates MMC snap-in to change its friendly name; find more on this page: http://technet.microsoft.com/en-us/library/cc753195%28v=ws.10%29.aspx

Once done, you can copy the certificate to your other IIS boxes, if any: export it together with its private key as a .pfx (the same export described below for the ELB), import the .pfx into the Personal store of each server, and repeat the binding steps. The .pfx contains the private key, so protect it with a strong password and delete the copies once imported.

Let’s jump to the configuration of our Elastic Load Balancer (Amazon ELB) to support HTTPS and import our certificate there. There are several techniques and ways to do that; I will use the one that has been working in my case.

Find the basic reference on Amazon Web services ELB documentation http://docs.amazonwebservices.com/ElasticLoadBalancing/latest/DeveloperGuide/UserScenarios.html

Amazon Elastic Load Balancer HTTPS Setup

You will need to fill in the following fields:

Certificate Name:* – Any meaningful name to recognize your certificate afterwards.

Private Key:* – The RSA private key, unencrypted and PEM-encoded (a -----BEGIN RSA PRIVATE KEY----- block).

Public Key Certificate:* – The server certificate itself, PEM-encoded (a single -----BEGIN CERTIFICATE----- block), not the whole bundle.

There is also an optional Certificate Chain field for the CA’s intermediate certificate(s); fill it in, otherwise clients that don’t already know the intermediate will fail to validate the chain.

This is where it becomes a bit tricky: you don’t have this information in your CSR or in the .crt you downloaded. The private key lives in the Windows certificate store of the IIS box that generated the CSR, so you need to export it from there and use OpenSSL to convert it into the PEM files ELB expects.

First you need to export the certificate together with its private key from the IIS server; try these steps:

  1. Start the Microsoft Management Console: Run mmc.exe.
  2. Click the ‘File’ menu (‘Console’ on older versions) and then click ‘Add/Remove Snap-in’.
  3. Select the ‘Certificates’ snap-in and click ‘Add’.
  4. Select ‘Computer Account’ then click ‘Next’.
  5. Select ‘Local Computer’ and then click ‘Finish’.
  6. Click ‘OK’ to close the snap-in dialog.
  7. Expand ‘Certificates (Local Computer)’ and open the ‘Personal’ > ‘Certificates’ folder.
  8. Right-click the certificate that you want to export and select ‘All Tasks’ > ‘Export’.
  9. The Certificate Export Wizard appears. Choose ‘Yes, export the private key’, keep the PKCS #12 (.PFX) format, and set a strong password (you will be asked for it in the OpenSSL step). Continue through the wizard until you have a .PFX file. If the private key option is greyed out, the key was created as non-exportable and you will have to generate a new CSR with an exportable key.
  10. The .PFX now holds your private key: move it over an encrypted channel only and delete every copy once the ELB has the key.

You can find the illustrated tutorial on this page: http://nl.globalsign.com/en/support/ssl+certificates/microsoft/all+windows+servers/export+private+key+or+certificate/
You need OpenSSL on your machine for the next step: http://www.openssl.org/

Export the private key from the pfx file (you are prompted for the PFX password, then for a pass phrase that protects key.pem)

openssl pkcs12 -in filename.pfx -nocerts -out key.pem

Export the certificate file from the pfx file

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem

Remove the pass phrase from the private key (ELB cannot use an encrypted key; server.key is now the bare secret, so keep it off shared drives and delete it after the upload)

openssl rsa -in key.pem -out server.key

Use the contents of the server.key file for the Private Key:* field. For the certificate, download the PEM version of your certificate from your provider; it is a bundle that contains your own certificate first, followed by the CA’s intermediate certificate(s). Take only the first block:
-----BEGIN CERTIFICATE-----
Lots of base64 here!!!
-----END CERTIFICATE-----

Copy and paste it into the Public Key Certificate:* field; the remaining block(s) of the bundle go into the Certificate Chain field. (The cert.pem extracted from the .pfx above holds the same certificate, but prefixed with “Bag Attributes” lines that you must delete before pasting.) Amazon ELB should then accept your certificate.

Update #1 for configuration of ELB:

There is also a way to avoid the certificate configuration on the ELB entirely: create a plain TCP listener on port 443 that forwards to TCP port 443 on the instances. The load balancer then passes the encrypted stream through untouched and your web server, which already has the certificate bound, does the SSL termination. This should work straightforwardly. The trade-off is that the ELB no longer sees the HTTP request, so it cannot add the X-Forwarded-For header and IIS will log the load balancer’s address instead of the client’s, and the ELB health check on that port can only be a TCP connect, not an HTTP request.
